ClickFix's Mushrooming Ecosystem Demands New Defense Tactics
The attack vector is available for rent at scale, and evades AV and EDR, leaving YARA analysis as the best detection option.
Stay informed on the latest in Endpoint Detection & Response (EDR): Expert insights, attack prevention, and advanced threat management solutions.
Search across headline titles and summaries.
Background for this topic.
Endpoint Detection and Response (EDR) is software that records endpoint activity—such as process launches, file changes, scripts, logins, and network connections—to detect suspicious behavior and support investigation. It can alert analysts, trace an intrusion across affected devices, and take actions such as isolating an endpoint or terminating a process. Its purpose is to reduce attacker dwell time and limit movement after an endpoint is compromised.
EDR is most useful against techniques that evade simple antivirus signatures, but it is not a guarantee of visibility: attackers may exploit unmonitored devices, disable or tamper with an agent, or blend into legitimate administration. Effective deployment requires broad, maintained coverage; protected agents and access controls; sensible alert tuning; and retention of telemetry for threat hunting and scoping incidents. Organizations should regularly test isolation and response actions, address agent and endpoint vulnerabilities, and account for the privacy and access implications of collecting detailed user and device activity.
Weekly headline count for the current query.
The attack vector is available for rent at scale, and evades AV and EDR, leaving YARA analysis as the best detection option.
macos-xpc-flaw-disable-edr-mdm-standard-user-xm-cyber
ESET details GentleKiller, the EDR-killer framework the Gentlemen ransomware gang gives affiliates
It’s Monday again
The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor
The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks. [...]
Eset Links Group's Growth to Integrated Endpoint-Killing ToolsEset researchers say the rapidly growing Gentlemen ransomware operation differentiates itself by supplying affiliates with a standardized EDR-killer suite that disables security tools, quickly incorporates newly disclosed vulnerable drivers and helps scale attacks across multiple regions worldwide.
Python scripts were used to test malware against endpoint detection and response agents from Sophos, CrowdStrike, and Windows Defender.
A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions. [...]
A threat actor used AI coding tools to build and test EDR evasion malware, Sophos finds
Most organizations now recognize that endpoint protection alone is no longer sufficient
Stopping EDR killers, which employ bring-your-own-vulnerable-driver (BYOVD) attack techniques, is difficult, but not impossible.
Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro
A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique
A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 35 vulnerable drivers
Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of “yeah… this is probably going to show up in real incidents sooner than we’d like.” The pattern this week feels familiar in a slightly annoying way. Old tricks are getting polished. New research shows how
BlackSanta malware targets HR staff with fake resumes, kills EDR and steals system data
For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta. [...]
A new technique dubbed "Zombie ZIP" helps conceal payloads in compressed files specially created to avoid detection from security solutions such as antivirus and endpoint detection and response (EDR) products. [...]
Russian-speaking attackers lure HR staff into downloading ISO files that disable defenses A Russian-speaking cyber criminal is targeting corporate HR teams with fake CVs that quietly install malware which can disable security tools before stealing data from infected machines.…