Akira ransomware is abusing a professional Intel CPU tuning driver to show off Microsoft Defender in assaults from safety instruments and EDRs operating on track machines.
The abused driver is ‘rwdrv.sys’ (utilized by ThrottleStop), which the menace actors registerĀ as a service to realize kernel-level entry.
This driver is probably going used to load a second driver, ‘hlpdrv.sys,’ a malicious device that manipulates Home windows Defender to show off its protections.
It is a ‘Convey Your Personal Susceptible Driver’ (BYOVD) assault, the place menace actors use professional signed drivers which have identified vulnerabilities or weaknesses that may be abused to attain privilege escalation. This driver is then used to load a malicious device that disables Microsoft Defender.
“The second driver,Ā hlpdrv.sys, is equally registered as a service. When executed, it modifies the DisableAntiSpyware settings of Home windows Defender insideĀ REGISTRYMACHINESOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware,”Ā clarify the researchers.
“The malware accomplishes this through execution of regedit.exe.”
This tactic was noticed by Guidepoint Safety, which studies seeing repeated abuse of the rwdrv.sys driver in Akira ransomware assaults since July 15, 2025.
“We’re flagging this habits due to its ubiquity in current Akira ransomware IR circumstances. This high-fidelity indicator can be utilized for proactive detection and retroactive menace looking,” continued the report.
To assist defenders detect and block these assaults, Guidepoint Safety has supplied a YARA rule for hlpdrv.sys, in addition to full indicators of compromise (IoCs) for each drivers, their service names, and file paths the place they’re dropped.
Akira assaults on SonicWall SSLVPN
Akira ransomware was not too long ago linked to assaults on SonicWall VPNs utilizing what’s believed to be an unknown flaw.
Guidepoint Safety says it might neither verify nor debunk the exploitation of a zero-day vulnerability in SonicWall VPNs by Akira ransomware operators.
In response to studies about elevated offensive exercise, SonicWall suggested disabling or proscribing SSLVPN, implementing multi-factor authentication (MFA), enabling Botnet/Geo-IP safety, and eradicating unused accounts.
In the meantime, The DFIR Report has printed an evaluation of current Akira ransomware assaults, highlighting using the Bumblebee malware loader delivered through trojanized MSI installers of IT software program instruments.
An instance entails searches for “ManageEngine OpManager” on Bing, the place web optimization poisoning redirected the sufferer to the malicious website opmanager[.]professional.
.jpg)
Supply: The DFIR Report
Bumblebee is launched through DLL sideloading, and as soon as C2 communication is established, it drops AdaptixC2 for persistent entry.
The attackers then conduct inside reconnaissance, create privileged accounts, and exfiltrate information utilizing FileZilla, whereas sustaining entry through RustDesk and SSH tunnels.
After roughly 44 hours, the principle Akira ransomware payload (locker.exe) is deployed to encrypt methods throughout domains.
Till the SonicWall VPN scenario clears up, system directors ought to monitor for Akira-related exercise and apply filters and blocks as indicators emerge from safety analysis.
It’s also strongly suggested to solely obtain software program from official websites and mirrors, as impersonation websites have turn into a typical supply for malware.
Malware concentrating on password shops surged 3X as attackers executed stealthy Excellent Heist eventualities, infiltrating and exploiting essential methods.
Uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and methods to defend in opposition to them.
