Security Articles

They Got In Through SonicWall. Then They Tried to Kill Every Security Tool

Released on 2026-02-04 at 08:22:35 PM
In early February 2026, an intrusion was detected in which threat actors used compromised SonicWall SSLVPN credentials for initial network access. The attackers deployed an EDR killer that used a legitimate but revoked EnCase forensic driver to terminate security processes from kernel mode. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), bypasses Windows Driver Signature Enforcement. The attack was halted before ransomware deployment, but it highlights the growing trend of weaponizing signed, legitimate drivers to disable endpoint security. The intrusion involved aggressive network reconnaissance, deployment of a sophisticated EDR killer carrying an encoded kernel driver payload, and attempts to establish persistence. The case underscores the importance of multi-factor authentication, VPN log monitoring, and implementing Microsoft's recommended driver block rules.
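Detection logic for the driver-load side of this technique, added here as an example that is not part of the article: it scans constructed Sysmon-style DriverLoad (Event ID 6) records in JSON-lines form and flags a driver whose signature status is not valid (for instance revoked, as in this case), whose SHA256 is on a blocklist, or which loads from outside the usual driver directories. The field names follow Sysmon Event ID 6; the sample records, hashes and blocklist entry are constructed placeholders.

```python
import json

# Constructed placeholder: in practice populate from Microsoft's recommended
# driver block list (SHA256 values); this entry matches a sample record below.
BLOCKLISTED_SHA256 = {"PLACEHOLDER_SHA256_OF_BLOCKLISTED_DRIVER"}
# Directories a legitimately installed driver is normally loaded from.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed sample records modelled on Sysmon Event ID 6 (DriverLoad) fields.
SAMPLE_LOG = r"""
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys", "Hashes": "SHA256=1111", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\forensic_legacy.sys", "Hashes": "SHA256=2222", "Signed": "true", "Signature": "Example Forensics Vendor", "SignatureStatus": "Revoked"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\vendor.sys", "Hashes": "MD5=3333,SHA256=placeholder_sha256_of_blocklisted_driver", "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

def parse_hashes(field):
    """'MD5=..,SHA256=..' -> {'MD5': '..', 'SHA256': '..'} (values upper-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out

def assess_driver_load(event):
    """Return the reasons a DriverLoad event looks like BYOVD (empty if none)."""
    if event.get("EventID") != 6:
        return []
    reasons = []
    status = str(event.get("SignatureStatus", "")).lower()
    if status != "valid":  # revoked, expired, unavailable, unsigned ...
        reasons.append(f"signature status {status or 'unknown'}")
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKLISTED_SHA256:
        reasons.append("sha256 on vulnerable-driver blocklist")
    if not event.get("ImageLoaded", "").lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the usual driver directories")
    return reasons

def scan(lines):
    """Map each suspicious driver path to its list of reasons."""
    findings = {}
    for line in filter(str.strip, lines):
        event = json.loads(line)
        reasons = assess_driver_load(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings
```

Running `scan(SAMPLE_LOG.splitlines())` flags the revoked driver loaded from a user-writable path and the blocklisted driver, while the Microsoft-signed disk driver and the non-driver event produce nothing.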