SYDNEY & SINGAPORE, 16 July 2026 — Bitdefender Labs has published research documenting three previously undocumented attack techniques that abuse a legitimate Windows feature, called bind links, to bypass endpoint detection and response (EDR) and built-in Windows defences including AMSI, AppLocker, Windows Firewall and Sysmon.
Bind links redirect a trusted file path to an attacker-controlled file without modifying the original file on disk. The redirection is handled by a Windows minifilter driver, bindflt.sys, and lives in memory, so it leaves no persistent file, stays hidden from normal file enumeration and disappears on reboot. Endpoint tools keep seeing clean, signed files while malicious code runs behind them. Every Windows 10 RS4+ and Windows 11 machine is exposed once an attacker has local administrator access, which covers most Australian enterprise fleets.
The technique matters because EDR killers are already standard kit for professional ransomware groups. Bind-link abuse hands them another way to blind the endpoint agent, and this one needs no vulnerable driver, only a documented Windows feature and the administrator rights they already have.
The research documents three techniques, each more advanced than the last, all defeating path-based security decisions at the kernel level. File-Binding redirects a trusted file or DLL path to attacker content, neutralising AMSI, hijacking EDR sensor DLLs and tampering with forensic logs. Process-Binding applies the same move to executables, so the operating system reports a trusted program while a different one runs. Silo-Binding, the most advanced, splits the filesystem into two views, so malicious code runs inside an isolated container while EDR, AppLocker, Windows Firewall and Sysmon outside see clean, legitimate files. Using Silo-Binding, Bitdefender ran the credential-theft tool Invoke-Mimikatz past EDR in a live test by disguising it as a trusted Windows system process. Bitdefender also found and reported a Docker Desktop flaw letting a non-administrator member of the docker-users group escalate to SYSTEM, prompting Docker to update its documentation to warn users.
Microsoft assessed the technique as low severity because it requires administrator access. Bitdefender’s position, in line with how the industry treats Bring Your Own Vulnerable Driver, is that reaching administrator should not buy an attacker a free pass on detection.
Bitdefender GravityZone anti-tampering protection already covers this class of attack. Bitdefender urges other defenders to stop trusting the image path reported at process creation and to re-check the real file each time it is reopened. A veto added in Windows 24H2 blocks some bind links but remains a partial fix. The full whitepaper includes bind-filter internals and detection guidance for the broader security community.
About Bitdefender
Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in anti-malware, IoT security, behavioural analytics, and artificial intelligence and its technology is licensed by more than 180 of the world’s most recognised technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world.
For more information, visit https://www.bitdefender.com.
Trusted. Always.




