
Attackers Exploit Revoked EnCase Driver to Disable Endpoint Security Using New EDR Killer Malware

Threat actors are increasingly deploying a new strain of EDR killer malware capable of disabling 59 popular endpoint protection products. According to Huntress researchers, the malware abuses a Windows kernel driver that was once legitimately distributed with Guidance Software’s EnCase digital forensics tool.

Although the driver is genuine, its signing certificate expired and was revoked over a decade ago. Despite this, Windows systems still permit the driver to load, making it an attractive target for attackers.

Huntress analysts identified the intrusion earlier this month and determined that attackers followed a multi-step process. They initially gained entry into the victim’s environment by authenticating to a SonicWall SSLVPN using previously stolen credentials. Once inside, the attackers conducted internal reconnaissance before deploying the EDR killer malware, which contained the vulnerable kernel driver embedded within it.

To evade detection, the malware uses a custom encoding mechanism that conceals the driver from security tools. After decoding, the driver is written to disk under a directory that resembles a legitimate OEM component. The file is hidden, its timestamps are copied from an authentic system file to avoid suspicion, and it is registered as a Windows kernel service to ensure persistence across reboots.

“Once loaded, the driver exposes an IOCTL interface that allows usermode processes to terminate arbitrary processes directly from kernel mode. This bypasses all usermode protections, including Protected Process Light (PPL) that typically guards critical system processes and EDR agents,” the researchers explained.

This attack leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, which enables adversaries to achieve kernel-level access by abusing trusted but flawed drivers. Rather than developing a malicious driver from scratch, attackers reuse legitimate drivers created by hardware vendors or software providers.

After such a driver is loaded into the kernel, its vulnerabilities or exposed interfaces can be exploited to disable security tools, weaken system defenses, or directly access system memory.

While defenders have been aware of BYOVD attacks for years, mitigating them at scale remains challenging. Windows Driver Signature Enforcement (DSE) can block unsigned or altered drivers, but it does not validate Certificate Revocation Lists (CRLs).

“This limitation exists for practical reasons: drivers load early in the boot process before network services are available, and CRL checks would significantly impact boot performance. Even when a CRL is manually imported into local certificate storage, the kernel bypasses this check entirely,” the researchers explained.

To address this gap, Microsoft maintains a Vulnerable Driver Blocklist. However, this approach has an inherent weakness: only drivers already identified as malicious are included, leaving a window of opportunity for attackers to exploit new or overlooked drivers. Microsoft also allows certain exceptions to preserve backward compatibility.

“Drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed certificate authority are still permitted to load,” the researchers noted. “The EnCase driver’s certificate was issued on December 15, 2006, well before this cutoff.”
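The traits described above (a driver image hidden on disk under an OEM-looking path, timestamps copied from an older file, registration as a kernel service, and a signing certificate that predates the July 29, 2015 cutoff or has already expired) can all be checked from a defender's side with an inventory of registered kernel driver services. The following PowerShell script is an added example for this post, not code from Huntress or from the article; the cutoff date is the one quoted above, the function names are ours, and the heuristics are triage hints rather than verdicts (many legitimate older third-party drivers will carry the certificate-date flag on their own).

```powershell
# Added example, not code from the Huntress report or from this article.
# Audits every registered kernel driver service (running or not) for the
# traits described in the post. Run elevated so hidden image files and
# driver directories can be read.

$Cutoff       = [datetime]'2015-07-29'                       # cutoff date quoted in the article
$ExpectedRoot = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName appears in several NT/Win32 forms; normalise to a plain Win32 path.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                                # \??\C:\...         -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"           # \SystemRoot\...    -> C:\Windows\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"      # System32\...       -> C:\Windows\System32\...
    return $p
}

function Get-SuspiciousKernelDriver {
    # Enumerate registered drivers, not only loaded ones: the malware persists its
    # driver as a kernel service, so it is listed here even between loads.
    foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverImagePath $svc.PathName
        if (-not $path -or -not [IO.File]::Exists($path)) { continue }

        $file  = Get-Item -LiteralPath $path -Force                  # -Force: hidden files are returned too
        $sig   = Get-AuthenticodeSignature -LiteralPath $path
        $cert  = $sig.SignerCertificate
        $flags = New-Object System.Collections.Generic.List[string]

        if (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $flags.Add('HiddenFile') }
        if (-not $file.FullName.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $flags.Add('OutsideDriversDir')
        }
        # Timestomp heuristic: an image that claims to be older than the directory it
        # sits in was most likely dropped with timestamps copied from another file.
        if ($file.CreationTime -lt $file.Directory.CreationTime) { $flags.Add('OlderThanParentDir') }
        if ($sig.Status -ne 'Valid') { $flags.Add("Signature:$($sig.Status)") }
        if ($cert) {
            if ($cert.NotBefore -lt $Cutoff)    { $flags.Add('CertIssuedBeforeCutoff') }
            if ($cert.NotAfter -lt (Get-Date))  { $flags.Add('CertExpired') }
        }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Service   = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Image     = $file.FullName
                Signer    = if ($cert) { $cert.Subject } else { '(none)' }
                CertFrom  = if ($cert) { $cert.NotBefore.ToString('yyyy-MM-dd') } else { '' }
                Flags     = $flags -join ','
            }
        }
    }
}

# Usage: review the entries carrying the most flags first; a hidden image outside
# the drivers directory with copied timestamps and an old certificate is the
# combination described in the post.
Get-SuspiciousKernelDriver |
    Sort-Object { ($_.Flags -split ',').Count } -Descending |
    Format-Table -AutoSize
```

Note that `Get-AuthenticodeSignature` validates the file's signature chain in user mode and reports expiry, but, like the kernel, it does not tell you whether the certificate has since been revoked; the certificate dates are the useful signal here, and a hit on the cutoff flag should be cross-checked against the current Microsoft Vulnerable Driver Blocklist before acting on it.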

Huntress believes the attackers’ end goal was to deploy ransomware, but the campaign was stopped before reaching that stage. To reduce risk, the researchers recommend enabling multi-factor authentication across all remote access services and closely reviewing VPN logs for unusual activity. Organizations should also enable Memory Integrity to enforce Microsoft’s Vulnerable Driver Blocklist, watch for suspicious services masquerading as legitimate hardware components, and apply Windows Defender Application Control and Attack Surface Reduction rules to block the loading and abuse of known vulnerable drivers.
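The three host-side recommendations above (Memory Integrity, the Vulnerable Driver Blocklist, and the Attack Surface Reduction rule for vulnerable signed drivers) can be audited and applied from one elevated PowerShell session. The script below is an added example for this post, not code from the article or from Huntress; the registry paths and the ASR rule id `56a863a9-875e-4185-98a7-b882c64b5ce5` ("Block abuse of exploited vulnerable signed drivers") are taken from Microsoft's own documentation rather than from the article, and the function names are ours.

```powershell
# Added example, not code from the article or from Huntress.
# Reports whether the three mitigations named in the post are in place and,
# with -Remediate, turns them on. Run elevated; the blocklist and Memory
# Integrity settings take effect after a reboot.
param([switch]$Remediate)

# ASR rule "Block abuse of exploited vulnerable signed drivers" (documented Microsoft rule id)
$AsrVulnDriverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$CiConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$HvciKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-VulnerableDriverPosture {
    # Memory Integrity (HVCI): Win32_DeviceGuard.SecurityServicesRunning contains 2 when it is running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2

    # Microsoft Vulnerable Driver Blocklist switch (DWORD 1 = enabled)
    $bl = Get-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $blocklistOn = ($null -ne $bl) -and ($bl.VulnerableDriverBlocklistEnable -eq 1)

    # ASR rule state from Defender preferences (0 Disabled, 1 Block, 2 Audit, 6 Warn)
    $mp   = Get-MpPreference
    $ids  = @($mp.AttackSurfaceReductionRules_Ids)
    $acts = @($mp.AttackSurfaceReductionRules_Actions)
    $asrState = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrVulnDriverRuleId) {
            $asrState = switch ([int]$acts[$i]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
            }
        }
    }

    [pscustomobject]@{
        MemoryIntegrityRunning    = $hvciRunning
        VulnerableDriverBlocklist = $blocklistOn
        AsrVulnerableDriverRule   = $asrState
        Compliant                 = $hvciRunning -and $blocklistOn -and ($asrState -eq 'Block')
    }
}

function Enable-VulnerableDriverProtections {
    # Memory Integrity: documented registry toggle, applied by Windows at next boot
    if (-not (Test-Path $HvciKey)) { New-Item -Path $HvciKey -Force | Out-Null }
    Set-ItemProperty -Path $HvciKey -Name Enabled -Type DWord -Value 1

    # Vulnerable Driver Blocklist (enforced once Memory Integrity is active)
    if (-not (Test-Path $CiConfigKey)) { New-Item -Path $CiConfigKey -Force | Out-Null }
    Set-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable -Type DWord -Value 1

    # ASR rule in block mode; Add-MpPreference merges with rules already configured
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrVulnDriverRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

$posture = Get-VulnerableDriverPosture
$posture | Format-List
if ($Remediate -and -not $posture.Compliant) {
    Enable-VulnerableDriverProtections
    Get-VulnerableDriverPosture | Format-List
}
```

Run the script without arguments to get a posture report, and with `-Remediate` to apply the settings; Memory Integrity will refuse to start on hosts that still load drivers incompatible with it, so the reported `MemoryIntegrityRunning` value after the reboot is the check that matters, not the registry write itself.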