vulnerable driver

Tech Optimizer
November 6, 2025
Acronis Threat Research Unit (TRU) analyzed the DragonForce ransomware cartel, which emerged in 2023 as a Ransomware-as-a-Service (RaaS) operation and transitioned to a cartel model. DragonForce utilizes leaked Conti v3 code and has similarities with LockBit Green in encryption and backend configurations. By early 2025, it rebranded as the “DragonForce Ransomware Cartel,” offering affiliates 80 percent profit shares and infrastructure support. The cartel has over 200 victims from various sectors since late 2023 and is known for its attack on Marks & Spencer, collaborating with Scattered Spider. DragonForce employs bring-your-own-vulnerable-driver (BYOVD) techniques to evade endpoint protection and has improved its encryption methods. The group has spawned offshoots like Devman and Mamona, which utilize its enhanced encryptor.
Winsage
October 16, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include several critical flaws:
- CVE-2016-7836: SKYSEA Client View Improper Authentication Vulnerability
- CVE-2025-6264: Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
- CVE-2025-24990: Microsoft Windows Untrusted Pointer Dereference Vulnerability
- CVE-2025-47827: IGEL OS Use of a Key Past its Expiration Date Vulnerability
- CVE-2025-59230: Microsoft Windows Improper Access Control Vulnerability
Details of the vulnerabilities include:
- CVE-2016-7836 allows remote code execution due to inadequate authentication in SKYSEA Client View.
- CVE-2025-6264 permits arbitrary command execution in Rapid7 Velociraptor, potentially leading to endpoint takeover.
- CVE-2025-24990 and CVE-2025-59230 are zero-day vulnerabilities in Microsoft Windows that facilitate privilege escalation.
- CVE-2025-47827 impacts IGEL OS, allowing for a Secure Boot bypass and potential deployment of kernel-level rootkits.
Federal agencies must address these vulnerabilities by November 4, 2025, as per Binding Operational Directive (BOD) 22-01. Private organizations are also advised to review the KEV catalog for necessary actions.
Tech Optimizer
September 24, 2025
Endpoint detection and response (EDR) systems and antivirus protections are increasingly targeted by threat actors using sophisticated techniques. A new method called EDR-Freeze has been introduced, which utilizes Windows Error Reporting and the MiniDumpWriteDump function to hibernate antivirus processes without needing to install vulnerable drivers. This technique operates entirely in user mode and was disclosed by an anonymous researcher known as Two One Seven Three on Zero Salarium. The MiniDumpWriteDump function suspends all threads within a target process while the dump is written, which is necessary to avoid memory corruption. The researcher faced challenges with the rapid execution of MiniDumpWriteDump and the security measures protecting EDR and antivirus processes. By reverse-engineering the WerFaultSecure program, the researcher enabled MiniDumpWriteDump for any chosen process and integrated it with the CreateProcessAsPPL tool to bypass Protected Process Light (PPL) protections. The researcher proposed a race condition attack consisting of four steps: executing WerFaultSecure with WinTCB-level protection, configuring it to dump the target process, monitoring the target process until it is suspended, and then suspending the WerFaultSecure process. A tool to execute this exploit is available on GitHub, and another researcher has developed a KQL rule for its detection. The EDR-Freeze technique exploits a weakness in the WerFaultSecure program; because it needs no driver, it sidesteps the drawbacks of the BYOVD method while allowing flexible control over EDR and antivirus programs.
Winsage
September 22, 2025
A new technique called EDR-Freeze allows evasion of security solutions through Microsoft's Windows Error Reporting (WER) system, enabling attackers to suspend endpoint detection and response (EDR) tools without relying on vulnerable drivers. Security researcher TwoSevenOneThree utilized the WER framework and the MiniDumpWriteDump API to indefinitely suspend EDR and antivirus processes by exploiting the WerFaultSecure component, which operates with Protected Process Light (PPL) privileges. The method involves spawning WerFaultSecure, invoking MiniDumpWriteDump on the target process, monitoring the target until it is suspended, and then freezing the dumper. A tool has been developed to automate this process, successfully tested on Windows 11 24H2, which froze the Windows Defender process. To mitigate this attack, monitoring WER for identifiers linked to sensitive processes is recommended, and security researcher Steven Lim has created a tool to map WerFaultSecure to Microsoft Defender Endpoint processes. Microsoft has the opportunity to enhance these components against misuse by implementing restrictions on suspicious invocations.
Tech Optimizer
September 22, 2025
A security researcher has developed a tool called EDR-Freeze that allows for the temporary disabling of endpoint detection and response (EDR) systems and antivirus software without using vulnerable drivers. EDR-Freeze exploits the Windows Error Reporting functionality to execute a race condition attack that suspends security processes, specifically targeting the WerFaultSecure.exe process. The tool can successfully suspend the MsMpEng.exe process of Windows Defender on Windows 11 24H2. It operates entirely in user mode and uses legitimate Windows components, making detection more difficult for security teams. The source code for EDR-Freeze is publicly available on GitHub, intended for legitimate security research, but poses risks of misuse by malicious actors. Security teams are advised to monitor for suspicious activity related to WerFaultSecure.exe and to enhance their process protection mechanisms.
Tech Optimizer
September 21, 2025
EDR-Freeze is a proof-of-concept tool developed by Zero Salarium that can place Endpoint Detection and Response (EDR) and antivirus solutions into a suspended state. It utilizes the MiniDumpWriteDump function from the Windows DbgHelp library to achieve this by extending the suspension of target processes. The tool circumvents the Protected Process Light (PPL) security feature using WerFaultSecure.exe, which operates at a high privilege level. By launching WerFaultSecure.exe with specific parameters, EDR-Freeze can monitor and suspend it, preventing the target EDR or antivirus process from resuming. A test on Windows 11 24H2 successfully suspended the MsMpEng.exe process of Windows Defender. Detecting this technique involves monitoring for unusual executions of WerFaultSecure.exe targeting sensitive process IDs.
Tech Optimizer
September 2, 2025
The Chinese threat group Silver Fox has exploited the WatchDog Antimalware driver to disable antivirus and endpoint detection tools as part of a strategy called "Bring Your Own Vulnerable Driver." They have also targeted the Zemana Anti-Malware driver (ZAM.exe) to ensure compatibility across Windows 7, 10, and 11. Initial infection methods are speculated to involve phishing or social engineering. The attackers used infrastructure in China to host loader binaries with anti-analysis features, which included hardcoded lists of targeted security processes for termination and facilitated the deployment of ValleyRAT malware. Check Point Research noted that the exploitation of the WatchDog driver has evolved, prompting WatchDog to release an update for a local privilege escalation flaw, although concerns about arbitrary process termination persist. IT teams are advised to update blocklists, implement YARA detection rules, and monitor network traffic to mitigate risks.
Winsage
August 30, 2025
In mid-2025, a campaign attributed to the Silver Fox Advanced Persistent Threat (APT) began exploiting a vulnerable Microsoft-signed WatchDog Antimalware driver (amsdk.sys, version 1.0.600) to compromise modern Windows environments. The attackers use the driver's arbitrary process termination capability to bypass endpoint detection and antivirus protections on fully patched Windows 10 and 11 systems. The attack starts with a loader that checks for virtual machines and sandboxes before dropping two drivers into a new directory. These drivers are registered as kernel services, and the loader ensures persistence. The campaign's logic then terminates security service processes by exploiting the driver's vulnerabilities, allowing the injection of a ValleyRAT downloader module that connects to Chinese-hosted C2 servers. After the vulnerability was disclosed, a patched driver (wamsdk.sys, version 1.1.100) was released, but Silver Fox adapted by modifying the driver's signature timestamp to evade detection while maintaining the signature's validity.
Tech Optimizer
August 30, 2025
Most modern Windows PCs rely on Microsoft Defender for malware protection. A hacker group has exploited a legitimate Intel CPU tuning driver in a "Bring Your Own Vulnerable Driver" (BYOVD) attack to disable Microsoft Defender. This method has been observed since mid-July 2025 and is used in active ransomware campaigns. The Akira ransomware group utilizes the Intel driver rwdrv.sys from ThrottleStop to gain kernel-level access, then installs a malicious driver hlpdrv.sys to modify the DisableAntiSpyware registry setting, effectively shutting down Microsoft Defender. Akira has also targeted SonicWall VPN devices, exploiting the known vulnerability CVE-2024-40766. Security firm GuidePoint has identified this method in Akira campaigns and has published detection rules and indicators for monitoring. Recommendations for protection include using strong antivirus software, limiting exposure to threats, avoiding unexpected commands, keeping software updated, using two-factor authentication, and investing in personal data removal services.