An open-source tool called RealBlindingEDR enables attackers to blind, permanently disable, or terminate antivirus (AV) and endpoint detection and response (EDR) software by clearing critical kernel callbacks on Windows systems.
Released on GitHub in late 2023, the utility leverages signed drivers for arbitrary memory read and write operations, bypassing protections like PatchGuard to target six major kernel callback types. This development raises alarms for cybersecurity professionals, as the tool has been adopted by ransomware groups such as Crypto24 in recent attacks.