Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender during attacks, evading the security tools and EDR running on target machines.
The abused driver is "RWDRV.SYS" (used by ThrottleStop), which the threat actor registers as a service to gain kernel-level access.
This driver is then used to load a second driver, "HLPDRV.SYS", a malicious tool that targets Windows Defender and turns off its protection.
This is a "Bring Your Own Vulnerable Driver" (BYOVD) attack, in which threat actors use legitimately signed drivers with known vulnerabilities or weaknesses that can be abused to gain privilege escalation. Here the driver is used to load malicious tools that disable Microsoft Defender.
"The second driver, HLPDRV.SYS, is registered as a service as well. When run, it modifies the DisableAntiSpyware setting for Windows Defender within \Registry\Machine\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware," the researchers explain.
"The malware accomplishes this through the execution of regedit.exe."
This tactic was observed by GuidePoint Security, which reports that since July 15, 2025, it has seen repeated abuse of the RWDRV.SYS driver in Akira ransomware attacks.
"We have flagged this behavior due to the current ubiquitous Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retrospective threat hunting," the report continued.
To help defenders detect and block these attacks, GuidePoint Security provided a YARA rule for HLPDRV.SYS and the full indicators of compromise (IOCs) for the driver, its service name, and the file paths of the dropped location.
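The detection surface described in the paragraphs above is small and concrete: a kernel service is created for RWDRV.SYS or HLPDRV.SYS, and then the DisableAntiSpyware value under the Windows Defender policy key is set to a non-zero DWORD by regedit.exe. The Python below is an added example of turning those two observations into detection logic; it is not GuidePoint's YARA rule or IOC list. The events it scans are constructed, simplified records in the shape of the Windows System log "service installed" event (ID 7045) and the Sysmon registry value-set event (ID 13); the field names are assumptions, and the C:\Users\Public paths are placeholders, not paths from the report.

```python
"""Flag the two-stage pattern: a service registered for one of the named drivers,
then DisableAntiSpyware set under the Defender policy key.

Added example with constructed events; not the vendor's rule or IOCs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Driver file names come from the article; everything else is an assumption.
ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Lower-cased tail of the registry value path the second driver modifies.
DEFENDER_VALUE_PATH = r"software\policies\microsoft\windows defender\disableantispyware"


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased; tolerates quotes and \\??\\ prefixes."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def _dword_value(details: str) -> Optional[int]:
    """Parse a Sysmon-style 'DWORD (0x00000001)' details string; None if unparseable."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def check_service_install(event: dict) -> Optional[Finding]:
    """Rule 1: a newly installed service whose image is one of the abused drivers."""
    image = _basename(event.get("ImagePath", ""))
    if image in ABUSED_DRIVERS:
        return Finding("byovd_driver_service",
                       f"service '{event.get('ServiceName')}' loads {image}")
    return None


def check_registry_set(event: dict) -> Optional[Finding]:
    """Rule 2: DisableAntiSpyware written with a non-zero value under the policy key.

    A write of 0 (re-enabling Defender) is deliberately not flagged.
    """
    target = event.get("TargetObject", "").lower()
    if not target.endswith(DEFENDER_VALUE_PATH):
        return None
    value = _dword_value(event.get("Details", ""))
    if value is None or value == 0:
        return None
    writer = _basename(event.get("Image", "")) or "unknown"
    return Finding("defender_disabled_by_policy",
                   f"{writer} set DisableAntiSpyware={value}")


def scan(events: List[dict]) -> List[Finding]:
    """Run both rules over a list of event records, keeping input order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045:
            f = check_service_install(ev)
        elif ev.get("EventID") == 13:
            f = check_registry_set(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


def correlate(findings: List[Finding]) -> bool:
    """True when both stages are present: driver service plus Defender policy flip."""
    rules = {f.rule for f in findings}
    return {"byovd_driver_service", "defender_disabled_by_policy"} <= rules


# Constructed sample telemetry (placeholder paths, not values from the report).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "rwdrv", "ImagePath": r"\??\C:\Users\Public\rwdrv.sys"},
    {"EventID": 7045, "ServiceName": "hlpdrv", "ImagePath": r"C:\Users\Public\hlpdrv.sys"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Benign: a normal driver service and an admin re-enabling Defender.
    {"EventID": 7045, "ServiceName": "disk", "ImagePath": r"C:\Windows\System32\drivers\disk.sys"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit.rule}] {hit.detail}")
    print("both stages observed on host:", correlate(hits))
```

Matching on the value path tail rather than the full key lets the same rule fire whether telemetry renders the key as HKLM\... or \Registry\Machine\...; the correlation step is what turns two individually noisy signals into the high-fidelity indicator the report describes.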
Akira attacks SonicWall SSLVPN
Akira ransomware has recently been linked to attacks on SonicWall VPNs using what is believed to be an unknown flaw.
GuidePoint Security says it cannot confirm or deny the exploitation of a SonicWall VPN zero-day vulnerability by Akira ransomware operators.
In response to reports of increased attack activity, SonicWall advised disabling or limiting SSLVPN, enforcing multi-factor authentication (MFA), enabling Botnet/Geo-IP protection, and deleting unused accounts.
Meanwhile, The DFIR Report has published an analysis of recent Akira ransomware attacks, highlighting the use of the Bumblebee malware loader, delivered via a trojanized MSI installer for an IT management tool.
One example involved searching for "ManageEngine OpManager" in Bing, where SEO poisoning redirected the victim to the malicious site opmanager(.)pro.
Source: The DFIR Report
Bumblebee is launched via DLL sideloading and, once C2 communication is established, it drops AdaptixC2 for persistent access.
The attacker then conducts internal reconnaissance, creates privileged accounts, exfiltrates data using FileZilla, and maintains access through RustDesk and SSH tunnels.
After about 44 hours, the main Akira ransomware payload (locker.exe) is deployed to encrypt systems across the domain.
Until the SonicWall VPN situation is resolved, system administrators should monitor for Akira-related activity and apply filters and blocks as indicators emerge from security research.
Also, since impersonation sites are a common source of malware, we strongly recommend downloading software only from the official website or its mirrors.