The Akira ransomware gang is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender during attacks, evading the security tools and EDR running on target machines.
The abused driver is "rwdrv.sys" (used by ThrottleStop), which the threat actor registers as a service in order to gain kernel-level access.
That driver is then used to load a second driver, "hlpdrv.sys," a malicious tool that tampers with Windows Defender and switches its protection off.
This is a "bring your own vulnerable driver" (BYOVD) attack, in which threat actors abuse legitimately signed drivers with known vulnerabilities or weaknesses to achieve privilege escalation. Here the vulnerable driver is used to load a malicious tool that disables Microsoft Defender.
"The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware setting of Windows Defender within the registry at \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware," the researchers explain.
"The malware accomplishes this via executing regedit.exe."
This tactic was observed by GuidePoint Security, which reports that since July 15, 2025, it has seen repeated abuse of the rwdrv.sys driver in Akira ransomware attacks.
"We're flagging this behavior due to its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retrospective threat hunting," the report continues.
To help defenders detect and block these attacks, GuidePoint Security has provided a full set of indicators of compromise (IOCs) for the driver, its service name and the file paths of the dropped locations, along with a YARA rule for hlpdrv.sys.
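As an added example (not code from GuidePoint's report or from this article), the following PowerShell hunt checks a single Windows host for the three artifacts described above: a driver service that loads rwdrv.sys or hlpdrv.sys, the DisableAntiSpyware policy value set to 1, and historical service-installation events (System log, Event ID 7045) that name either driver. The driver file names and the registry value come from the report as quoted here; the service names, which GuidePoint's IOC list would supply, are not given on this page, so the script matches on the driver file name rather than on an assumed service name.

```powershell
# Added hunting script, not part of GuidePoint's report. Run from an elevated prompt
# for complete results. Driver file names and the registry value are taken from the
# article; everything else (variable names, output format) is this example's own.

$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')
$findings = New-Object System.Collections.Generic.List[string]

# 1. Kernel driver services whose binary is one of the abused drivers.
#    Win32_SystemDriver lists driver-type services with their on-disk path (PathName).
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Strip a leading \??\ NT prefix and surrounding quotes before taking the leaf name.
        $clean = ($_.PathName -replace '^\\\?\?\\', '').Trim('"')
        $leaf = [System.IO.Path]::GetFileName($clean)
        if ($suspectDrivers -contains $leaf.ToLower()) {
            $findings.Add("driver service '$($_.Name)' loads $($_.PathName) (state: $($_.State), start: $($_.StartMode))")
        }
    }

# 2. The Defender policy value the second driver sets. \REGISTRY\MACHINE\... in the
#    report maps to the HKLM: drive in PowerShell.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$value = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($value -and $value.DisableAntiSpyware -eq 1) {
    $findings.Add("DisableAntiSpyware=1 under $policyKey")
}

# 3. Service-installation events (Event ID 7045) mentioning either driver, for
#    retrospective hunting after the attacker has removed the service again.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    foreach ($d in $suspectDrivers) {
        if ($e.Message -match [regex]::Escape($d)) {
            $findings.Add("7045 at $($e.TimeCreated): $($e.Message -replace '\s+', ' ')")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No rwdrv.sys/hlpdrv.sys artifacts found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Two caveats when reading the output. A legitimate ThrottleStop installation will also show a service loading rwdrv.sys, so the driver alone is a lead to correlate with the service name, dropped-file paths and YARA rule from GuidePoint's IOC list rather than a verdict. And on hosts where Defender's Tamper Protection is enabled, setting DisableAntiSpyware in the policy key is not honoured by the engine, so a hit on check 2 there is evidence of an attempted tamper, not confirmation that Defender was actually switched off.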
Akira attacks SonicWall SSLVPN
Akira ransomware has recently been linked to attacks on SonicWall VPNs using what is believed to be an unknown flaw.
GuidePoint Security says it cannot confirm or rule out the exploitation of a SonicWall VPN zero-day vulnerability by Akira ransomware operators.
In response to reports of increased attack activity, SonicWall advised disabling or restricting SSLVPN, enforcing multifactor authentication (MFA), enabling botnet/Geo-IP protection, and removing unused accounts.
Meanwhile, The DFIR Report has published an analysis of a recent Akira ransomware attack, highlighting the use of the Bumblebee malware loader, delivered via a trojanized MSI installer for a piece of IT software.
In that case, the victim searched for "ManageEngine OpManager" on Bing, and SEO poisoning redirected them to the malicious site opmanager(.)pro.
Source: The DFIR Report
Bumblebee was launched via DLL sideloading, and once C2 communication was established, it dropped AdaptixC2 for persistent access.
The attackers then conducted internal reconnaissance, created privileged accounts, exfiltrated data using FileZilla, and maintained access through RustDesk and SSH tunnels.
After about 44 hours, the main Akira ransomware payload (locker.exe) was deployed to encrypt systems across the domain.
Until the SonicWall VPN situation is resolved, system administrators should monitor for Akira-related activity and apply filters and blocks as indicators emerge from security research.
Also, since impersonation sites are a common source of malware, we strongly recommend downloading software only from the official website or its mirrors.