54 EDR Killers Leverage BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security

A new cybersecurity analysis has revealed that dozens of endpoint detection and response (EDR) killer tools are actively exploiting trusted system components to disable security protections. Researchers have identified 54 such tools leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique by abusing at least 35 signed but vulnerable drivers.

According to ESET, these tools are increasingly being used in ransomware attacks to neutralize security software before deploying file-encrypting malware. This approach allows attackers to evade detection during one of the most critical stages of an intrusion.

Security experts note that ransomware operations, especially those operating under ransomware-as-a-service (RaaS) models, frequently release updated malware variants. However, encryption activity tends to generate noticeable system changes, making stealth difficult. To address this challenge, attackers rely on EDR killers as a separate component to disable defenses in advance.

At the core of many of these tools is the BYOVD technique, which involves loading legitimate, signed drivers that contain known vulnerabilities. Because the operating system accepts the driver's valid signature, the driver loads normally; the attacker then abuses its flaws (typically an IOCTL that exposes arbitrary kernel memory read/write or process termination) to run code or manipulate state at kernel privilege, the same privilege the security product's own driver runs with.

With this elevated access, threat actors can terminate protected security processes, disable endpoint protections, and manipulate system behavior, often without triggering alerts, because the actions originate from a trusted, signed component. This undermines defenses that rely on user-mode process protection alone and highlights a weakness in the driver trust model: a valid signature proves origin, not absence of vulnerabilities.


The analysis also found that EDR killers fall into several categories. The most common are BYOVD-based tools, followed by script-based variants that use built-in administrative commands to stop or remove security services. Other tools repurpose legitimate anti-rootkit utilities to terminate protected processes, while a newer class of driverless tools blocks communication between security solutions and their management systems.

Researchers observed that these tools are developed and distributed by a wide range of threat actors. These include closed ransomware groups, developers modifying publicly available proof-of-concept code, and cybercriminals offering EDR killers as services in underground marketplaces.

The findings underscore a growing trend in cybercrime where attackers focus more on disabling defenses than hiding their malware. By separating defense evasion from ransomware execution, threat actors can operate more efficiently and adapt quickly when detection measures change.

To mitigate these risks, organizations are advised to implement layered security strategies. This includes blocking known vulnerable drivers (for example with Microsoft's vulnerable driver blocklist or an App Control/WDAC policy), collecting driver-load telemetry and alerting on loads from user-writable locations, monitoring for attempts to stop or remove security services, and adopting behavior-based detection that does not depend on the agent's own process surviving.
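The driver-load monitoring described above, written out as an added example (not ESET's tooling or any product's own logic): it triages Sysmon Event ID 6 (DriverLoad) style records against a denylist by SHA-256 and file name, and separately flags loads from user-writable directories. The denylist hashes, the vendor name and the four log records are constructed for illustration; a real deployment would populate the denylist from a vetted source and feed it live events.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records against a vulnerable-driver denylist.

Added illustration, not ESET's tooling. The denylist hashes, vendor name and
log records below are constructed for the example; a real deployment would
populate the denylist from a vetted source such as Microsoft's recommended
driver block rules and feed it live events.
"""

# Constructed SHA-256 -> known vulnerable driver name. Placeholder values only.
DENYLIST_SHA256 = {
    "5f" * 32: "vulndrv-a.sys",
    "c0" * 32: "oldkrnl.sys",
}
# File names seen in BYOVD tooling (constructed). Lower confidence than a hash:
# attackers rename drivers, and a legitimate copy may carry the same name.
DENYLIST_NAMES = {"vulndrv-a.sys", "oldkrnl.sys"}

# Directories a signed driver should not be loaded from on a managed host.
WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")


def parse_hashes(field: str) -> dict:
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage(rec: dict) -> list:
    """Return the reasons a driver-load record deserves attention (empty = clean)."""
    reasons = []
    path = rec["ImageLoaded"]
    name = path.rsplit("\\", 1)[-1].lower()
    sha256 = parse_hashes(rec.get("Hashes", "")).get("SHA256")

    if sha256 in DENYLIST_SHA256:
        reasons.append("denylisted hash (%s)" % DENYLIST_SHA256[sha256])
    if name in DENYLIST_NAMES:
        reasons.append("denylisted file name")
    if any(d in path.lower() for d in WRITABLE_DIRS):
        reasons.append("loaded from user-writable path")
    # Kept last on purpose: a BYOVD driver usually passes this check, which is
    # exactly why the hash and path checks above cannot be skipped.
    if rec.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def severity(reasons: list) -> str:
    """Hash match is high confidence; name or path alone is worth a look."""
    if any(r.startswith("denylisted hash") for r in reasons):
        return "high"
    return "medium" if reasons else "none"


def scan(records: list) -> dict:
    """Map each flagged ImageLoaded path to (severity, reasons)."""
    findings = {}
    for rec in records:
        reasons = triage(rec)
        if reasons:
            findings[rec["ImageLoaded"]] = (severity(reasons), reasons)
    return findings


# Constructed records in the shape of Sysmon Event ID 6 fields.
SAMPLE_RECORDS = [
    {   # Ordinary inbox driver: valid signature, not on any list.
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
        "Hashes": "SHA256=" + "11" * 32,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # Classic BYOVD: validly signed vendor driver dropped into ProgramData.
        "ImageLoaded": "C:\\ProgramData\\svc\\vulndrv-a.sys",
        "Hashes": "SHA256=" + "5f" * 32,
        "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid",
    },
    {   # Same vulnerable driver renamed: the name check misses it, the hash check does not.
        "ImageLoaded": "C:\\Users\\Public\\tmp\\svchelper.sys",
        "Hashes": "SHA256=" + "5f" * 32,
        "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid",
    },
    {   # Known-bad name in the drivers folder but a hash not on the list: needs a look.
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\oldkrnl.sys",
        "Hashes": "SHA256=" + "22" * 32,
        "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for path, (sev, reasons) in scan(SAMPLE_RECORDS).items():
        print("%-6s %s: %s" % (sev.upper(), path, "; ".join(reasons)))
```

Note that every sample driver carries a valid signature, so a rule that only checks `SignatureStatus` flags nothing; the hash match is what catches the renamed copy, and the path check is what catches a driver the denylist has not yet learned about.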
