Bypass Record

BYOVD (Vulnerable Driver) × SentinelOne Singularity

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing SentinelOne Singularity, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: SentinelOne Singularity
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: Critical
Status: in the wild
Disclosed: 2025-08-07
Config / version noted: Not stated

Provenance

Reported as

terminates EDR/AV processes, disabling endpoint defenses

Mechanism

HeartCrypt is delivered via droppers or trojanized utilities. It decodes and launches an obfuscated binary that loads a vulnerable signed driver (BYOVD) impersonating trusted security software (e.g., CrowdStrike Falcon). The kernel driver then terminates EDR/AV processes, disabling endpoint defenses. Multi-stage packing and resource encryption evade detection.

Detection & mitigation

Monitor for mass termination of security processes and services; alert on loading of drivers with revoked, expired, or untrusted certificates, especially those impersonating known security vendors. Enforce strict driver-signing policies and application allowlisting to block unauthorized binaries.
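As an added example (not code from the cited report or from any vendor), the two detection signals above, untrusted driver loads and a burst of security-process terminations, written as a small Python detector over constructed Sysmon-style events (driver load ID 6, process terminate ID 5). Field names follow Sysmon; the vendor and process-name lists, paths, signer and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed lists: signer strings a spoofed driver might carry and
# image names of security processes whose mass termination is suspicious.
SECURITY_VENDORS = ("crowdstrike", "sentinelone", "microsoft defender")
SECURITY_PROCESSES = {"sentinelagent.exe", "msmpeng.exe", "csfalconservice.exe"}
MASS_KILL_THRESHOLD = 3
WINDOW = timedelta(seconds=60)

def check_driver_load(ev):
    """Sysmon ID 6: alert on any non-Valid signature; flag vendor lookalike signers."""
    if ev["EventID"] != 6 or ev["SignatureStatus"] == "Valid":
        return None
    signer = ev.get("Signature", "").lower()
    return {"rule": "untrusted_driver_load", "image": ev["ImageLoaded"],
            "status": ev["SignatureStatus"],
            "vendor_lookalike": any(v in signer for v in SECURITY_VENDORS)}

def check_mass_termination(events):
    """Sysmon ID 5: alert when >= threshold security processes exit within WINDOW."""
    kills = sorted((ev["UtcTime"], ev["Image"]) for ev in events
                   if ev["EventID"] == 5
                   and ev["Image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES)
    for i, (t0, _) in enumerate(kills):
        burst = [img for t, img in kills[i:] if t - t0 <= WINDOW]
        if len(burst) >= MASS_KILL_THRESHOLD:
            return {"rule": "mass_security_process_termination",
                    "count": len(burst), "images": burst}
    return None

def run(events):
    """Apply both rules; returns the list of alerts (possibly empty)."""
    alerts = [a for a in map(check_driver_load, events) if a]
    mass = check_mass_termination(events)
    return alerts + [mass] if mass else alerts

# Constructed sample telemetry; paths, signer and timestamps are made up.
T0 = datetime(2025, 8, 7, 12, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": T0, "ImageLoaded": r"C:\Windows\Temp\fltdrv.sys",
     "Signature": "CrowdStrike Inc", "SignatureStatus": "Revoked"},
    {"EventID": 6, "UtcTime": T0, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": T0 + timedelta(seconds=5), "Image": r"C:\Agent\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": T0 + timedelta(seconds=9), "Image": r"C:\Defender\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": T0 + timedelta(seconds=12), "Image": r"C:\Falcon\CSFalconService.exe"},
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

The validly signed ntfs.sys load produces no alert, so the rule keys on signature status rather than on driver path alone; in production the process list and window would come from the environment's own agent inventory.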

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.