EDR-Freeze: A New Attack Freezes Security Tools, and Why Preemptive Protection Is the Answer
A newly released proof-of-concept attack called EDR-Freeze is raising alarms in the cybersecurity community, and rightly so.
Unlike traditional EDR evasion techniques that rely on terminating or uninstalling endpoint defenses (usually triggering alerts), EDR-Freeze takes a stealthier, more subversive approach: it freezes security software in a suspended state using legitimate Windows components.
The result? Security agents appear to be running, but they're silently disabled, leaving systems wide open to ransomware, data theft, and further infiltration.
How EDR-Freeze Works: A "Coma" State for Your EDR
First revealed by security researcher Zero Salarium, the EDR-Freeze tool abuses the Windows Error Reporting (WER) subsystem and the MiniDumpWriteDump API.
Here's what makes it so dangerous:
- It requires no vulnerable kernel drivers. Unlike bring-your-own-vulnerable-driver (BYOVD) techniques, this attack operates fully in user mode.
- It leverages legitimate OS behavior to suspend all threads of the target process (such as an EDR or antivirus engine) during a memory dump operation.
- It then suspends the dumper itself, preventing the EDR from ever resuming.
In effect, the EDR is left in a "frozen" state: unresponsive, invisible to its own monitoring tools, and entirely ineffective. Meanwhile, attackers are free to execute payloads, encrypt data, or exfiltrate sensitive information without triggering alarms.
As confirmed by BleepingComputer, the technique works on Windows 11 and successfully disables Windows Defender in its current implementation.
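As an added illustration of the defender's side (example code, not from the article or from Morphisec): a small detection rule that flags a Windows Error Reporting dump component being launched with a protected security process's PID on its command line, and notes whether the dumper was spawned by something other than the WER service itself. The process names (MsMpEng.exe for Windows Defender, WerFault.exe/WerFaultSecure.exe as the WER dumpers), the PIDs and the event records are constructed assumptions for this example.

```python
import re
from collections import namedtuple

# Constructed inventory of security-agent processes to watch (names assumed;
# MsMpEng.exe is the Windows Defender engine the article says EDR-Freeze disables).
PROTECTED_PROCESSES = {4120: "MsMpEng.exe", 5312: "edr_agent.exe"}
# WER components that write process dumps, and the parents WER normally
# launches them from (both sets are assumptions for this example).
WER_DUMPERS = {"werfault.exe", "werfaultsecure.exe"}
EXPECTED_WER_PARENTS = {"svchost.exe", "wermgr.exe"}

# Minimal process-creation record, modelled on a Sysmon Event ID 1.
ProcEvent = namedtuple("ProcEvent", "pid image parent_image cmdline")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def protected_pids_referenced(evt, protected=PROTECTED_PROCESSES):
    """Protected PIDs named on a WER dumper's command line; [] if not a dumper."""
    if basename(evt.image) not in WER_DUMPERS:
        return []
    # Match bare integers regardless of flag syntax so the rule does not
    # depend on any particular dumper's argument format.
    referenced = {int(tok) for tok in re.findall(r"\b\d+\b", evt.cmdline)}
    return sorted(referenced & set(protected))

def scan(events, protected=PROTECTED_PROCESSES):
    """One alert per WER dumper launch whose target is a protected process."""
    alerts = []
    for evt in events:
        hits = protected_pids_referenced(evt, protected)
        if hits:
            alerts.append({
                "dumper_pid": evt.pid,
                "targets": [protected[p] for p in hits],
                "protected_pids": hits,
                "unexpected_parent": basename(evt.parent_image) not in EXPECTED_WER_PARENTS,
            })
    return alerts

# Constructed sample events: a routine crash dump of an ordinary process, and a
# dumper started from a user shell against the Defender engine's PID.
SAMPLE_EVENTS = [
    ProcEvent(9001, r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\svchost.exe",
              "WerFault.exe -u -p 7788 -s 1234"),
    ProcEvent(9002, r"C:\Windows\System32\WerFaultSecure.exe", r"C:\Windows\System32\cmd.exe",
              r"WerFaultSecure.exe -p 4120 -file C:\Users\Public\dump.dmp"),
]
```

A dumper launched outside the WER service against an agent's PID is the stronger signal; pairing this with a periodic liveness check of the agent's threads catches the "appears running but is suspended" state the article describes.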
The Bigger Picture: EDR Evasion Is Evolving Fast
EDR-Freeze isn't just a one-off curiosity; it's the latest example of a growing class of techniques that aim to disable, mute, or sidestep endpoint defenses entirely.
At Morphisec, we've tracked this trend closely:
- Earlier techniques, like EDRSilencer and EDRCheck, attempted to silence detection tools or check for their presence before executing payloads.
- Fileless and memory-based malware has surged in popularity, exploiting trusted OS processes and avoiding disk-based signatures altogether.
Now, we're seeing attacks that exploit legitimate OS components to neutralize EDRs without triggering alerts or requiring exploits. As threat actors get more creative and stealthier, it's becoming increasingly clear: detection-based tools can't keep up on their own.
Why Detection Isn't Enough Anymore
Traditional endpoint protection platforms (EPP), next-gen antivirus (NGAV), and EDR tools are essential, but incomplete. They rely heavily on signatures, heuristics, and behavior analysis to identify threats: methods that can be easily bypassed by novel, unknown, or fileless techniques.
As these tools become more sensitive in an attempt to catch emerging threats, they often generate a high volume of false positives, overwhelming security analysts and increasing attacker dwell time. Perhaps most critically, tools like these can be directly targeted and disabled by attackers (as demonstrated by EDR-Freeze), leaving systems exposed and defenses neutralized.
Once an EDR is frozen, silenced, or disabled, organizations lose visibility, response capability, and control, giving threat actors the upper hand.
That's why modern security teams need to go beyond detection.
Enter Deception and Automated Moving Target Defense
To stay ahead of evasive threats, defenders must embrace unpredictability and prevention-first models. That's where Morphisec comes in.
Morphisec's Automated Moving Target Defense (AMTD) deception technology turns your endpoints into constantly shifting targets, morphing memory at runtime and scrambling the static assumptions attackers rely on. The result? Exploits and evasive tools like EDR-Freeze crash or fail silently, before they can do damage.
And unlike detection-based tools, AMTD works pre-execution, without needing to recognize the threat or match it to a signature.
To help organizations combat advanced threats like EDR-Freeze, Morphisec offers a powerful multi-layered defense with its Anti-Ransomware Assurance Suite:
- Adaptive Exposure Management: reduces your attack surface and closes risky configuration gaps before they're exploited.
- Ransomware Infiltration Protection: uses AMTD's deception capabilities to stop ransomware and fileless malware from ever gaining a foothold, regardless of how stealthy they are.
- Ransomware Impact Protection: even if an attacker gets in, Impact Protection shields critical assets, blocks encryption attempts, and ensures that backups are safe and recoverable.
Together, these capabilities provide proactive protection against today's most evasive threat tactics, including those that disable or bypass traditional EDR tools.
Preemptive Protection for a New Threat Era
EDR-Freeze is a warning shot: a preview of the next generation of cyberattacks. These threats don't just evade detection. They target the defenders themselves.
In this new reality, organizations can't afford to rely on detection alone. They need prevention-first, deception-powered, lightweight defenses that stop attackers before they act. Morphisec delivers exactly that with deception capabilities at its core, and a proven ability to block threats that others miss.
Book a personalized demo today to see how Morphisec can protect your organization against EDR evasion and ransomware.