BYOVD Attacks in 2026: How Hackers Use Signed Drivers to Kill EDR

BYOVD Attacks in 2026: How Hackers Exploit Signed Drivers to Bypass EDR

"54 EDR killers exploiting 35 signed vulnerable drivers—how attackers are winning the cat-and-mouse game."

This headline, making waves in cybersecurity circles recently, underscores a growing threat: Bring Your Own Vulnerable Driver (BYOVD) attacks. In 2026, these attacks have surged, with threat actors increasingly leveraging legitimate, signed drivers to bypass modern Endpoint Detection and Response (EDR) tools. The result? A stealthy, effective method for disabling security defenses and gaining unfettered access to systems.

But what exactly is a BYOVD attack, and why has it become such a pressing concern this year? More importantly, how can organizations detect and mitigate these threats before they lead to a full-blown breach?

---

What Is a BYOVD Attack?

A Bring Your Own Vulnerable Driver (BYOVD) attack is a technique where threat actors exploit legitimate, signed drivers containing known vulnerabilities to execute malicious activities in the kernel mode of an operating system. Because these drivers are signed by trusted vendors (e.g., Microsoft, hardware manufacturers), they bypass security checks, allowing attackers to:

• Disable EDR/XDR tools by terminating security processes or manipulating kernel callbacks.
• Escalate privileges to SYSTEM level, granting full control over the compromised machine.
• Install rootkits or bootkits for persistent access.
• Bypass security features like Hypervisor-Protected Code Integrity (HVCI) and Secure Boot.

The rise of BYOVD attacks in 2026 is no accident. It’s a direct response to the increasing effectiveness of modern EDR solutions. As security vendors harden user-mode defenses, attackers have shifted their focus to the kernel, where detection is far more challenging.

---

Why BYOVD Attacks Are Surging in 2026

Several factors have contributed to the recent spike in BYOVD attacks:

1. Abundance of Vulnerable Signed Drivers

   • Researchers have identified over 35 signed drivers actively exploited in the wild, with new ones emerging regularly. Many of these drivers were never intended for malicious use but contain flaws that attackers can weaponize.
   • Example: RTCore64.sys (used in BlackByte ransomware attacks) and gdrv.sys (abused by RobbinHood ransomware) have become go-to tools for threat actors.

2. Microsoft’s Driver Signing Policy

   • Microsoft requires drivers to be digitally signed to load in Windows. While this policy improves security, it also creates a trust paradox: attackers abuse this trust by exploiting signed drivers that contain vulnerabilities.
   • Even if Microsoft revokes a driver’s signature, attackers can still use older, vulnerable versions that remain trusted on many systems.

3. EDR Evasion Tactics Are Evolving

   • Traditional malware often operates in user mode, where EDR tools can easily detect suspicious behavior. BYOVD attacks, however, operate in kernel mode, where visibility is limited.
   • Attackers can disable EDR hooks, manipulate process lists, and bypass PatchGuard (Microsoft’s kernel protection mechanism), making detection nearly impossible without specialized tools.

4. Ransomware and APT Groups Are Adopting BYOVD

   • Ransomware gangs (e.g., BlackByte, LockBit) use BYOVD to disable security tools before encrypting files.
   • Advanced Persistent Threat (APT) groups (e.g., Lazarus Group) leverage BYOVD for espionage and data exfiltration.

According to a recent report from CrowdStrike, BYOVD attacks increased by over 40% in 2025, with no signs of slowing down in 2026.

---

How BYOVD Attacks Work: The Anatomy of an EDR Bypass

To understand why BYOVD attacks are so effective, let’s break down a typical attack chain:

Step 1: Identify a Vulnerable Signed Driver

Attackers start by selecting a driver with known vulnerabilities. Popular sources include:

• LOLDrivers.io – A curated list of abused drivers.
• Microsoft’s Vulnerable Driver Blocklist – A list of drivers Microsoft has flagged as risky.
• GitHub repositories – Some attackers reverse-engineer drivers to find new vulnerabilities.

Step 2: Load the Driver into the Kernel

Since the driver is signed, Windows allows it to load without raising alarms. Attackers use tools like:

• SharpLoader – A .NET-based tool for loading drivers.
• EDRKill – An open-source tool designed to disable EDR processes.

Step 3: Exploit the Driver’s Vulnerabilities

Once loaded, the attacker exploits the driver’s flaws to:

• Gain arbitrary read/write access to kernel memory.
• Escalate privileges to SYSTEM (the highest privilege level in Windows).
• Disable EDR hooks by manipulating kernel callbacks or terminating security processes.

Step 4: Disable EDR and Establish Persistence

With EDR out of the way, attackers can:

• Deploy ransomware (e.g., BlackByte, LockBit).
• Install a rootkit for long-term access.
• Exfiltrate data without detection.

---

Real-World Examples: How Attackers Use BYOVD

Case Study 1: BlackByte Ransomware and RTCore64.sys

In a recent attack, the BlackByte ransomware gang used RTCore64.sys, a driver from Micro-Star MSI Afterburner, to disable security tools. Here’s how it worked:

1. The attacker gained initial access via phishing.
2. They loaded RTCore64.sys, which allowed them to read and write kernel memory.
3. Using this access, they disabled Windows Defender and CrowdStrike Falcon.
4. Finally, they deployed ransomware and encrypted the victim’s files.

This attack was particularly effective because RTCore64.sys is a legitimate driver, making it difficult for EDR tools to flag it as malicious.

Case Study 2: Lazarus Group and wgkrnl.sys

The Lazarus Group, a North Korean APT group, has been observed using wgkrnl.sys (a driver from WinGate) in espionage campaigns. The attack chain included:

1. Initial compromise via a zero-day exploit.
2. Loading wgkrnl.sys to gain kernel access.
3. Disabling EDR hooks to evade detection.
4. Exfiltrating sensitive data over an extended period.

This case highlights how nation-state actors are leveraging BYOVD for long-term persistence.

---

The Most Exploited Signed Drivers in 2026

Not all signed drivers are created equal—some have become favorites among attackers due to their widespread use and known vulnerabilities. Here are the top 5 most abused drivers in 2026:

Driver	Vendor	Vulnerability	Used By	CVE ID
RTCore64.sys	Micro-Star MSI	Arbitrary read/write	BlackByte, LockBit	CVE-2019-16098
gdrv.sys	Gigabyte	Privilege escalation	RobbinHood ransomware	CVE-2018-19320
PROCEXP152.sys	Microsoft (Process Explorer)	Kernel-mode execution	APT groups	CVE-2021-31956
AsIO.sys	ASUS	Memory corruption	Lazarus Group	CVE-2021-40528
WinRing0.sys	Open-source	Used in rootkits	Cryptojacking campaigns	N/A

Where Are Attackers Finding These Drivers?

• LOLDrivers.io – A community-driven list of abused drivers.
• Microsoft’s Vulnerable Driver Blocklist – Updated quarterly, but attackers often use older versions.
• GitHub – Some drivers are open-source, making them easy to modify for malicious purposes.

Emerging Threats: New Drivers Being Weaponized in 2026

While the drivers above remain popular, attackers are always looking for new targets. Recently, researchers have observed:

• NVIDIA drivers (e.g., nvlddmkm.sys) being exploited in cryptojacking campaigns.
• AMD drivers (e.g., amdkmdag.sys) used in privilege escalation attacks.
• Intel drivers (e.g., iqvw64e.sys) leveraged for kernel-mode execution.

---

How Attackers Disable EDR with BYOVD: A Full Attack Chain

To illustrate how BYOVD attacks unfold, let’s walk through a real-world attack scenario:

Phase 1: Initial Access

• The attacker sends a phishing email with a malicious attachment.
• The victim opens the attachment, executing a Cobalt Strike beacon or custom malware.

Phase 2: Driver Loading

• The attacker downloads RTCore64.sys (a vulnerable, signed driver) from a legitimate source.
• They use SharpLoader to load the driver into the kernel.
• Since the driver is signed, Windows allows it to load without raising alarms.

Phase 3: Privilege Escalation

• The attacker exploits CVE-2019-16098 (a vulnerability in RTCore64.sys) to gain arbitrary read/write access to kernel memory.
• They escalate privileges to SYSTEM, the highest privilege level in Windows.

Phase 4: EDR Evasion

• The attacker locates and terminates EDR processes (e.g., CrowdStrike Falcon, SentinelOne, Microsoft Defender ATP).
• They manipulate kernel callbacks to prevent EDR from reloading.
• They disable PatchGuard (Microsoft’s kernel protection mechanism) to avoid detection.

Phase 5: Persistence and Payload Execution

• The attacker installs a rootkit for long-term access.
• They deploy ransomware (e.g., BlackByte, LockBit) or exfiltrate data (in the case of APT groups).

Tools Used in BYOVD Attacks

Tool	Purpose
Mimikatz	Credential dumping
SharpLoader	Loading drivers into the kernel
EDRKill	Disabling EDR processes
Cobalt Strike	Command and control (C2)
Process Hacker	Terminating security processes

---

How to Detect and Mitigate BYOVD Attacks in 2026

Given the stealthy nature of BYOVD attacks, detection and mitigation require a multi-layered approach. Here’s how organizations can defend themselves:

Detection Strategies

1. Monitor Driver Loading

   • Use Windows Event ID 6 (Driver Load) to track driver loading events.
   • Deploy Sysmon (System Monitor) and configure Event ID 6 to log driver loads.
   • Example Sysmon configuration:

     <Sysmon schemaversion="4.90">
       <EventFiltering>
         <DriverLoad onmatch="include">
           <Image condition="contains">RTCore64.sys</Image>
           <Image condition="contains">gdrv.sys</Image>
         </DriverLoad>
       </EventFiltering>
     </Sysmon>
     

2. Behavioral Analysis

   • Look for unusual kernel-mode activity, such as:
     • Unexpected process termination (e.g., EDR processes being killed).
     • Driver unloading events (attackers may unload drivers after use).
     • Kernel callback manipulation (e.g., disabling PsSetCreateProcessNotifyRoutine).

3. EDR/XDR Rules

   • Configure EDR/XDR tools to alert on:
     • Signed drivers with known vulnerabilities (e.g., RTCore64.sys).
     • Processes attempting to load drivers from unusual locations (e.g., %TEMP%).

4. Threat Hunting Queries

   • Use KQL (Kusto Query Language) in Microsoft Defender ATP or SentinelOne to hunt for suspicious drivers:

     DeviceEvents
     | where ActionType == "DriverLoad"
     | where FileName has_any ("RTCore64.sys", "gdrv.sys", "PROCEXP152.sys")
     | project Timestamp, DeviceName, FileName, SHA256
     

Mitigation Best Practices

1. Block Known Vulnerable Drivers

   • Use Microsoft’s Vulnerable Driver Blocklist (updated quarterly).
   • Deploy Windows Defender Application Control (WDAC) to block unsigned or vulnerable drivers.
   • Example WDAC policy to block RTCore64.sys:

     <Deny ID="ID_DENY_RTCore64" FriendlyName="Block RTCore64.sys">
       <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="RTCore64.sys">
         <BinaryVersionRange LowSection="0.0.0.0" HighSection="999.999.999.999" />
       </FilePublisherCondition>
     </Deny>
     

2. Enable Hypervisor-Protected Code Integrity (HVCI)

   • HVCI prevents unsigned drivers from loading, even if they are signed.
   • Enable it via Group Policy or PowerShell:

     Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1
     

3. Restrict Driver Installation

   • Apply least-privilege principles to limit who can install drivers.
   • Use Group Policy to restrict driver installation to administrators only:

     Computer Configuration → Administrative Templates → System → Driver Installation → "Prevent installation of devices not described by other policy settings" → Enabled
     

4. Vendor-Specific Defenses

   • CrowdStrike Falcon: Enable OverWatch for detecting driver abuse.
   • Microsoft Defender ATP: Use Attack Surface Reduction (ASR) rules to block suspicious drivers.
   • SentinelOne: Leverage Deep Visibility for kernel-level monitoring.

5. Regularly Update and Patch Drivers

   • Ensure all drivers are up-to-date and patched against known vulnerabilities.
   • Use Windows Update or vendor-specific tools (e.g., NVIDIA GeForce Experience) to keep drivers current.

---

The Future of BYOVD Attacks: What’s Next in 2026 and Beyond?

BYOVD attacks are not going away—in fact, they’re likely to become more sophisticated in the coming months. Here’s what to watch for:

1. AI-Powered Driver Exploitation

• Attackers are beginning to use machine learning to:
  • Automate the discovery of new vulnerable drivers.
  • Generate polymorphic malware that evades signature-based detection.
  • Optimize attack chains for maximum stealth.

2. Supply Chain Attacks on Drivers

• Instead of relying on publicly known vulnerable drivers, attackers may:
  • Compromise driver vendors to inject malicious code into legitimate updates.
  • Target open-source drivers (e.g., WinRing0.sys) to introduce backdoors.

3. BYOVD in Cloud and Virtualized Environments

• As more organizations move to the cloud, attackers are exploring:
  • BYOVD in virtual machines (VMs) to escape guest OS restrictions.
  • Exploiting hypervisor drivers (e.g., VMware, Hyper-V) for cross-VM attacks.

4. Increased Use of Living-Off-the-Land Drivers (LOLDrivers)

• Attackers are shifting from custom malware to abusing legitimate drivers already present on systems.
• Example: PROCEXP152.sys (from Process Explorer) is a prime target due to its widespread use.

5. Regulatory and Vendor Responses

• Microsoft is likely to tighten driver signing policies, making it harder for attackers to abuse signed drivers.
• Security vendors (e.g., CrowdStrike, SentinelOne) are developing kernel-level detection to counter BYOVD attacks.
• Governments may introduce new regulations requiring stricter driver validation.

---

How GhostShield VPN Can Help Mitigate BYOVD Risks

While BYOVD attacks primarily target on-premises and enterprise environments, the principles of defense-in-depth apply to all users. GhostShield VPN enhances your security posture by:

1. Encrypting Your Traffic

   • Even if an attacker gains access to your system via a BYOVD attack, GhostShield’s military-grade encryption (ChaCha20/Poly1305) ensures your data remains secure.

2. Preventing Initial Access

   • Many BYOVD attacks start with phishing or malware delivery. GhostShield’s DNS leak protection and kill switch help prevent accidental exposure of your real IP, reducing the risk of targeted attacks.

3. Bypassing Censorship and Geo-Restrictions

   • Some BYOVD attacks originate from malicious downloads on untrusted networks. GhostShield’s obfuscated servers help you access content safely, even in restrictive regions.

4. Protecting Against Lateral Movement

   • If an attacker compromises one device, GhostShield’s split tunneling can limit exposure by ensuring only selected traffic is routed through the VPN, reducing the attack surface.

---

Key Takeaways

• BYOVD attacks are surging in 2026, with attackers exploiting 35+ signed vulnerable drivers to bypass EDR tools.
• Top abused drivers include RTCore64.sys, gdrv.sys, PROCEXP152.sys, AsIO.sys, and WinRing0.sys.
• Attackers use BYOVD to disable EDR, escalate privileges, and establish persistence before deploying ransomware or exfiltrating data.
• Detection requires monitoring driver loading, behavioral analysis, and EDR/XDR rules.
• Mitigation strategies include blocking vulnerable drivers, enabling HVCI, restricting driver installation, and using vendor-specific defenses.
• The future of BYOVD attacks may involve AI-powered exploitation, supply chain attacks, and cloud-based threats.
• GhostShield VPN enhances security by encrypting traffic, preventing initial access, and protecting against lateral movement.

---

Final Thoughts

BYOVD attacks represent a significant evolution in cyber threats, blending legitimate software with malicious intent. As attackers continue to refine their techniques, organizations must adapt their defenses to stay ahead.

By monitoring driver activity, blocking known vulnerable drivers, and leveraging advanced EDR/XDR solutions, you can significantly reduce the risk of a BYOVD attack. And for everyday users, tools like GhostShield VPN provide an additional layer of protection in an increasingly dangerous digital landscape.

Stay vigilant, stay updated, and never underestimate the creativity of cybercriminals.