Tag: byovd

25 Attack Reports | 0 Vulnerabilities

Attack reports

Attackers Weaponize Microsoft Teams Relays to Stay Hidden

Attackers deploying DragonForce ransomware against a major U.S. services firm concealed their command-and-control traffic within Microsoft Teams relay infrastructure using Backdoor.Turn, a custom Go-based remote access trojan. This novel technique leverages anonymous Teams visitor tokens and TURN r…
ransomware
credential theft
byovd
dll side-loading
dragonforce
CVE-2025-1055
CVE-2025-61155
vulnerable drivers
2026-06-16
backdoor.turn
CVE-2023-52271
microsoft teams abuse
turn relay
Published: June 16, 2026
Linked vulnerabilities : CVE-2025-1055 (CVSS 5.6), CVE-2025-61155, CVE-2023-52271
Downloadable IOCs: 18

Uptick in Bomgar RMM Exploitation

Since early April 2026, security researchers have observed a significant increase in attacks targeting Bomgar remote monitoring and management instances, exploiting CVE-2026-1731, a critical vulnerability disclosed in February. Threat actors have compromised Bomgar RMM to target downstream customer…
screenconnect
ransomware
lockbit
anydesk
byovd
remote access tools
simplehelp
atera
CVE-2026-1731
2026-04-17
bomgar
msp targeting
poisonkiller
rmm exploitation
Published: April 17, 2026
Linked vulnerabilities : CVE-2026-1731 (CVSS 9.9)
Downloadable IOCs: 5

How a Tax Search Leads to Kernel-Mode AV/EDR Kill

A large-scale malvertising campaign targeting U.S. tax form searchers has been uncovered. The attack chain begins with Google Ads, using dual commercial cloaking services to evade detection. Victims are directed to rogue ScreenConnect installers, leading to a multi-stage crypter that ultimately dep…
screenconnect
malvertising
google ads
edr evasion
byovd
cloaking
kernel driver
2026-03-19
fatmalloc
hwaudkiller
tax lure
Published: March 19, 2026
Downloadable IOCs: 12

EDR killers explained: Beyond the drivers

This analysis explores the ecosystem of EDR (Endpoint Detection and Response) killers, tools used by ransomware attackers to disrupt security solutions before deploying encryptors. The research, based on almost 90 EDR killers tracked in the wild, reveals that these tools are fundamental in modern r…
malware
ransomware
cybersecurity
threat intelligence
edrkillshifter
byovd
defense evasion
edrsilencer
ms4killer
abyssworker
2026-03-19
abysskiller
cardspacekiller
dead-av
demokiller
dlkiller
edr killers
edr-freeze
ghostdriver
hexkiller
sevexkiller
smilingkiller
susanoo
tfsysmon-killer
vulnerable drivers
Published: March 19, 2026
Downloadable IOCs: 15

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, an…
ransomware
lockbit
lateral movement
cloudflare
byovd
sharepoint
tunneling
tightvnc
velociraptor
2026-03-16
yuze
Published: March 16, 2026
Downloadable IOCs: 10

Massive Winos 4.0 Campaigns Target Taiwan

A series of targeted phishing campaigns in Taiwan have been observed disseminating Winos 4.0 (ValleyRat) malware and associated plugins. The attacks exploit local business processes using themes like tax audits and e-invoices. The campaigns employ various techniques including malicious LNK files, D…
apt
phishing
dll sideloading
valleyrat
taiwan
byovd
uac bypass
winos 4.0
2026-02-22
Published: February 22, 2026
Downloadable IOCs: 11

Black Basta: Defense Evasion Capability Embedded in Ransomware Payload

A recent Black Basta ransomware campaign incorporated a bring-your-own-vulnerable-driver (BYOVD) defense evasion component within the payload itself, a departure from typical practices. The ransomware exploited a vulnerable NsecSoft NSecKrnl driver to terminate security processes. This approach, pr…
ransomware
black basta
byovd
defense evasion
vulnerable driver
CVE-2025-68947
gotohttp
2026-02-05
cardinal
nseckrnl
Published: February 5, 2026
Linked vulnerabilities : CVE-2025-68947 (CVSS 5.7)
Downloadable IOCs: 6

They Got In Through SonicWall. Then They Tried to Kill Every Security Tool

In early February 2026, an intrusion was detected where threat actors exploited compromised SonicWall SSLVPN credentials for initial network access. The attackers deployed an EDR killer utilizing a legitimate but revoked EnCase forensic driver to terminate security processes from kernel mode. This …
byovd
edr killer
sonicwall
2026-02-04
driver signature enforcement
encase
guidance software
kernel driver
sslvpn
Published: February 4, 2026
Downloadable IOCs: 2

Osiris: New Ransomware, Experienced Attackers?

A new ransomware called Osiris was used in an attack on a major food service franchisee operator in Southeast Asia in November 2025. The ransomware shares similarities with previous Inc ransomware attacks, including the use of Wasabi buckets for data exfiltration and a specific version of Mimikatz.…
ransomware
mimikatz
byovd
inc ransomware
southeast asia
abyssworker
rustdesk
2026-01-23
food service
killav
osiris
poortry
wasabi
Published: January 23, 2026
Downloadable IOCs: 17

New BYOVD loader behind DeadLock ransomware attack

A new loader exploiting a Baidu Antivirus driver vulnerability (CVE-2024-51324) has been discovered in connection with DeadLock ransomware attacks. The threat actor uses the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate endpoint detection and response processes. A PowerShell scrip…
ransomware
edr evasion
byovd
CVE-2024-51324
2025-12-10
deadlock
Published: December 10, 2025
Linked vulnerabilities : CVE-2024-51324 (CVSS 3.8)
Downloadable IOCs: 5

Sharpening the knife: strategic evolution of GOLD BLADE

GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized …
ransomware
cyberespionage
byovd
redloader
canada
2025-12-06
qwcrypt
recruitment platforms
terminator
zemana driver
Published: December 6, 2025
Downloadable IOCs: 28

The DragonForce Cartel: Scattered Spider at the gate

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate pro…
social engineering
ransomware
encryption
conti
byovd
dragonforce
affiliate program
mamona
devman
2025-11-05
scattered spider
global
cartel
Published: November 5, 2025
Downloadable IOCs: 0

Jewelbug: Chinese APT Group Widens Reach to Russia

A Chinese APT group named Jewelbug has expanded its operations to target organizations in South America, South Asia, Taiwan, and Russia. The group's recent intrusion into a Russian IT service provider lasted for five months in 2025, potentially aiming for a supply chain attack. Jewelbug has deploye…
dll sideloading
byovd
squidoor
2025-10-24
Published: October 24, 2025
Downloadable IOCs: 27

Technical Analysis of kkRAT

A malware campaign targeting Chinese-speaking users has been identified, delivering three types of malware: ValleyRAT, FatalRAT, and kkRAT. The campaign uses fake installer pages to distribute the malware. kkRAT, a new Remote Access Trojan, shares similarities with Ghost RAT and Big Bad Wolf. It em…
valleyrat
byovd
remote access trojan
chinese-speaking
fatalrat
ghost rat
2025-09-10
kkrat
big bad wolf
Published: September 10, 2025
Downloadable IOCs: 0

Chasing the Silver Fox: Cat & Mouse in Kernel Shadows

Check Point Research uncovered an ongoing campaign by the Silver Fox APT group exploiting a previously unknown vulnerable driver to evade endpoint protection. The attackers used a Microsoft-signed WatchDog Antimalware driver to terminate protected processes on fully updated Windows systems. A dual-…
valleyrat
edr evasion
byovd
process termination
vulnerable driver
kernel exploitation
driver abuse
2025-08-28
signature manipulation
Published: August 28, 2025
Downloadable IOCs: 16

Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Dr…
ransomware
zero-day
vpn
akira
byovd
drivers
sonicwall
2025-08-08
av/edr evasion
Published: August 8, 2025
Downloadable IOCs: 2

ThrottleStop driver abused to terminate AV processes

A recent incident response case in Brazil revealed a new antivirus (AV) killer software circulating since October 2024. This malware abuses the ThrottleStop.sys driver to terminate numerous antivirus processes, employing a technique known as BYOVD (Bring Your Own Vulnerable Driver). The attack bega…
ransomware
byovd
medusalocker
kernel exploitation
2025-08-06
CVE-2025-7771
driver abuse
av killer
throttlestop
Published: August 6, 2025
Downloadable IOCs: 0

Qilin Ransomware and the Hidden Dangers of BYOVD

This analysis examines a recent incident involving Qilin ransomware, highlighting the evolving tactics of cybercriminals to evade Endpoint Detection and Response (EDR) systems. The attackers utilized a previously unknown driver, TPwSav.sys, to disable EDR measures through a technique known as bring…
ransomware
qilin
byovd
raas
2025-07-31
Published: July 31, 2025
Downloadable IOCs: 7

CrazyHunter Campaign Targets Taiwanese Critical Sectors

The CrazyHunter ransomware group has emerged as a significant threat, specifically targeting Taiwanese organizations in healthcare, education, and industrial sectors. The group employs sophisticated techniques, including the Bring Your Own Vulnerable Driver (BYOVD) method, to bypass security measur…
ransomware
taiwan
byovd
prince ransomware
2025-04-16
zammocide
prince ransomware builder
critical sectors
open-source tools
gpo exploitation
Published: April 16, 2025
Downloadable IOCs: 9

How ToddyCat tried to hide behind AV software

The ToddyCat APT group has developed a sophisticated tool called TCESB to stealthily execute payloads and evade detection. This tool exploits a vulnerability (CVE-2024-11859) in ESET Command line scanner for DLL proxying, using a modified version of the open-source EDRSandBlast malware. TCESB emplo…
byovd
2025-04-07
CVE-2024-11859
kernel manipulation
dll proxying
CVE-2021-36276
tcesb
eset
edrsandblast
Published: April 7, 2025
Downloadable IOCs: 0

Shifting the sands of RansomHub's EDRKillShifter

ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers le…
ransomware
bianlian
medusa
edrkillshifter
systembc
grixba
byovd
play
2025-03-27
scransom
Published: March 27, 2025
Downloadable IOCs: 0

EDR Bypass Testing Reveals Extortion Actor's Toolkit

Unit 42 investigated an extortion attempt where threat actors tested an AV/EDR bypass tool on rogue systems with Cortex XDR installed. The actors purchased network access via Atera RMM and used a BYOVD technique for the bypass tool. Researchers gained visibility into the actors' systems, uncovering…
extortion
cobalt strike
rclone
mimikatz
conti
sharphound
rubeus
byovd
2024-11-02
cortex xdr
safetykatz
cybercrime forums
threat actor profiling
av/edr bypass
Published: November 2, 2024
Downloadable IOCs: 0

Embargo ransomware: Rock'n'Rust

ESET researchers have uncovered new Rust-based tools used by the Embargo ransomware group. The toolkit includes MDeployer, a loader that deploys MS4Killer and Embargo ransomware, and MS4Killer, an EDR killer that exploits a vulnerable driver. Embargo, first observed in June 2024, is a relatively ne…
ransomware
rust
byovd
raas
2024-10-23
embargo ransomware
edr killer
safe mode abuse
ms4killer
mdeployer
Published: October 23, 2024
Downloadable IOCs: 0

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the RansomHub ransomware gang. The attackers are utilizing two tools: TDSSKiller, a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response (EDR) systems, and LaZagne, a cre…
ransomware
credential harvesting
edr
ransomhub
byovd
2024-09-11
lazagne
tdsskiller
network segmentation
Published: September 11, 2024
Downloadable IOCs: 2

BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

The BlackByte ransomware group continues leveraging established tactics and vulnerable drivers to bypass security controls, while also incorporating newly disclosed vulnerabilities and using stolen credentials for propagation. A new iteration of their encryptor appends the 'blackbytent_h' extension…
ransomware
worm
CVE-2024-37085
authentication
2024-08-28
byovd
exbyte
blackbytent
Published: August 28, 2024
Downloadable IOCs: 4
Click here to see more Attack Reports