Bypass Record

BYOVD (Vulnerable Driver) × Various EDR vendors (over 300 endpoint security products)

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing various EDR vendors (over 300 endpoint security products), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Various EDR vendors (over 300 endpoint security products)
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2026-05-03
Config / version noted
Not stated

Provenance

Reported as

disable over 300 endpoint security products before encryption

Mechanism

Attackers gain initial access, then use DLL sideloading to drop a malicious DLL that loads a vulnerable signed driver (e.g., rwdrv.sys). The driver provides kernel memory access, allowing the malware to zero out EDR callback registrations (PsSetCreateProcessNotifyRoutine, etc.) and bypass Protected Process Light (PPL) to terminate security processes. Ransomware then executes in a blind environment.

Detection & mitigation

Monitor for the loading of known vulnerable drivers (e.g., rwdrv.sys) via Sysmon Event ID 6 (driver loaded) or EDR telemetry, and correlate with unexpected process terminations of security products. Mitigation includes enforcing Microsoft's vulnerable driver blocklist (via WDAC or HVCI) and restricting driver loading to only trusted, signed drivers.
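The correlation described above, as an added example that is not part of the cited report: it flags Sysmon Event ID 6 (driver loaded) records naming a known vulnerable driver and pairs them with Sysmon Event ID 5 (process terminated) records for security-agent processes within a short window. The driver list holds only rwdrv.sys (from the record); the agent image names, time window and the sample events are constructed placeholders.

```python
"""Correlate Sysmon driver-load events with unexpected security-process terminations.

Added example, not from the cited report. Assumes Sysmon is logging Event ID 6
(DriverLoad) and Event ID 5 (ProcessTerminate); all events below are constructed.
"""
from datetime import datetime, timedelta

# Vulnerable driver names to watch for: rwdrv.sys comes from the record;
# extend from your own blocklist (placeholder, no other names assumed here).
VULNERABLE_DRIVERS = {"rwdrv.sys"}

# Image names of security agents whose termination is unexpected
# (constructed placeholders; substitute the products deployed in your estate).
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}

WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed events using the Sysmon EventData field names:
# EID 6 carries ImageLoaded/Signed, EID 5 carries Image. UtcTime uses Sysmon's format.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-05-03 10:01:12.000",
     "ImageLoaded": "C:\\Windows\\Temp\\rwdrv.sys", "Signed": "true"},
    {"EventID": 5, "UtcTime": "2026-05-03 10:01:30.000",
     "Image": "C:\\Program Files\\EDR\\edr_agent.exe"},
    {"EventID": 5, "UtcTime": "2026-05-03 10:01:31.000",
     "Image": "C:\\Program Files\\AV\\av_service.exe"},
    {"EventID": 6, "UtcTime": "2026-05-03 11:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\benign.sys", "Signed": "true"},
    {"EventID": 5, "UtcTime": "2026-05-03 11:20:00.000",
     "Image": "C:\\Program Files\\EDR\\edr_agent.exe"},  # ordinary restart, no driver nearby
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def vulnerable_driver_loads(events):
    """Return EID 6 events whose loaded image is on the vulnerable-driver list."""
    return [e for e in events if e["EventID"] == 6 and _base(e["ImageLoaded"]) in VULNERABLE_DRIVERS]

def correlate(events, window=WINDOW):
    """For each vulnerable-driver load, list security-process terminations that follow
    within `window`. Returns [(driver_path, [terminated_images])]; an empty inner list
    still deserves attention, since the load alone is a blocklist hit."""
    alerts = []
    for load in vulnerable_driver_loads(events):
        t0 = _ts(load["UtcTime"])
        killed = [e["Image"] for e in events
                  if e["EventID"] == 5 and _base(e["Image"]) in SECURITY_PROCESSES
                  and t0 <= _ts(e["UtcTime"]) <= t0 + window]
        alerts.append((load["ImageLoaded"], killed))
    return alerts

if __name__ == "__main__":
    for driver, killed in correlate(SAMPLE_EVENTS):
        print(f"ALERT vulnerable driver {driver} loaded; terminated agents: {killed}")
```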


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.