Unit 42 investigated an extortion attempt where threat actors tested an AV/EDR bypass tool on rogue systems with Cortex XDR installed. The actors purchased network access via Atera RMM and used a BYOVD technique for the bypass tool. Researchers gained visibility into the actors' systems, uncovering tools, files, and identifying information. The bypass tool was traced to cybercrime forum posts by user KernelMode. Analysis revealed connections to Conti ransomware training materials and overlaps with known TTPs. A Kazakh company and individual were linked to the activity through exposed documents and video artifacts. The incident highlights the growing trend of AV/EDR bypass tools and the monetization of such capabilities in cybercrime forums.