incident
Threat Actors Exploit Checkpoint ZoneAlarm Driver in BYOVD Attack to Bypass Windows SecurityBYOVD via Checkpoint vsdatant.sys
Attackers used a vulnerable Checkpoint ZoneAlarm driver (vsdatant.sys) in a Bring Your Own Vulnerable Driver (BYOVD) attack to gain kernel-level privileges, bypass Windows Memory Integrity, and disable endpoint security. The driver's valid digital signature allowed it to evade detection by EDR solutions. The attack enabled persistent RDP access and credential theft.