Hackers Exploit SonicWall SSLVPN Credentials to Deploy EDR Killer and Bypass Security


EDR Killer Via SonicWall SSLVPN

Threat actors are actively leveraging compromised SonicWall SSLVPN credentials to breach networks and deploy a sophisticated “EDR killer” that can blind endpoint security solutions.

In a campaign analyzed by Huntress in early February 2026, attackers utilized valid VPN accounts to gain initial access before executing a Bring Your Own Vulnerable Driver (BYOVD) attack using a revoked Guidance Software (EnCase) forensic driver.

This technique allows them to terminate critical security processes from the kernel level, effectively bypassing standard protections.

The intrusion began with the threat actor authenticating to a SonicWall SSLVPN using compromised but valid credentials, bypassing the need for brute-force attacks.

Huntress identified the successful login originating from the malicious IP address 69.10.60[.]250. Just one minute earlier, logs captured a failed portal login attempt from a different IP, 193.160.216[.]221, where the account lacked sufficient privileges.

Once inside the network, the attacker immediately initiated aggressive reconnaissance. SonicWall IPS alerts recorded high-volume activity, including ICMP ping sweeps and NetBIOS probes.


The attacker also triggered SYN flood behavior, generating traffic exceeding 370 SYNs/second as they mapped the internal environment.

The EDR Killer Payload

The core of the attack involved a 64-bit Windows executable designed to deploy a malicious kernel driver. To evade static analysis, the malware authors implemented a custom encoding scheme that concealed the driver payload using a wordlist substitution cipher.

Instead of standard encryption, the binary used a 256-word dictionary where English words represented specific byte values, for instance, “about” decoding to 0x00 and “block” to 0x4D.

When executed, the malware decodes this “text” back into a valid Windows PE file and drops it to C:\ProgramData\OEMFirmware\OemHwUpd.sys.

The malware then applies anti-forensic techniques, such as “timestomping,” by copying timestamps from the legitimate ntdll.dll to the malicious driver to blend in with system files. The payload registers itself as a kernel service named “OEM Hardware HAL Service” to ensure persistence across reboots.

The attack relies on a known gap in Windows Driver Signature Enforcement (DSE). The deployed driver is a legitimate component of Guidance Software’s EnCase forensic suite (EnPortv.sys), signed with a certificate that expired in 2010 and was subsequently revoked.

Despite the revocation, Windows loads the driver because the kernel primarily validates the cryptographic integrity of the signature rather than checking the Certificate Revocation List (CRL) during boot.

Because the driver was timestamped by a trusted authority before the certificate expired, it meets Microsoft’s legacy exception for drivers signed prior to July 29, 2015. This allows the attacker to load the driver successfully and expose an IOCTL interface (0x223078) to user-mode processes.

Once loaded into the kernel, the driver grants the attacker the ability to terminate processes protected by mechanisms like Protected Process Light (PPL). The malware targets a hardcoded list of 59 processes associated with major security vendors, including Microsoft Defender, CrowdStrike, SentinelOne, and Carbon Black.

The kill loop runs continuously with a one-second sleep interval to ensure that any restarting security services are immediately terminated again.
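A host-side hunt for the driver pattern described above, added here as an example (it is not Huntress's tooling or code from the report): it lists kernel services whose binary sits under ProgramData, whose signer certificate expired before the 2015 cutoff, whose signature fails to verify, or whose file times mirror ntdll.dll. It assumes Windows PowerShell 5.1 or later with local administrator rights; the output fields and path normalisation are assumptions.

```powershell
# Added example, not code from the report. Flags kernel drivers matching the BYOVD
# pattern described above: dropped under ProgramData, signed with a certificate that
# expired before Microsoft's 29 July 2015 legacy-signing cutoff, failing signature
# verification, or carrying file times copied from ntdll.dll (timestomping).
$Cutoff = [datetime]'2015-07-29'
$Ntdll  = Get-Item -LiteralPath "$env:SystemRoot\System32\ntdll.dll"

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be quoted or use kernel-style prefixes (assumed forms)
    $p = $PathName.Trim('"', ' ')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousKernelDrivers {
    foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $svc.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $file = Get-Item -LiteralPath $path
        # Note: Get-AuthenticodeSignature does not consult a CRL, so a timestamped
        # signature from a revoked certificate can still report Valid; the expiry
        # check below is therefore kept separate from the status check.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $reasons = New-Object System.Collections.Generic.List[string]
        if ($path -like "$env:ProgramData\*") { $reasons.Add('binary under ProgramData') }
        if ($sig.Status -ne 'Valid') { $reasons.Add("signature status: $($sig.Status)") }
        $cert = $sig.SignerCertificate
        if ($cert -and $cert.NotAfter -lt $Cutoff) {
            $reasons.Add("signer cert expired $($cert.NotAfter.ToString('yyyy-MM-dd')), pre-2015 legacy exception")
        }
        # Timestomping: a copied timestamp matches ntdll.dll exactly
        if ($file.CreationTimeUtc -eq $Ntdll.CreationTimeUtc -or
            $file.LastWriteTimeUtc -eq $Ntdll.LastWriteTimeUtc) {
            $reasons.Add('file times identical to ntdll.dll')
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                Path        = $path
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousKernelDrivers | Format-Table -AutoSize -Wrap
```

Older legitimately signed third-party drivers will also trip the expiry check, so treat the output as a review list rather than a verdict; a ProgramData path combined with ntdll-matching timestamps is the combination to escalate.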

| Type | Value | Description |
|---|---|---|
| File Path | C:\ProgramData\OEMFirmware\OemHwUpd.sys | Location where the malicious driver is dropped |
| Service Name | OemHwUpd | Kernel service created for persistence |
| Service Display Name | OEM Hardware HAL Service | Disguised service name to blend with legitimate tools |
| IPv4 Address | 69.10.60[.]250 | Source IP for successful VPN authentication |
| IPv4 Address | 193.160.216[.]221 | Source IP for failed portal login attempt |
| SHA-256 | 3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0 | Vulnerable EnCase forensic driver (OemHwUpd.sys) |
| SHA-256 | 6a6aaeed4a6bbe82a08d197f5d40c2592a461175f181e0440e0ff45d5fb60939 | EDR killer binary masquerading as svchost.exe |
