Advanced Persistent Threat (APT) groups continue to improve their tactics to bypass or disable Endpoint Detection and Response (EDR) solutions. These groups use more advanced techniques, like direct system calls, process injection, kernel tampering, and BYOVD (Bring Your Own Vulnerable Driver) attacks, to evade detection. As security vendors enhance EDR capabilities, attackers are finding new ways to work around them, creating ongoing challenges for defenders.
APT Groups Focused on EDR Bypass and Disabling Protections
1. FIN7 (Carbanak Group) – Leveraging BYOVD Techniques
FIN7 is a financially motivated APT group that uses the BYOVD technique to disable EDR protections before carrying out its attacks. It uses tools such as AuKill to abuse outdated drivers, gaining kernel-level access to the system and using that access to disable security tools such as EDR agents.
How They Do It:
- Exploiting Vulnerable Drivers:
FIN7 uses signed but vulnerable drivers (like RTCore32.sys and RTCore64.sys) to gain access to the kernel and disable security tools.
- Modifying Kernel Structures:
They manipulate kernel structures to hide malicious processes and evade detection.
Attack Flow:
- Deploying Ransomware Payloads:
Once defences are disabled, FIN7 deploys ransomware or steals credentials undetected.
Recent Activity:
- Q1 2025: FIN7 started targeting telecommunications and financial services and shifted to hybrid extortion (data theft + ransomware).
2. RansomHub – Abusing Legitimate Security Tools
RansomHub is a growing ransomware group that uses legitimate security tools to bypass EDR and antivirus software.
How They Do It:
- Weaponising TDSSKiller for EDR Termination:
They use TDSSKiller, a legitimate rootkit-removal utility, to terminate EDR and antivirus processes rather than for its intended purpose of removing malicious drivers.
Attack Flow:
- Running TDSSKiller in Debug Mode:
This mode allows attackers to disable EDR processes without triggering alarms.
- Exploiting Admin Privileges:
Once admin access is obtained, attackers use TDSSKiller to disable security mechanisms without introducing malware artefacts of their own.
- Advanced Process Injection Techniques:
RansomHub uses methods such as DLL Injection and Process Hollowing to hide its payloads within trusted processes, making detection harder.
Techniques Used:
- DLL Injection
- Process Hollowing
- Thread Execution Hijacking
- Code Obfuscation:
  - Uses polymorphic techniques and encryption to evade static and dynamic analysis.
  - Polymorphic Malware: self-modifying code that changes its structure with each execution to evade signature-based detection.
  - Encrypted Payloads: malicious binaries encrypted with AES-256 and decrypted only in memory to avoid static detection.
Recent Activity:
- Mid-2024 to 2025: RansomHub shifted to targeting supply chain vendors and using compromised software updates to spread ransomware.
3. UNC3944 – Leveraging Living-Off-the-Land (LOLBAS) Techniques
UNC3944 uses legitimate system tools to execute malicious payloads, maintaining persistence and moving laterally within networks while avoiding detection.
Tactics Used:
Abusing System Tools for Execution and Lateral Movement
UNC3944 weaponises legitimate Windows utilities to run malicious payloads, establish persistence, and move laterally within networks, all while evading detection.
How They Do It:
- PowerShell Abuse:
UNC3944 runs obfuscated scripts to download malicious payloads and make changes to system settings.
- WMI for Remote Execution:
They use Windows Management Instrumentation (WMI) to run processes remotely without leaving traces on disk.
- Reflective DLL Injection:
This technique allows UNC3944 to load malicious code directly into memory, bypassing disk-based detection.
Reflective DLL Injection for Memory-Resident Malware
To avoid creating disk-based artifacts, UNC3944 uses Reflective DLL Injection, allowing them to load malicious DLLs directly into memory.
Inline Syscall Obfuscation to Evade EDR Detection
UNC3944 employs inline syscall obfuscation, issuing system calls directly from its own code with the call stubs disguised, so that the user-mode API hooks placed by EDR solutions are never reached and execution stays stealthy.
Recent Activity:
- Late 2024 to 2025: UNC3944 started targeting cloud service providers and manipulating identity-based access systems.
4. Lazarus Group – Advanced Hooking and Kernel Exploits
Lazarus Group, a North Korean-backed APT, continues refining its techniques for evading detection. They target high-value industries, often using fileless malware that operates entirely in memory.
How They Do It:
- IAT Hooking for Stealthy API Redirection:
Lazarus intercepts API calls made through a process's Import Address Table to hide malicious behaviour from security tools.
- Bypassing Kernel Patch Protection (KPP):
Lazarus uses vulnerable drivers to bypass KPP and disable security protections at the kernel level.
Steps in the Attack:
- Identifying the Target Process:
The malware enumerates processes using EnumProcesses() or NtQuerySystemInformation() to locate security tools or cryptocurrency wallets.
- Modifying the Import Address Table (IAT):
The attack manipulates the IAT of the targeted process by:
- Retrieving function addresses via GetProcAddress().
- Replacing the original API function pointer with a pointer to a malicious function.
- Redirecting API Calls to Malicious Functions:
Instead of executing legitimate system calls, the hooked function:
- Hides malicious files from forensic tools.
- Redirects authentication requests to Lazarus-controlled endpoints.
- Interferes with security monitoring tools by injecting false data.
- Maintaining Persistence:
By hooking the APIs that logging and monitoring rely on (such as NtWriteFile and NtOpenProcess), Lazarus ensures its activities remain undetected by SIEM and EDR solutions.
Bypassing Kernel Patch Protection (KPP) for EDR Evasion
Kernel Patch Protection (KPP), also known as PatchGuard, prevents unauthorised modifications to Windows kernel structures. Lazarus Group has developed custom exploits to bypass KPP, allowing them to disable security mechanisms at the kernel level.
Steps in the Attack:
- Escalating Privileges via Exploiting Vulnerable Drivers:
Lazarus loads a vulnerable driver, such as the Zemana AntiMalware driver, to gain access to the kernel.
- Disabling KPP:
They modify critical kernel structures to bypass PatchGuard, allowing them to tamper with security drivers and inject rootkits.
- Persistence via Bootkits:
Lazarus implants bootkits that execute before Windows loads, ensuring persistence even after reboots.
Polyglot Malware for Signature Evasion
Lazarus uses polyglot malware that hides malicious code within encrypted payloads, evading detection by traditional security tools.
How It Works:
- Encoding and Packing Malware Payloads:
Lazarus encrypts the payload with AES-256 and hides it in benign file formats like PDFs or images.
- Multiple Code Layers:
The malware shifts execution between multiple code formats, making it harder to detect.
- Polymorphic Adaptation:
The malware dynamically rewrites itself to ensure each variant has a unique signature.
AI-Powered Malware for Real-Time Evasion
Lazarus integrates machine learning (ML) into their malware, enabling it to adapt to its environment and evade detection in real-time.
Steps in AI-Powered Malware Execution:
- Environmental Awareness:
The malware detects virtual machines, short uptimes (sandboxes), and the presence of analysis tools.
- Self-Modifying Code:
The malware alters its execution flow, encrypts functions on the fly, and delays execution to avoid detection.
- Adaptive Payload Execution:
AI-driven decision trees help the malware choose between executing ransomware, spyware, or credential theft based on the infected system’s profile.
- Behaviour-Based Detection Evasion:
If the malware detects EDR, it switches execution methods to bypass behavioural analysis.
Recent Activity:
- 2025: Lazarus targeted cryptocurrency exchanges and defence contractors using fileless malware that injects directly into memory to evade forensic analysis.
Defensive Strategies Against Advanced EDR Evasion
To combat these advanced evasion techniques, defenders need proactive defence mechanisms:
- Kernel-Level Monitoring:
Use Sysmon and EDR solutions with kernel telemetry to detect unauthorised driver loads and API modifications.
- Driver Allow-Listing:
Ensure only trusted, signed drivers are allowed, and block known vulnerable drivers.
- Endpoint Behaviour Analytics (EBA):
Look for unusual behaviour in process execution chains, such as unexpected parent-child relationships.
- Threat Intelligence Integration:
Use automated threat intelligence feeds to proactively block APT-related Indicators of Compromise (IOCs).
- Multi-Layered Defence Strategy:
Implement a zero-trust security model with strict access controls, network segmentation, and regular red-teaming exercises.
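As an added defender-side example (not code from this article or from any vendor), the following Python script runs simple detection rules over constructed Sysmon-style driver-load and process-creation records: it flags the vulnerable driver names cited above (RTCore32.sys, RTCore64.sys), unsigned or oddly located drivers, and the Office-to-shell and WMI-to-shell parent/child chains that the PowerShell and WMI abuse sections describe. Field names follow Sysmon Event ID 6 and Event ID 1; the sample events and the suspicious-chain table are assumptions made for illustration.

```python
# Constructed Sysmon-style events (EventID 6 = driver load, 1 = process create).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\RTCore64.sys",
     "Signed": "true", "Signature": "Micro-Star Int'l Co. Ltd."},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Driver names the article cites as abused by BYOVD tooling; production rules
# would key on hashes from a maintained vulnerable-driver list instead.
VULNERABLE_DRIVERS = {"rtcore32.sys", "rtcore64.sys"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Parent -> child pairs that are rarely legitimate (assumed table for the example).
SUSPICIOUS_CHAINS = {
    "winword.exe": {"powershell.exe", "cmd.exe", "wscript.exe"},
    "wmiprvse.exe": {"powershell.exe", "cmd.exe"},
}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_driver_load(ev: dict) -> list:
    """EventID 6 rules: known vulnerable driver, unsigned driver, unusual path."""
    path, name, hits = ev["ImageLoaded"], basename(ev["ImageLoaded"]), []
    if name in VULNERABLE_DRIVERS:
        hits.append(("byovd_known_driver", name))
    if ev.get("Signed", "false").lower() != "true":
        hits.append(("driver_unsigned", name))
    if not path.lower().startswith(DRIVER_DIR):
        hits.append(("driver_nonstandard_path", path))
    return hits

def check_process_create(ev: dict) -> list:
    """EventID 1 rule: child process whose parent rarely spawns it legitimately."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if child in SUSPICIOUS_CHAINS.get(parent, set()):
        return [("suspicious_parent_child", f"{parent} -> {child}")]
    return []

def analyze(events: list) -> list:
    """Route each event to the rule set for its EventID and collect all findings."""
    rules = {6: check_driver_load, 1: check_process_create}
    return [hit for ev in events for hit in rules.get(ev["EventID"], lambda _: [])(ev)]
```

Running `analyze(SAMPLE_EVENTS)` yields four findings: the RTCore64.sys load is flagged twice (known vulnerable name and non-standard path), and the two shell spawns are flagged once each, while the tcpip.sys and notepad.exe events produce nothing.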
Anticipated APT Trends for 2025
Looking ahead, security researchers predict the following trends in APT techniques:
- AI-Powered Malware:
Attackers will increasingly use machine learning-based polymorphic malware that adapts to its environment to evade detection.
- Cloud EDR Bypass:
APTs will target cloud-native security solutions, manipulating identities and APIs to avoid detection.
- Supply Chain Infiltration:
APT groups may hide malicious code in software updates, bypassing traditional security measures.
- Self-Erasing Malware:
Malware may erase itself after execution, leaving no trace for forensic analysis.
- Exploiting Hardware-Level Vulnerabilities:
Attacks may move beyond software, targeting vulnerabilities in firmware, BIOS, and microcode.
As APT groups refine EDR bypass techniques, defenders must adopt AI-driven detection, behavioural monitoring, and kernel-level protections. Signature-based defences alone are insufficient. Organisations need proactive security and continuous adaptation to stay ahead in the evolving 2025 threat landscape.
CybaVerse’s expert cyber security team can help businesses strengthen their endpoint protection, detect advanced evasion techniques, and respond quickly to emerging threats. If you'd like to speak to a member of our team about your cyber security strategy and how to strengthen it, contact us today and someone will be in touch.