EDR-Freeze: A New Attack Freezes Security Tools—And Why Preemptive Protection Is the Answer

A newly released proof-of-concept attack called EDR-Freeze is raising alarms in the cybersecurity community—and rightly so.
Unlike traditional EDR evasion techniques that rely on terminating or uninstalling endpoint defenses (usually triggering alerts), EDR-Freeze takes a stealthier, more subversive approach: it freezes security software in a suspended state using legitimate Windows components.
The result? Security agents appear to be running, but they’re silently disabled, leaving systems wide open to ransomware, data theft, and further infiltration.
How EDR-Freeze Works: A “Coma” State for Your EDR
First revealed by security researcher Zero Salarium, the EDR-Freeze tool abuses the Windows Error Reporting (WER) subsystem and the MiniDumpWriteDump API.
Here’s what makes it so dangerous:
- It requires no vulnerable kernel drivers. Unlike bring-your-own-vulnerable-driver (BYOVD) techniques, this attack operates fully in user mode.
- It leverages legitimate OS behavior to suspend all threads of the target process (such as an EDR or antivirus engine) during a memory dump operation.
- It then suspends the dumper itself—preventing the EDR from ever resuming.
In effect, the EDR is left in a “frozen” state: unresponsive, invisible to its own monitoring tools, and entirely ineffective. Meanwhile, attackers are free to execute payloads, encrypt data, or exfiltrate sensitive information without triggering alarms.
As confirmed by BleepingComputer, the technique works on Windows 11 and successfully disables Windows Defender in its current implementation.
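A defender-side health check for the “coma” state described above, added here as an example and not Morphisec’s or the researcher’s code. It assumes an elevated PowerShell session and that the Defender engine runs as MsMpEng; the agent name list is a placeholder to adjust for your own EDR.

```powershell
# Added example: flag security-agent processes whose threads are ALL suspended,
# which is how a process looks after EDR-Freeze leaves it frozen.
# Assumption: process names below are placeholders; MsMpEng is the Defender engine.
$agentNames = @('MsMpEng')

foreach ($name in $agentNames) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Output "WARN: $name is not running at all"
        continue
    }
    foreach ($p in $procs) {
        $threads = @($p.Threads)
        # WaitReason is only valid when ThreadState is Wait, so test that first
        # (-and short-circuits, which avoids an exception on running threads).
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
            $_.WaitReason -eq [System.Diagnostics.ThreadWaitReason]::Suspended
        })
        if ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count) {
            # The agent is resident (so a simple "is it running" check passes)
            # but cannot execute: this is the frozen state to alert on.
            Write-Output ("ALERT: {0} (PID {1}) has all {2} threads suspended - possible EDR-Freeze" -f
                $name, $p.Id, $threads.Count)
        } else {
            Write-Output ("OK: {0} (PID {1}) {2}/{3} threads suspended" -f
                $name, $p.Id, $suspended.Count, $threads.Count)
        }
    }
}
```

Thread information is read via the system process list, so the check still works on protected agent processes that refuse a normal process handle; run it on a schedule and treat a 100% suspended result as a high-severity signal.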
The Bigger Picture: EDR Evasion Is Evolving Fast
EDR-Freeze isn’t just a one-off curiosity—it’s the latest example of a growing class of techniques that aim to disable, mute, or sidestep endpoint defenses entirely.
At Morphisec, we’ve tracked this trend closely:
- Earlier techniques, like EDRSilencer and EDRCheck, attempted to silence detection tools or check for their presence before executing payloads.
- Fileless and memory-based malware has surged in popularity, exploiting trusted OS processes and avoiding disk-based signatures altogether.
Now, we’re seeing attacks that exploit legitimate OS components to neutralize EDRs—without triggering alerts or requiring exploits. As threat actors get more creative and stealthier, it’s becoming increasingly clear: detection-based tools can’t keep up on their own.
Why Detection Isn’t Enough Anymore
Traditional endpoint protection platforms (EPP), next-gen antivirus (NGAV), and EDR tools are essential, but incomplete. They rely heavily on signatures, heuristics, and behavior analysis to identify threats: methods that can be easily bypassed by novel, unknown, or fileless techniques.
As these tools become more sensitive in an attempt to catch emerging threats, they often generate a high volume of false positives, overwhelming security analysts and increasing attacker dwell time. Perhaps most critically, tools like these can be directly targeted and disabled by attackers (as demonstrated by EDR-Freeze), leaving systems exposed and defenses neutralized.
Once an EDR is frozen, silenced, or disabled, organizations lose visibility, response capability, and control, and threat actors gain the upper hand.
That’s why modern security teams need to go beyond detection.
Enter Deception and Automated Moving Target Defense
To stay ahead of evasive threats, defenders must embrace unpredictability and prevention-first models. That’s where Morphisec comes in.
Morphisec’s Automated Moving Target Defense (AMTD) deception technology turns your endpoints into constantly shifting targets—morphing memory at runtime, scrambling the static assumptions attackers rely on. The result? Exploits and evasive tools like EDR-Freeze crash or fail silently, before they can do damage.
And unlike detection-based tools, AMTD works pre-execution, without needing to recognize the threat or match it to a signature.
To help organizations combat advanced threats like EDR-Freeze, Morphisec offers a powerful multi-layered defense with its Anti-Ransomware Assurance Suite:
- Adaptive Exposure Management — Reduces your attack surface and closes risky configuration gaps before they’re exploited.
- Ransomware Infiltration Protection — Uses AMTD’s deception capabilities to stop ransomware and fileless malware from ever gaining a foothold, regardless of how stealthy they are.
- Ransomware Impact Protection — Even if an attacker gets in, Impact Protection shields critical assets, blocks encryption attempts, and ensures that backups are safe and recoverable.
Together, these capabilities provide proactive protection against today’s most evasive threat tactics, including those that disable or bypass traditional EDR tools.
Preemptive Protection for a New Threat Era
EDR-Freeze is a warning shot—a preview of the next generation of cyberattacks. These threats don’t just evade detection. They target the defenders themselves.
In this new reality, organizations can’t afford to rely on detection alone. They need prevention-first, deception-powered, lightweight defenses that stop attackers before they act. Morphisec delivers exactly that with deception capabilities at its core, and a proven ability to block threats that others miss.
Book a personalized demo today to see how Morphisec can protect your organization against EDR evasion and ransomware.