// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-10DTG 0600Z
ColdRecon / Competitor Intel / BitDefender
Endpoint Security Vendor

BitDefender

10 PUBLIC SECURITY EVENTS ON FILE · 2023-06-01 — 2025-12-07

Publicly-known security events concerning BitDefender — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What BitDefender sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

BitDefender competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 7 research pocs · 2 incidents · 1 vuln disclosure.

2025-12-07
research poc
CLR-Unhook Tool Restores Original nLoadImage to Bypass EDR .NET Assembly ScanningCLR-Unhook
A new proof-of-concept tool named CLR-Unhook removes security product hooks from the nLoadImage function in clr.dll, restoring the original CLR behavior. This allows in-memory .NET assembly loads via Assembly.Load(byte[]) to execute without EDR inspection or scanning, bypassing products like CrowdStrike, Bitdefender, and SentinelOne.
2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
2025-05-30
incident
Conti Ransomware Gang Leaks Internal EDR Evasion Tier ListConti EDR Tier List Leak
The Conti ransomware group leaked an internal ranking of endpoint detection and response (EDR) products based on their ease of bypass during real-world attacks. The list places Microsoft Defender for Endpoint, McAfee, and Webroot in the lowest tier, while CrowdStrike is ranked highest. The leak highlights that even top-tier EDRs can be evaded, especially when poorly configured, and underscores the importance of defense-in-depth and proper security tool configuration.
2024-11-26
research poc
SEGRUN: Userland Unhooking via Exception Handlers to Bypass EDRSEGRUN
A new technique called SEGRUN uses exception handlers to bypass userland EDR hooks by corrupting the EDR DLL's memory permissions, triggering exceptions on trampoline access, and redirecting execution via ROP to skip monitoring code. This allows evasion of endpoint detection without disrupting the target process.
2024-06-26
research poc
Signature-Based EDR Bypass Using XOR-Encrypted Shellcode in GoXOR-Encrypted Shellcode Loader
A red team article demonstrates bypassing signature-based detection in Windows Defender and Bitdefender by encrypting Meterpreter shellcode with XOR and executing it via a custom Go loader. The technique evades static signatures by obfuscating the payload, allowing execution on a live system. This highlights a common evasion method that relies on the absence of runtime behavioral detection.
2024-05-26
research poc
BOAZ Multilayered AV/EDR Evasion Framework ReleasedBOAZ
BOAZ is a modular evasion framework that combines signature, heuristic, and behavioral bypass techniques to generate undetectable payloads. It was tested against 14 desktop AVs and 7 EDRs, including Sophos, Windows Defender, and ESET. The tool serves as both an evasion testing utility and a packer/obfuscator for researchers.
2024-05-08
research poc
Dirty Vanity EDR Bypass Technique Published as Proof-of-ConceptDirty Vanity
A proof-of-concept repository named DV_NEW combines multiple evasion techniques under the name Dirty Vanity to bypass endpoint detection and response (EDR) systems. It uses direct syscalls, dynamic syscall number resolution, and an egg-hunting technique to patch syscall instructions at runtime, evading user-mode hooks and static analysis. The author claims successful bypass of Bitdefender and Microsoft Defender for Endpoint.
2024-04-09
vuln disclosure
CVE-2024-2224: Bitdefender Endpoint Security UpdateServer Path Traversal RCECVE-2024-2224
CVE-2024-2224 is a critical path traversal vulnerability in the UpdateServer component of Bitdefender GravityZone. It allows remote unauthenticated attackers to execute arbitrary code on affected endpoint security products and the on-premises management console. The flaw stems from insufficient validation of file path inputs, enabling attackers to write malicious files outside restricted directories.
2024-03-22
research poc
HookChain EDR Evasion Framework ReleasedHookChain
A new open-source evasion framework named HookChain has been published, designed to bypass Endpoint Detection and Response (EDR) solutions. It uses IAT hooking, dynamic system service number resolution, and indirect system calls to hide malicious payloads. The tool claims to evade detection by several major EDR products.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

BitDefender ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →