www.darkreading.com 2/5/2026, 11:01:08 PM · via preferred

EnCase Driver Weaponized as EDR Killers Persist

Researchers at Huntress detailed how threat actors weaponized the Windows kernel driver of EnCase, a legitimate forensic toolset, to terminate security products across a network. The BYOVD (bring your own vulnerable driver) technique leverages a driver with an expired or revoked certificate that Windows will still load, a gap in Driver Signature Enforcement that attackers continue to abuse.

The EDR killer is a 64-bit Windows executable containing the EnCase driver, and it was disguised as a legitimate firmware update utility with an obfuscated payload. The attack also targeted 59 processes from major cybersecurity vendors, including Microsoft, CrowdStrike, SentinelOne, Kaspersky, Sophos and ESET, though the Huntress agent itself was not among them.

The intrusion was first detected when Huntress’s EDR platform saw the threat actor deploy the binary on an endpoint, with SonicWall telemetry helping to trace the initial access. Recommended mitigations include MFA for VPN accounts, reviewing VPN logs, and enabling WDAC driver block rules and Hypervisor-protected Code Integrity (HVCI) in Windows. 5 February 2026.
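As an added example (not from the article or from Huntress), the following PowerShell script audits a host for the mitigations named above and lists running kernel drivers whose signing certificate has expired or whose signature does not verify, the category a BYOVD driver like the one described would fall into. It assumes an elevated session on a supported Windows 10/11 or Server build; the CIM class and registry value names are Microsoft-documented.

```powershell
# Added example: audit a Windows host against BYOVD-style EDR killers.
# Run from an elevated PowerShell session.

# 1. Is Hypervisor-protected Code Integrity (HVCI) actually running?
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$hvciRunning = $dg.SecurityServicesRunning -contains 2    # 2 = HVCI, 1 = Credential Guard
[pscustomobject]@{ Control = 'HVCI running'; Enabled = $hvciRunning }

# 2. Is the Microsoft vulnerable driver blocklist switched on?
#    An absent value means the platform default applies; 1 means explicitly enabled.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
[pscustomobject]@{ Control = 'Vulnerable driver blocklist'; Value = $blocklist }

# 3. Which running kernel drivers are signed with a certificate that has already
#    expired, or carry a signature that no longer verifies? Expired is not the same
#    as malicious (timestamped signatures stay valid), but these are the drivers
#    to review first, since a BYOVD payload relies on exactly this gap.
$now = Get-Date
Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Normalise the path forms Win32_SystemDriver returns (\??\C:\..., \SystemRoot\..., relative)
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Driver      = $_.Name
            Path        = $path
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { $null }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            CertExpired = if ($cert) { $cert.NotAfter -lt $now } else { $null }
        }
    } |
    Where-Object { $_.CertExpired -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Review the third table against your driver inventory; a driver from a forensic or hardware-vendor toolset that you never deployed is the signal the article describes.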


Article by CyberSIXT