Even though the driver's digital certificate was revoked over ten years ago, threat actors are still using the Windows kernel driver of a forensic tool to destroy security products. Huntress security researchers described in a blog post on Wednesday how the company handled an intrusion earlier this month in which the threat actor gained initial access to the victim's network using compromised SonicWall SSL VPN credentials.

The real kicker, though, was how the attacker evaded detection: they disabled security products throughout the network by using the Windows kernel driver of a genuine forensic toolset called EnCase as a weapon.

The attack method, called bring-your-own-vulnerable-driver (BYOVD), entails using a driver's elevated privileges and kernel-level access to end security processes before an intrusion is discovered. Such tools, also referred to as EDR killers, have increasingly been used by threat actors to disable endpoint detection and response (EDR) platforms, frequently in ransomware attacks.

## How the EDR Killer Was Stopped

Fortunately, the intrusion was stopped before the threat actor could infect the victim network with ransomware.

Additionally, it allowed Huntress researchers to break down the attack and examine the tools used by the threat actor.

The EDR killer used in this intrusion is a 64-bit Windows executable that bundles the EnCase driver and poses as a genuine firmware update tool. The tool also employed an intriguing obfuscation technique: rather than encrypting the code, the developer created a custom wordlist-based substitution cipher that turned every byte of the driver into an English word. According to Pham and Agha, "this technique is particularly effective at evading static analysis tools, as the encoded payload appears to be nothing more than innocuous English text scattered throughout the binary's data section."
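For an analyst who has recovered the tool's 256-entry wordlist, the "innocuous English text" can be mapped straight back to bytes and checked for a PE header. The following is an added illustration, not code from Huntress or from the tool itself; the wordlist, the `decode_words`/`looks_like_pe`/`distinct_token_count` helpers and the sample payload are all constructed for this example.

```python
"""Defender-side triage for a wordlist-substitution-encoded payload.

The tool described above maps each byte of the embedded driver to an English word.
Once the 256-entry wordlist is recovered from the binary, the "text" region can be
mapped back to bytes and checked for an MZ/PE header. The wordlist below is a
constructed stand-in, not the one the attacker used.
"""
import re
import struct

# Constructed 16x16 vocabulary -> 256 distinct tokens; token i stands for byte value i.
_PREFIXES = ["red", "blue", "green", "gold", "cold", "warm", "dark", "pale",
             "tall", "short", "wide", "thin", "old", "new", "wet", "dry"]
_SUFFIXES = ["cat", "dog", "bird", "fish", "tree", "rock", "road", "lake",
             "hill", "door", "book", "lamp", "ship", "coin", "leaf", "bell"]
WORDLIST = [p + s for p in _PREFIXES for s in _SUFFIXES]
WORD_TO_BYTE = {w: i for i, w in enumerate(WORDLIST)}


def decode_words(text, word_to_byte=WORD_TO_BYTE):
    """Map every alphabetic token back to the byte it stands for; fail on unknown words."""
    out = bytearray()
    for token in re.findall(r"[A-Za-z]+", text):
        value = word_to_byte.get(token.lower())
        if value is None:
            raise ValueError(f"token not in wordlist: {token!r}")
        out.append(value)
    return bytes(out)


def looks_like_pe(blob):
    """True if blob has an MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def distinct_token_count(text):
    """Triage hint: a long 'prose' region drawn from at most 256 distinct words is unusual."""
    return len({t.lower() for t in re.findall(r"[A-Za-z]+", text)})


# Constructed sample: a minimal MZ/PE header skeleton (not a real driver), encoded
# word-per-byte with the constructed wordlist, as the article describes.
SAMPLE_BYTES = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_TEXT = " ".join(WORDLIST[b] for b in SAMPLE_BYTES)

if __name__ == "__main__":
    recovered = decode_words(SAMPLE_TEXT)
    print(distinct_token_count(SAMPLE_TEXT), looks_like_pe(recovered))
```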