EDR Killers in 2026: The most common ways attackers neutralize endpoint security — and how to stop them
Publish date: 21 February 2026 | Category: Threat Intelligence / Defense Evasion / Endpoint Security | Tags: EDR, XDR, ransomware, defense evasion, BYOVD, Windows drivers, tamper protection, detection engineering
Executive summary: “EDR killers” are…
BYOVD in 2026: the signed-driver loophole powering EDR bypass at scale
Last updated: 21 February 2026 (Europe/London)
1. Executive Summary: Bring Your Own Vulnerable Driver (BYOVD) is a post-compromise technique where attackers load a legitimately signed (but vulnerable) kernel driver and…
APT29 (Cozy Bear / The Dukes / Midnight Blizzard) – Threat Actor Profile
APT29, also known as Cozy Bear, is a Russian hacker group believed to be affiliated with one or more Russian intelligence agencies. The group has been operating for the Russian…
APT28 (Fancy Bear / Sofacy / Sednit / Forest Blizzard) – Threat Actor Profile
1. Executive Summary: APT28 is a long-running Russian state-aligned cyber espionage actor widely attributed to the GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, active since at least…
APT31 (Violet Typhoon / ZIRCONIUM) – Threat Actor Profile
At-a-glance (Attribute / Assessment):
Primary tracking name: APT31 (widely used in government and industry reporting) (Department of Justice)
Notable aliases: Violet Typhoon / ZIRCONIUM (Microsoft), JUDGMENT PANDA (CrowdStrike) (Microsoft Learn)
Suspected…
Threat Actor Profile: Cl0p (CL0P) — Extortion-led Mass Compromise
1. Executive Summary: Cl0p (often written “CL0P”) is a financially motivated extortion operation best known for high-scale data theft campaigns that disproportionately impact organisations running internet-facing Managed File Transfer (MFT)…
Threat Actor Profile: LAPSUS$ (a.k.a. Microsoft “DEV-0537” / “Strawberry Tempest”)
1. Executive Summary: LAPSUS$ is an extortion-focused cybercriminal collective best known for high-tempo intrusions against large enterprises and service providers, frequently leveraging social engineering and identity compromise rather than exploiting…
UNC6201 Targets Dell RecoverPoint (CVE-2026-22769): Evolving Backdoors and Novel VMware Pivot Techniques
Mandiant and Google Threat Intelligence Group (GTIG) have released critical findings regarding UNC6201, a suspected PRC-nexus threat cluster. This group has been actively exploiting a Dell RecoverPoint for Virtual Machines…
CVE-2026-20841 — Windows Notepad (Store app) Markdown Link Handling Leads to Command Injection / Code Execution
1. Executive Summary: CVE-2026-20841 is a high-severity command injection flaw in the modern Windows Notepad (Microsoft Store) application that can result in arbitrary code execution in the context of the…
Microsoft February 2026 Patch Tuesday — key takeaways
Microsoft’s February 2026 Patch Tuesday shipped fixes for 58 vulnerabilities, including six zero-days confirmed as actively exploited and three publicly disclosed issues. Microsoft also fixed five “Critical” flaws in this…
