EDR Killers Are Getting Smarter: 54 Tools Now Using Signed Drivers to Bypass Security
I’ve been tracking some concerning developments in the security space this week, and there’s one story that really caught my attention. We’re seeing a significant evolution in how attackers are dismantling our defenses, particularly when it comes to endpoint detection and response systems.
The BYOVD Problem Just Got Worse
A new analysis shows that 54 different EDR killer tools are now using the “bring your own vulnerable driver” (BYOVD) technique, exploiting a total of 34 signed but vulnerable drivers to disable security software. If you’re not familiar with BYOVD, the attacker ships a legitimate, digitally signed driver that happens to have a security flaw and loads it on the victim host. That load needs administrator rights but otherwise succeeds, because Driver Signature Enforcement checks only that the signature is valid, not whether the code behind it is safe. The attacker then exploits the flaw, typically an exposed IOCTL that hands out arbitrary kernel memory access or process termination, to act with kernel privileges and kill or blind the EDR agent.
What makes this particularly troublesome is that these aren’t some obscure, theoretical attack tools. EDR killers have become standard equipment in ransomware operations, giving affiliates a reliable way to neutralize our security software before they deploy their file-encrypting payloads.
The fact that we’re seeing 54 different tools using this technique tells me this isn’t just a few sophisticated groups anymore – it’s becoming commoditized. When attack techniques become this widespread, it usually means the barrier to entry has dropped significantly.
Meanwhile, New Players Enter the Endpoint Game
Speaking of endpoint security, there’s some interesting movement on the defensive side too. A company called 1stProtect just emerged from stealth mode with $20 million in funding, promising an endpoint security platform that monitors behavior and verifies user intent to stop attacks in real time.
I’m always a bit skeptical when I see “real-time” and “user intent verification” in the same sentence – we’ve heard similar promises before. But given what we’re seeing with EDR killers becoming more sophisticated, there’s definitely room for innovation in how we approach endpoint protection. Once an attacker has kernel code execution, any agent that lives in user mode or depends on kernel callbacks can be terminated or have its hooks removed, so signature-based and behavior-based detection alike are fighting from a losing position. The durable control is keeping the vulnerable driver from loading in the first place.
North Korean Groups Stay Busy
The Lazarus group continues to make headlines, this time with Bitrefill (a crypto-powered gift card service) attributing an attack from earlier this month to the North Korean Bluenoroff subgroup.
What’s interesting here isn’t just that it’s another Lazarus attack – we see those regularly. It’s that they’re continuing to target cryptocurrency-adjacent services. These groups have shown they’re particularly good at adapting their tactics to whatever financial systems are available, and the crypto space continues to be a rich target environment for them.
Mobile Banking Under Siege
On the mobile front, we’re seeing what researchers are calling a “global mobile banking malware surge” with over 1,200 financial apps being targeted worldwide. The attackers are shifting their fraud operations directly to user devices, which makes sense from their perspective – it’s often easier to compromise a phone than to break through enterprise-grade banking security.
This trend worries me because mobile security is still the wild west in many organizations. We’ve spent years hardening our network perimeters and endpoints, but mobile devices often get treated as afterthoughts in our security strategies. Yet they’re increasingly where our users are doing their most sensitive work.
International Sanctions Expand
Finally, the EU has joined the US and UK in sanctioning companies in China and Iran for cyberattacks. The sanctions bar the listed companies from doing business in the European Union and bar some of their principals from entering it.
While sanctions are important from a diplomatic standpoint, I’m not sure how much they actually change the day-to-day threat landscape we’re dealing with. The groups behind these attacks are usually pretty good at compartmentalizing their operations and working around international restrictions.
What This Means for Us
Looking at these stories together, I see a few clear patterns. First, attackers are getting better at operating at the kernel level, using legitimate signed drivers to bypass our security controls. A valid signature is no longer a trust signal on its own. Practically, that means enabling Microsoft’s vulnerable driver blocklist and memory integrity (HVCI) where the hardware allows it, allowlisting the drivers a host is actually expected to load, and alerting on driver-load events (Sysmon Event ID 6, for example) that come from user-writable paths or match hashes on known-abused-driver lists.
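To make the “signed is not the same as safe” point concrete, here is a small triage script I’ve added as an example; it is not code from the article or from any of the vendors mentioned. It takes Sysmon Event ID 6 (DriverLoad) records, which carry the ImageLoaded, Hashes, Signed, Signature and SignatureStatus fields, and applies two gates side by side: the naive “is it validly signed?” check that BYOVD walks straight through, and an allowlist check that also requires the driver hash to be on an approved list. The event records, hash values, driver file names and allow/deny lists below are all constructed placeholders for the example.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added example. Every hash, path and driver name below is constructed for
illustration; none is taken from the article or from a real incident.
"""
from __future__ import annotations

# Constructed denylist: SHA256 hashes of signed-but-vulnerable drivers.
# A real deployment would feed this from a maintained source (Microsoft's
# vulnerable driver blocklist, a community list); these values are placeholders.
VULNERABLE_DRIVER_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111":
        "hypothetical vendor driver v1",
}

# Constructed allowlist: the only driver hashes this host is expected to load.
APPROVED_DRIVER_SHA256 = {
    "2222222222222222222222222222222222222222222222222222222222222222":
        "ntfs.sys (placeholder hash)",
}

# No kernel driver should ever be loaded from a user-writable location.
SUSPICIOUS_PATH_FRAGMENTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def parse_hashes(field: str) -> dict[str, str]:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...' field into a dict."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def signature_only_check(event: dict) -> bool:
    """The naive gate: accept any driver whose signature is valid.

    This is exactly the gate a BYOVD driver passes, because the driver is
    genuinely signed; only the code behind the signature is flawed.
    """
    return event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"


def allowlist_check(event: dict) -> bool:
    """Stronger gate: validly signed AND explicitly approved by hash."""
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    return signature_only_check(event) and sha256 in APPROVED_DRIVER_SHA256


def triage(event: dict) -> list[str]:
    """Return the BYOVD-relevant findings for one DriverLoad event (empty = clean)."""
    findings: list[str] = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    path = event.get("ImageLoaded", "")

    if sha256 in VULNERABLE_DRIVER_SHA256:
        findings.append(f"hash on vulnerable-driver list: {VULNERABLE_DRIVER_SHA256[sha256]}")
    if event.get("SignatureStatus") != "Valid":
        findings.append(f"signature status {event.get('SignatureStatus')!r}")
    if any(frag in path.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
        findings.append(f"loaded from user-writable path: {path}")
    if signature_only_check(event) and not allowlist_check(event):
        findings.append("validly signed but not on the driver allowlist")
    return findings


def triage_all(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged driver path to its findings; clean loads are omitted."""
    return {e["ImageLoaded"]: triage(e) for e in events if triage(e)}


# Constructed sample records shaped like Sysmon Event ID 6 data.
SAMPLE_EVENTS = [
    {  # benign OS driver, on the allowlist
        "UtcTime": "2024-01-01 00:00:00.000",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
        "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222,IMPHASH=00000000000000000000000000000000",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {  # BYOVD pattern: valid third-party signature, known-vulnerable hash, dropped in Temp
        "UtcTime": "2024-01-01 00:00:01.000",
        "ImageLoaded": "C:\\Windows\\Temp\\vulndrv.sys",  # hypothetical file name
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111,IMPHASH=00000000000000000000000000000000",
        "Signed": "true", "Signature": "Example Vendor Co.", "SignatureStatus": "Valid",
    },
    {  # unsigned driver loaded from a user profile
        "UtcTime": "2024-01-01 00:00:02.000",
        "ImageLoaded": "C:\\Users\\Public\\drop.sys",  # hypothetical file name
        "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The second sample record is the one that matters: `signature_only_check` accepts it, `allowlist_check` rejects it, and `triage` flags it three times over (known-vulnerable hash, user-writable path, not on the allowlist). Swap the placeholder denylist for a real feed and the allowlist for the hashes gathered from a known-good image, and the same logic runs over exported Sysmon events.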
Second, the mobile attack surface continues to expand faster than our defenses. If your organization doesn’t have a solid mobile device management and security strategy, now’s the time to prioritize it.
Finally, the commoditization of advanced attack techniques means we can’t assume that sophisticated methods like BYOVD are limited to nation-state actors anymore. Ransomware affiliates and other criminal groups are adopting these techniques quickly.
The good news is that awareness of these issues is growing, and we’re seeing investment in new defensive approaches. But we definitely have our work cut out for us.
Sources
- 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security
- 1stProtect Emerges From Stealth With $20 Million in Funding
- Bitrefill blames North Korean Lazarus group for cyberattack
- Financial Brands Targeted in Global Mobile Banking Malware Surge
- EU Sanctions Companies in China, Iran for Cyberattacks