216.73.217.64

Not very gentlemanly: Analyzing a zero-day exploit used to disable targets' EDRs

· Published 30/06/2026 18:35

Export JSON

Essential information

Published
30/06/2026 18:35
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
byovd edr killer endpoint protection bypass kernel exploit kontron driver ktapi.sys ransomware the gentlemen zero-day
Related entities
3 indicators, 1 intrusion sets (apt), 18 techniques (mitre)

Description

group, which emerged in July 2025, employed a vulnerability in a bring-your-own-vulnerable-driver () attack to disable endpoint detection and response systems. During an incident investigated in early April, the group leveraged an obscure third-party driver named ktapi.sys from Kontron to bypass security protections. The sophisticated exploit chains multiple advanced techniques to navigate Windows exploit mitigations, including bypassing Supervisor Mode Access Prevention and Supervisor Mode Execution Prevention. The toolkit enables the attackers to call privileged kernel mode functions from user mode processes, ultimately terminating EDR processes including Windows Defender, ESET, Palo Alto Cortex XDR, and SentinelOne. The vulnerability had no prior public documentation and was previously absent from vulnerable driver blocklists.

External references