// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-10DTG 0600Z
Endpoint Security Vendor

Kaspersky

10 PUBLIC SECURITY EVENTS ON FILE · 2023-06-01 — 2026-04-14

Publicly-known security events concerning Kaspersky — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What Kaspersky sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

Kaspersky competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 5 incidents · 2 research pocs · 3 vuln disclosures.

2026-04-14
incident
JDownloader Supply-Chain Attack Deploys r77 Rootkit and WDAC Policy to Disable AntivirusJDownloader Supply-Chain Attack with r77 Rootkit and WDAC Policy
Attackers compromised the official JDownloader website and replaced download links with trojanized installers. The malicious installer deploys a Python bot, an r77 rootkit, and a WDAC policy that blocks 50 security executables from running, effectively killing antivirus protection. The attack uses dead-drop resolvers for resilient C2 communication.
2026-03-24
incident
HwAudKiller BYOVD Campaign Exploits Huawei Audio Driver to Terminate EDR ProcessesHwAudKiller
A malvertising campaign since January 2026 uses fraudulent Google ads to deliver a kernel-mode EDR terminator named HwAudKiller. It exploits a previously undocumented vulnerability in the signed Huawei driver HWAuidoOs2Ec.sys to terminate 23 security products from ring-0, bypassing user-mode protections. The campaign has compromised over 60 victims, enabling credential theft and lateral movement.
2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
2025-01-07
research poc
Nyx-BlindEdr: Proof-of-Concept EDR Blinding Tool ReleasedBlindEdr
A new open-source tool named Nyx-BlindEdr has been published on GitHub, designed to blind Endpoint Detection and Response (EDR) systems by clearing kernel callbacks. The project is intended for educational purposes and demonstrates a technique to disable security product functionality on Windows.
2024-07-17
incident
Fin7's AvNeutralizer Tool Enables EDR Tampering for Ransomware GangsAvNeutralizer
SentinelOne reports that the Fin7 threat group has developed and sold a custom tool called AvNeutralizer (aka AuKill) that tampers with endpoint detection and response (EDR) solutions. The tool has been used by multiple ransomware gangs, including AvosLocker, MedusaLocker, BlackCat, and LockBit, since early 2023. AvNeutralizer leverages a previously unseen technique using the Windows TTD monitor driver ProcLaunchMon.sys and a hardened process explorer driver to cause a denial-of-service condition on affected security products.
2024-04-22
vuln disclosure
Microsoft Defender and Kaspersky EDR File Deletion Vulnerabilities DisclosedCVE-2023-24860
SafeBreach researchers disclosed vulnerabilities in Microsoft Defender and Kaspersky EDR that allow attackers to remotely delete legitimate files by inserting malware byte signatures into them, causing false-positive detections. Microsoft issued patches (CVE-2023-24860, CVE-2023-3601) but initial fixes were bypassed, while Kaspersky acknowledged the issue as a design limitation. The flaws highlight risks in signature-based detection and the difficulty of fully mitigating such design-level weaknesses.
2023-10-18
incident
MATA Malware Framework Exploits EDR in Attacks on Defense FirmsMATA EDR Exploitation
Between August 2022 and May 2023, an updated MATA backdoor framework targeted defense and oil/gas firms in Eastern Europe via spear-phishing. Attackers gained access to endpoint security admin panels and used them to surveil infrastructure and distribute malware. They bypassed EDR using a public exploit for CVE-2021-40449 (CallbackHell) and BYOVD techniques.
2023-09-13
vuln disclosure
ALPC Port Blocking Vulnerability Affects Multiple Windows EDR AgentsCVE-2023-3280
A denial-of-service vulnerability in multiple Windows EDR products allows a low-privileged user to permanently disable the agent after a reboot by preemptively registering an ALPC port name used by the EDR. The affected EDRs fail to handle the case where the port is already in use, causing user-mode components to crash or become non-functional. Kernel components remain running but lose detection/blocking capabilities in most cases.
2023-08-11
vuln disclosure
Researchers Uncover Remote File Deletion Vulnerabilities in Multiple EDR ProductsEDR Remote File Deletion via Malicious Signature Injection
SafeBreach Labs researchers discovered vulnerabilities in several EDR products that allow remote deletion of critical files and databases without authentication. By inserting minimal malicious signatures into files like web server logs, attackers can trick EDRs into automatically deleting the file, leading to data loss and denial of service. The research was presented at Black Hat USA 2023.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

Kaspersky ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →