Akira ransomware is abusing a respectable Intel CPU tuning driver to show off Microsoft Defender in assaults from safety instruments and EDRs operating heading in the right direction machines.
The abused driver is ‘rwdrv.sys’ (utilized by ThrottleStop), which the risk actors registerĀ as a service to realize kernel-level entry.
This driver is probably going used to load a second driver, ‘hlpdrv.sys,’ a malicious software that manipulates Home windows Defender to show off its protections.
This can be a ‘Deliver Your Personal Susceptible Driver’ (BYOVD) assault, the place risk actors use respectable signed drivers which have recognized vulnerabilities or weaknesses that may be abused to attain privilege escalation. This driver is then used to load a malicious software that disables Microsoft Defender.
“The second driver,Ā hlpdrv.sys, is equally registered as a service. When executed, it modifies the DisableAntiSpyware settings of Home windows Defender insideĀ REGISTRYMACHINESOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware,”Ā clarify the researchers.
“The malware accomplishes this by way of execution of regedit.exe.”
This tactic was noticed by Guidepoint Safety, which experiences seeing repeated abuse of the rwdrv.sys driver in Akira ransomware assaults since July 15, 2025.
“We’re flagging this conduct due to its ubiquity in current Akira ransomware IR instances. This high-fidelity indicator can be utilized for proactive detection and retroactive risk searching,” continued the report.
To assist defenders detect and block these assaults, Guidepoint Safety has offered a YARA rule for hlpdrv.sys, in addition to full indicators of compromise (IoCs) for each drivers, their service names, and file paths the place they’re dropped.
Akira assaults on SonicWall SSLVPN
Akira ransomware was not too long ago linked to assaults on SonicWall VPNs utilizing what’s believed to be an unknown flaw.
Guidepoint Safety says it might neither affirm nor debunk the exploitation of a zero-day vulnerability in SonicWall VPNs by Akira ransomware operators.
In response to experiences about elevated offensive exercise, SonicWall suggested disabling or limiting SSLVPN, implementing multi-factor authentication (MFA), enabling Botnet/Geo-IP safety, and eradicating unused accounts.
In the meantime, The DFIR Report has revealed an evaluation of current Akira ransomware assaults, highlighting the usage of the Bumblebee malware loader delivered by way of trojanized MSI installers of IT software program instruments.
An instance entails searches for “ManageEngine OpManager” on Bing, the place web optimization poisoning redirected the sufferer to the malicious web site opmanager[.]professional.
.jpg)
Supply: The DFIR Report
Bumblebee is launched by way of DLL sideloading, and as soon as C2 communication is established, it drops AdaptixC2 for persistent entry.
The attackers then conduct inside reconnaissance, create privileged accounts, and exfiltrate knowledge utilizing FileZilla, whereas sustaining entry by way of RustDesk and SSH tunnels.
After roughly 44 hours, the principle Akira ransomware payload (locker.exe) is deployed to encrypt techniques throughout domains.
Till the SonicWall VPN state of affairs clears up, system directors ought to monitor for Akira-related exercise and apply filters and blocks as indicators emerge from safety analysis.
It is usually strongly suggested to solely obtain software program from official websites and mirrors, as impersonation websites have turn into a typical supply for malware.
Malware focusing on password shops surged 3X as attackers executed stealthy Good Heist situations, infiltrating and exploiting important techniques.
Uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the right way to defend in opposition to them.
