Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions
EDRSilencer was originally developed as a red team tool; this article documents the first observed cases of it being weaponized by real threat actors in the wild. The tool abuses the Windows Filtering Platform (WFP), a legitimate Windows networking framework, to silently block EDR telemetry from reaching its cloud console. By inserting WFP filters that drop the EDR agent's outbound traffic, attackers effectively blind security teams without triggering alerts or crashing the EDR process, so the endpoint appears healthy while reporting nothing. This research covers the technical mechanism, the affected EDR products, detection strategies based on ETW and kernel callbacks, and mitigation approaches. The article gained significant industry attention and was widely cited.
Related Research
Chaos Ransomware Leverages Advanced Anti-EDR Techniques
Thread analyzing the Chaos ransomware campaign leveraging malicious DLL sideloading and kernel-level driver deployment for broad defense evasion against EDR solutions.
Agenda Ransomware Adopts TrueSightKiller for EDR Evasion
Thread detailing how the Agenda ransomware group incorporated the open-source TrueSightKiller tool to disable antivirus and EDR systems via BYOVD techniques.
Proactive Security for CVE-2025-53770 and CVE-2025-53771 SharePoint Attacks
Provided proactive security analysis of CVE-2025-53770 and CVE-2025-53771 — SharePoint vulnerabilities enabling unauthenticated remote code execution.