  • 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

    A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 34 vulnerable drivers.

    EDR killer programs have been a common presence in ransomware intrusions, as they offer a way for affiliates to neutralize security software before deploying file-encrypting malware. This is done in an attempt to evade detection.

    “Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming,” ESET researcher Jakub Souček said in a report shared with The Hacker News.

    “More importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging.”

    EDR killers act as a specialized, external component that’s run to disable security controls before executing the lockers themselves, thereby keeping the latter simple, stable, and easy to rebuild. That’s not to say there have not been instances where EDR termination and ransomware modules have been fused into one single binary. Reynolds ransomware is a case in point.

    A majority of the EDR killers rely on legitimate yet vulnerable drivers to gain elevated privileges and achieve their goals. Among the nearly 90 EDR killer tools detected by the Slovakian cybersecurity company, more than half of them utilize the well-known BYOVD tactic simply because it’s reliable.

    “The goal of a BYOVD attack is to gain kernel-mode privileges, often called Ring 0,” Bitdefender explains. “At this level, code has unrestricted access to system memory and hardware. Since an attacker cannot load an unsigned malicious driver, they ‘bring’ a driver signed by a reputable vendor (such as a hardware manufacturer or an old antivirus version) that has a known vulnerability.”

    Armed with the kernel access, threat actors can terminate EDR processes, disable security tools, tamper with kernel callbacks, and undermine endpoint protections. The result is an abuse of Microsoft’s driver trust model to evade defenses, taking advantage of the fact that the vulnerable driver is legitimate and signed.

    The BYOVD-based EDR killers are primarily developed by three types of threat actors –

    • Closed ransomware groups like DeadLock and Warlock that do not rely on affiliates
    • Attackers forking and tweaking existing proof-of-concept code (e.g., SmilingKiller and TfSysMon-Killer)
    • Cybercriminals marketing such tools on underground marketplaces as a service (e.g., DemoKiller aka Бафомет, ABYSSWORKER, and CardSpaceKiller)

    ESET said it also identified script-based tools that make use of built-in administrative commands like taskkill, net stop, or sc delete to interfere with the regular functioning of security product processes and services. Select variants have also been found to combine scripting with Windows Safe Mode.

    “Since Safe Mode loads only a minimal subset of the operating system, and security solutions typically aren’t included, malware has a higher chance of disabling protection,” the company noted. “At the same time, such activity is very noisy, as it requires a reboot, which is risky and unreliable in unknown environments. Therefore, it is seen only rarely in the wild.”
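    As an added example (not code from ESET's report or the article), the following Python flags process-creation command lines that use the built-in commands named above (taskkill, net stop, sc delete) against a watchlist of security-product process or service names. The watchlist entries and the sample command lines are constructed placeholders, not real product names.

```python
# Watchlist of security-product process/service names: constructed placeholders
# for the example; in practice, list the actual EDR/AV image and service names.
WATCHLIST = {"edr_agent.exe", "edrsvc", "avscanner.exe", "avscanner"}

# Constructed process-creation command lines (not taken from the article).
SAMPLE_EVENTS = [
    "taskkill /F /IM edr_agent.exe",
    "net stop edrsvc /y",
    "sc delete edrsvc",
    "taskkill /F /IM notepad.exe",
    "sc query edrsvc",
    "cmd.exe /c net  stop  EDRSVC",
]

def _tokens(cmdline):
    # Lower-case, split on whitespace and drop a leading "cmd.exe /c" wrapper.
    toks = cmdline.lower().split()
    if toks[:2] in (["cmd.exe", "/c"], ["cmd", "/c"]):
        toks = toks[2:]
    return toks

def classify(cmdline):
    """Return a verdict string when the command line uses taskkill, net stop
    or sc delete against a watchlisted name; otherwise return None."""
    t = _tokens(cmdline)
    if not t:
        return None
    tool = t[0].rsplit("\\", 1)[-1]  # tolerate a full path to the binary
    if tool in ("taskkill", "taskkill.exe"):
        # taskkill names its target with /IM <image>; /F means forced.
        for i, tok in enumerate(t):
            if tok == "/im" and i + 1 < len(t) and t[i + 1] in WATCHLIST:
                return f"taskkill targeting {t[i + 1]}"
    elif tool in ("net", "net.exe", "net1", "net1.exe"):
        if len(t) >= 3 and t[1] == "stop" and t[2] in WATCHLIST:
            return f"net stop of service {t[2]}"
    elif tool in ("sc", "sc.exe"):
        if len(t) >= 3 and t[1] == "delete" and t[2] in WATCHLIST:
            return f"sc delete of service {t[2]}"
    return None

def scan(events):
    """Return (command line, verdict) pairs for every flagged event."""
    return [(e, classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_EVENTS):
        print(f"ALERT: {verdict}  <-  {cmd}")
```

    Benign uses of the same commands (the notepad kill and the sc query in the sample) are not flagged, which is what keeps a rule like this usable in a real environment.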

    The third category of EDR killers is anti-rootkits, which include legitimate utilities such as GMER, HRSword, and PC Hunter that offer an intuitive user interface to terminate protected processes or services. A fourth, emerging class is a set of driverless EDR killers like EDRSilencer and EDR-Freeze that block outbound traffic from EDR solutions and cause the programs to enter a “coma”-like state.

    “Attackers aren’t putting much effort into making their encryptors undetected,” ESET said. “Rather, all the sophisticated defense-evasion techniques have shifted to the user-mode components of EDR killers. This trend is most visible in commercial EDR killers, which often incorporate mature anti-analysis and anti-detection capabilities.”

    To combat ransomware and EDR killers, blocking commonly misused drivers from loading is a necessary defense mechanism. However, given that EDR killers are executed only at the last stage and just before launching the encryptor, a failure at this stage means the threat actor can easily switch to another tool to accomplish the same task.

    The implication is that organizations need layered defenses and detection strategies in place to proactively monitor, flag, contain, and remediate the threat at every stage of the attack lifecycle.

    “EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors undetectable, and affiliates, who possess an easy-to-use, powerful utility to disrupt defenses prior to encryption,” ESET said.

  • Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers

    By Ravie Lakshmanan, Mar 19, 2026, Cyber Espionage / Threat Intelligence

    Cybersecurity researchers have flagged a new malware dubbed Speagle that hijacks the functionality and infrastructure of a legitimate program called Cobra DocGuard.

    “Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server,” Symantec and Carbon Black researchers said in a report published today.

    Cobra DocGuard is a document security and encryption platform developed by EsafeNet. The abuse of this software in real-world attacks has been publicly recorded twice to date. In January 2023, ESET documented an intrusion where a gambling company in Hong Kong was compromised in September 2022 via a malicious update pushed by the software.

    Later that August, Symantec highlighted the activity of a new threat cluster codenamed Carderbee, which was found using a trojanized version of the program to deploy PlugX, a backdoor widely used by Chinese hacking groups like Mustang Panda. The attacks targeted multiple organizations in Hong Kong and other Asian countries.

    Speagle remains unattributed to date. But what makes the malware noteworthy is that it’s designed to gather and exfiltrate data from only those systems that have the Cobra DocGuard data protection software installed. The activity is being tracked under the moniker Runningcrab.

    “This indicates deliberate targeting, possibly to facilitate intelligence collection or industrial espionage,” the Broadcom-owned threat hunting teams said. “At present, we believe the most likely hypotheses are that it is either the work of a state-sponsored actor or the work of a private contractor available for hire.”

    Exactly how the malware is delivered to victims is unknown, although it’s suspected that it may have been done via a supply chain attack, as evidenced by the two aforementioned cases. 

    In addition, the central role played by the security software and its infrastructure deserves a mention. Not only does Speagle use a legitimate Cobra DocGuard server for command-and-control (C2) and as a data exfiltration point, it also invokes a driver associated with the program to delete itself from the compromised host.

    The 32-bit .NET executable, once launched, first checks the installation folder of Cobra DocGuard and then proceeds to harvest and transmit data from the infected machine in phases. This includes details about the system and files located in specific folders, such as those that contain web browser history and autofill data.

    What’s more, one variant of Speagle has been found to incorporate additional functionality to turn on/off certain types of data collection, as well as search for files related to Chinese ballistic missiles like Dongfeng-27 (aka DF-27).

    “Speagle is a novel, parasitic threat that cleverly makes use of Cobra DocGuard’s client to mask its malicious activity and its infrastructure to hide exfiltration traffic,” researchers said. “Its developer no doubt took notice of previous supply chain attacks using the software and may have selected it both for its perceived vulnerability and its high rate of use among targeted organizations.”

  • Gulf Allies Fuming at Israel and US After Gas Field Bombing, Report Says

    By Sharon Zhang

    This article was originally published by Truthout

    Reports say Arab countries are furious that the US gave the go ahead to Israel’s strike on a key gas facility this week.

    Arab countries are fuming after the U.S. and Israel escalated their war on Iran with an attack on a key natural gas field this week, an attack that Arab states reportedly sought to prevent in order to head off further chaos in the global energy industry.

    The Wall Street Journal reports that Arab countries were “furious” about Israel’s attack on the South Pars natural gas field on Wednesday. The field provides most of Iran’s natural gas, serving as a lifeline for the country after decades of heavy sanctions on its energy by the U.S. The natural gas field is the largest in the world, and is co-owned by Qatar.

    The attack represents a major escalation of the war, and Iran retaliated by striking several oil and gas infrastructure sites across the region, after giving warnings that they were doing so. This includes an attack on the Ras Laffan gas facility in Qatar, the world’s largest liquefied natural gas (LNG) production facility. Roughly 20 percent of the world’s LNG supply is produced at the facility.

    Iran also struck oil and gas infrastructure in Saudi Arabia, the United Arab Emirates, and Kuwait, among other countries.

    WSJ, citing unnamed officials, reported that Arab countries were angered by “the U.S. failure to head [Israel’s attack] off” and “had aggressively lobbied the Trump administration to stop U.S. and Israeli strikes on Iranian energy infrastructure and now feel a target has been put on their backs.” 

    Qatari Ministry of Foreign Affairs spokesperson Majed al-Ansari said that Israel’s attack is “a dangerous & irresponsible step” in a statement on X. “Targeting energy infrastructure constitutes a threat to global energy security,” al-Ansari said, urging de-escalation. Qatar also condemned Iran’s retaliation, ordering several Iranian military and diplomatic officials to leave Qatar within 24 hours.

    The UAE’s Ministry of Foreign Affairs said in a statement that Israel’s attack is a “serious escalation,” and represents targeting of civilian infrastructure.

    Qatar’s state owned QatarEnergy said on Thursday that Iranian attacks have taken out 17 percent of the company’s exports. The company said it would have to declare force majeure in order to cancel contracts with Italy, Belgium, South Korea, and China, meaning that it would invoke clauses that allow the company to pull out due to extraordinary circumstances. 

    The damages will take three to five years to repair and cost tens of billions of dollars, according to QatarEnergy’s CEO and the state’s minister for energy affairs, Saad al-Kaabi. Al-Kaabi expressed frustration that Iran, a “brotherly Muslim country,” would attack Qatar’s facilities this way during Ramadan. “If Israel attacked Iran, it’s between Iran and Israel. It has nothing to do with us and the region,” al-Kaabi told Reuters.

    President Donald Trump, potentially sensing the anger from Arab countries, has sought to distance himself from Israel’s South Pars strike. In a post on Truth Social on Wednesday evening, Trump said that Israel “violently lashed out” and that it would not be attacking that field again. 

    He also claimed that the U.S. “knew nothing about this particular attack,” but reporting contradicts this claim. Numerous outlets, citing Israeli and U.S. officials, have reported that the attack was carried out in coordination with the U.S. WSJ even reported that Trump himself approved the strike, and that it was done “to pressure Iran to unblock the Strait of Hormuz.”

    Trump’s backtracking comes after oil and gas prices once again spiked after Israel’s strike, rising after what has already been a historically fast price change caused by the war.


    This article was originally published by Truthout and is licensed under Creative Commons (CC BY-NC-ND 4.0). Please maintain all links and credits in accordance with our republishing guidelines.
