New EDRStartupHinder Tool blocks antivirus and EDR services at startup on Windows 11 25H2 Defender


Marcus Rodriguez
January 12, 2026

This week, security researcher TwoSevenOneT unveiled EDRStartupHinder. The researcher is notable for creating other EDR evasion tools, including EDR-Freeze and EDR-Redir.

The tool blocks antivirus and EDR services at startup by redirecting critical System32 DLLs via Windows Bindlink, demonstrated on Windows Defender in Windows 11 25H2.

Antivirus and EDR services operate like standard Windows services but with enhanced protection from kernel drivers.

They run under SYSTEM privileges, auto-start on boot, and use Protected Process Light (PPL) to prevent user-mode tampering. Configuration changes in user mode fail, and processes resist modification without advanced techniques such as EDR-Freeze.

Bindlink Startup Disruption

Previous techniques, like EDR-Redir, redirected EDR folders post-startup, but vendors hardened against them. EDRStartupHinder preempts this by targeting System32, which is essential for all processes, including EDRs.

EDRStartupHinder Tool

Steps include creating a higher-priority service, Bindlinking a core DLL to an unsigned “corrupted” copy, leveraging PPL to crash the EDR on load failure, and cleaning up post-termination.

Service priority draws from BYOVD research, checking HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder. The DLL must avoid the KnownDLLs preload list, identifiable via Process Monitor.

Available on GitHub, EDRStartupHinder takes parameters: OriginalLib (System32 DLL), FakeLib (copy location), ServiceName/Group (priority), EDRProcess (target like MsMpEng.exe).

It corrupts the PE header signature on FakeLib, registers as a service, monitors for the EDR launch, and applies/removes the Bindlink dynamically. Users must research EDR-specific DLLs and groups using Process Explorer boot logs.

The demonstration ran on a lab Windows 11 25H2 system, targeting MsMpEng.exe (the Defender engine) and msvcp_win.dll (a DLL loaded at startup), with the TDI service group used for priority. Command: EDRStartupHinder.exe msvcp_win.dll C:\TMP\FakeLib DusmSVC-01 TDI MsMpEng.exe.

EDRStartupHinder startup

Post-reboot, the service activates first and redirects the DLL; the PPL-protected MsMpEng rejects the unsigned DLL and self-terminates.

Sysadmins should monitor bindlink.dll usage, suspicious services in high-priority groups, and System32 anomalies. Defense-in-depth includes expanding the KnownDLLs list, auditing signature enforcement, and minifilter logging. Vendors must harden DLL dependencies and startup sequencing.
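One way to turn the first two monitoring points into a routine check, as an added audit script that is not from the article or the EDRStartupHinder project: it lists user-mode services registered in early ServiceGroupOrder groups together with their Authenticode status, and lists processes that currently have bindlink.dll mapped. It assumes an elevated PowerShell session on Windows 11; the $EarlyGroupCount threshold is an illustrative value to tune per fleet.

```powershell
# Added audit script, not code from the article or the EDRStartupHinder project.
# Assumptions: elevated PowerShell on Windows 11; $EarlyGroupCount is an
# illustrative threshold for "loads early", tune it for your environment.
param([int]$EarlyGroupCount = 8)

$orderKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 'List' is a REG_MULTI_SZ of load-order groups, earliest first.
$earlyGroups = (Get-ItemProperty -Path $orderKey -Name List).List |
               Select-Object -First $EarlyGroupCount

# 1. User-mode services (Type 0x10 own-process / 0x20 shared-process) placed
#    in an early boot group are rare for legitimate software, so list each one.
$earlyServices = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $p.Group -or $earlyGroups -notcontains $p.Group) { continue }
    if (-not ($p.Type -band 0x30)) { continue }   # skip kernel/file-system drivers

    # ImagePath may be quoted and carry arguments; keep just the executable.
    $exe = $p.ImagePath -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }

    [pscustomobject]@{
        Service   = $key.PSChildName
        Group     = $p.Group
        ImagePath = $exe
        Signature = $sig          # anything other than 'Valid' deserves review
    }
}

# 2. Processes that currently have bindlink.dll mapped: bind links are rarely
#    used outside Windows components, so this list should be short and familiar.
$bindlinkHosts = foreach ($proc in Get-Process) {
    try {
        if ($proc.Modules.ModuleName -contains 'bindlink.dll') {
            [pscustomobject]@{ Pid = $proc.Id; Name = $proc.ProcessName }
        }
    } catch { }   # PPL processes refuse module enumeration; skip them
}

"== User-mode services in the first $EarlyGroupCount load-order groups =="
$earlyServices | Sort-Object Group, Service | Format-Table -AutoSize
"== Processes with bindlink.dll loaded =="
$bindlinkHosts | Format-Table -AutoSize
```

Run it on a known-good baseline first and diff later output against it; a new service name in an early group with an unsigned or missing image is the pattern this article describes.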

This technique underscores how built-in Windows mechanisms can be double-edged swords for red teams; the researcher reports it effective against Defender and unnamed commercial EDRs/AVs in lab testing.
