Threats Tagged 'byovd'
View all threats tagged with 'byovd'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'byovd'
Click on any threat for detailed analysis and mitigation recommendations
GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses 0 GodDamn ransomware represents the third iteration of ransomware developed by Hyadina, following Monster (2022) and Beast (2024). A recent attack in June 2026 demonstrates sophisticated tactics including AnyDesk for remote access, NirSoft-based credential harvesting tools, and the PoisonX kernel driver for defense evasion. PoisonX is a malicious driver signed by Microsoft that terminates security processes at the kernel level. Attackers used PsExec for lateral movement, deployed comprehensive credential theft toolkits comprising 14 different tools, and disabled endpoint defenses before encrypting files. The encrypted files were renamed with victim organization names as extensions. The four-day dwell period allowed attackers to stage payloads and conduct reconnaissance before triggering encryption across at least 10 hosts within the targeted organization. Join the discussion | AlienVault OTX General | 07/09/2026, 12:53:27 UTC Added: 07/10/2026, 07:32:34 UTC |
Not very gentlemanly: Analyzing a zero-day exploit used to disable targets' EDRs 0 The Gentlemen ransomware group, which emerged in July 2025, employed a zero-day vulnerability in a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint detection and response systems. During an incident investigated in early April, the group leveraged an obscure third-party driver named ktapi.sys from Kontron to bypass security protections. The sophisticated exploit chains multiple advanced techniques to navigate Windows exploit mitigations, including bypassing Supervisor Mode Access Prevention and Supervisor Mode Execution Prevention. The toolkit enables the attackers to call privileged kernel mode functions from user mode processes, ultimately terminating EDR processes including Windows Defender, ESET, Palo Alto Cortex XDR, and SentinelOne. The vulnerability had no prior public documentation and was previously absent from vulnerable driver blocklists. Join the discussion | AlienVault OTX General | 06/30/2026, 16:35:05 UTC Added: 07/01/2026, 07:21:30 UTC |
The Gentlemen are knocking: сustom backdoors and evolving tactics 0 The Gentlemen ransomware-as-a-service group emerged as a top-10 threat actor in the first half of 2026. The group exploits vulnerabilities in internet-facing devices like VPNs and firewalls, potentially collaborating with initial access brokers. They employ comprehensive reconnaissance using tools like SharpADWS, NetScan, and Advanced IP Scanner, capturing network traffic with netsh. The attackers disable security products through BYOVD techniques using vulnerable drivers, and deploy custom Go-based backdoors and ransomware variants. They spread laterally via GPO deployment and PsExec, encrypt files using Curve25519 and XChaCha20, and recently developed a C-based ransomware variant using AES256-GCM and RSA. The group targets multiple industries worldwide, particularly in Brazil, China, Indonesia, Taiwan, and Thailand, with attacks focusing on manufacturing, IT services, healthcare, and financial sectors. Join the discussion | AlienVault OTX General | 06/29/2026, 11:01:00 UTC Added: 06/30/2026, 06:51:30 UTC |
Showing 1 to 3 of 3 results