CrowdStrike evasion spotted in Ransomware‑ISAC
- Ransom‑ISAC disclosed an April 22, 2026 report on a Windows driver called `dragoncore_k.sys`, tying it to active CrowdStrike evasion and kernel‑level abuse.
- The driver carries a valid Microsoft WHQL signature, hashes to 1da4f7f0…91004, and was described as a 0‑day BYOVD path for PPL bypass.
- That matters because signed kernel drivers can blind or weaken EDR tools before ransomware or hands‑on intrusion activity becomes fully visible.
A Windows kernel driver is at the center of this one, and that matters because kernel access is where attackers can start turning security tools half-blind. Ransom‑ISAC's April 22, 2026 writeup says a driver named `dragoncore_k.sys` was being used as a bring-your-own-vulnerable-driver (BYOVD) route to neutralize protections including CrowdStrike. The basic problem is simple: if an attacker gets trusted code into the kernel, the attacker can tamper with the software that is supposed to catch them. That is the gap this report is pointing at. (ransom-isac.org)

### What is `dragoncore_k.sys`?

It is a Windows kernel-mode driver that Ransom‑ISAC says was signed by Zhengzhou 403 Network Technology Co., Ltd. and carries a valid Microsoft WHQL signature. The report lists the SHA‑256 hash as `1da4f7f001d239a54fab50eb7c3cbc985db392a3d4405e19c3a5d2035d591004` and describes the issue as a "0-day / BYOVD" vulnerability class. In plain English, Windows was willing to load it because it looked legitimate enough at the signing layer. (ransom-isac.org)

### Why does a signed driver matter so much?

Because Windows treats kernel drivers differently from normal user-space programs. Once code is running in the kernel, it has much deeper privileges and shares the kernel address space with the security sensor's own kernel components. CrowdStrike's own material has been making this point for years: attackers use vulnerable but legitimately signed drivers to perform privileged operations and bypass EDR anti-tamper protection. Basically, the signature gets them in the door, and the vulnerability does the damage. One caveat worth keeping in mind: loading a driver requires administrative rights, so BYOVD is a post-compromise technique. The attacker already has a foothold and is using it to remove the sensor's visibility before going further. (crowdstrike.com)

### What was Ransom‑ISAC actually claiming?

The report says `dragoncore_k.sys` enabled a Protected Process Light (PPL) bypass and "EDR neutralization." That is the key phrase here. PPL is one of the Windows mechanisms that shields sensitive security processes from tampering, including tampering by processes running as administrator or SYSTEM. If an attacker can get around that from the kernel, the endpoint product's own processes are exposed, which makes this more dangerous than a generic malware sample. It is an attempt to disarm the guard before the rest of the intrusion unfolds. (ransom-isac.org)

### Is this a new trick?

The trick is not new. The specific driver appears to be. BYOVD has been growing fast because it solves a hard attacker problem: how to get kernel privileges without writing an obviously malicious unsigned driver from scratch. CrowdStrike said in a December 2024 intrusion case that adversaries brought six vulnerable drivers in one operation. What is new here is the named driver, the claimed 0-day angle, and the attribution Ransom‑ISAC attached to it. (crowdstrike.com)

### Who did Ransom‑ISAC tie it to?

Ransom‑ISAC attributes the activity with high confidence to Dragon Breath, also tracked as APT‑Q‑27, and adds a medium-confidence link to an APT31/Wuhan Xiaoruizhi personnel nexus. That is a strong attribution claim, and it goes beyond "we saw a bad driver." It frames the driver as part of a broader intrusion ecosystem tied to a known China-linked threat cluster. Treat the attribution as the report's assessment; the driver name and hash are the parts you can check on your own hosts. (ransom-isac.org)

### Why does CrowdStrike specifically come up here?

Because EDR products live and die on visibility and tamper resistance. If the attacker reaches kernel space first, the attacker can interfere with the sensor's ability to observe behavior, protect its own processes, or stop follow-on actions. CrowdStrike has said newer Falcon sensor releases added protections against vulnerable driver abuse, precisely because driver abuse is one of the cleanest ways to attack the watchdog. (crowdstrike.com)

### What should defenders take from this?

Treat this as a driver trust problem, not just a malware IOC problem. Blocking the hash helps, but the bigger fix is making sure Microsoft's vulnerable driver blocklist, endpoint sensor protections, and telemetry around driver loads are actually turned on and current. Concretely: confirm the blocklist and memory integrity (HVCI) are enforced on every endpoint, collect driver-load events centrally (Sysmon Event ID 6 or the Code Integrity operational log), and alert on any driver load that is unsigned, newly seen in your estate, or matches a published hash. If your detections mostly start after user-mode malware runs, you are already late against this kind of intrusion. (ransom-isac.org)

### Bottom line?

This story is really about where the fight is moving. Attackers are not just trying to sneak past endpoint tools anymore; they are trying to reach into the kernel and weaken the tools first. `dragoncore_k.sys` matters because it is another reminder that "signed" does not mean "safe," and that the fastest way around EDR is often straight through the Windows driver stack. (ransom-isac.org)
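As an added example for the defenders' checklist in "What should defenders take from this?" (editorial code, not from the Ransom‑ISAC report or from CrowdStrike): a PowerShell triage script that checks whether Microsoft's vulnerable driver blocklist and memory integrity are enforced, hashes the drivers installed on the host against the SHA‑256 the report lists, flags drivers whose Authenticode chain does not validate, and pulls recent driver-load events from Sysmon (Event ID 6) when Sysmon is installed. It assumes an elevated session, the documented registry location for the blocklist switch, the standard Sysmon log name and event fields, and that the reported driver is identified by file name and hash only (the report gives no service name, so none is assumed).

```powershell
# Added triage script (editorial example, not from the Ransom-ISAC report or CrowdStrike).
# Run in an elevated PowerShell session. Only the hash and file name below come from the report.
$ReportedHash = '1da4f7f001d239a54fab50eb7c3cbc985db392a3d4405e19c3a5d2035d591004'
$ReportedName = 'dragoncore_k.sys'

# 1. Microsoft vulnerable driver blocklist: documented registry switch, 1 = enforced.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
Write-Output ("Vulnerable driver blocklist: {0}" -f $(if ($blocklist -eq 1) { 'enforced' } else { 'NOT enforced' }))

# 2. Memory integrity (HVCI): Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Write-Output ("HVCI: {0}" -f $(if ($dg.SecurityServicesRunning -contains 2) { 'running' } else { 'not running' }))

# 3. Hash every installed kernel driver and compare it with the reported IOC.
#    Also flag drivers whose Authenticode chain does not validate. A valid chain is not proof of
#    safety (that is the whole point of BYOVD), but an invalid one is always worth a look.
$findings = foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $d.PathName) { continue }
    # Win32_SystemDriver paths may carry a \??\ or \SystemRoot\ prefix; normalise to a file-system path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $hit = ($sha -eq $ReportedHash) -or ([IO.Path]::GetFileName($path) -ieq $ReportedName)
    if ($hit -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Driver    = $d.Name
            Path      = $path
            State     = $d.State
            SHA256    = $sha
            Signature = $sig.Status
            Reason    = $(if ($hit) { 'matches reported driver' } else { 'signature not valid' })
        }
    }
}
$findings | Format-Table -AutoSize

# 4. Driver-load telemetry: Sysmon Event ID 6 (DriverLoad) records ImageLoaded, Hashes and Signed.
#    Surface loads of the reported driver, loads matching its hash, and anything recorded as unsigned.
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 6 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $data.ImageLoaded; Signed = $data.Signed; Signature = $data.Signature; Hashes = $data.Hashes }
        } |
        Where-Object { $_.Image -like "*\$ReportedName" -or $_.Hashes -like "*$ReportedHash*" -or $_.Signed -ne 'true' } |
        Format-Table -AutoSize
} else {
    Write-Warning "Sysmon operational log not present: this host has no driver-load telemetry to check."
}
```

Two limits to keep in mind when reading the output. `Get-AuthenticodeSignature` validates the certificate chain on the local machine and says nothing about whether a driver is on Microsoft's blocklist, and the registry check tells you whether the blocklist is enforced, not whether this particular driver is on it. A clean run therefore means "nothing obvious on this host", not "nothing there", which is exactly why the driver-load telemetry in step 4 needs to be shipped off the endpoint rather than inspected only after the fact.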