Akira ransomware is abusing a respectable Intel CPU tuning driver to show off Microsoft Defender in assaults from safety instruments and EDRs working heading in the right direction machines.
The abused driver is ‘rwdrv.sys’ (utilized by ThrottleStop), which the menace actors register as a service to realize kernel-level entry.
This driver is probably going used to load a second driver, ‘hlpdrv.sys,’ a malicious instrument that manipulates Home windows Defender to show off its protections.
It is a ‘Deliver Your Personal Weak Driver’ (BYOVD) assault, the place menace actors use respectable signed drivers which have identified vulnerabilities or weaknesses that may be abused to attain privilege escalation. This driver is then used to load a malicious instrument that disables Microsoft Defender.
“The second driver, hlpdrv.sys, is equally registered as a service. When executed, it modifies the DisableAntiSpyware settings of Home windows Defender inside REGISTRYMACHINESOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware,” clarify the researchers.
“The malware accomplishes this by way of execution of regedit.exe.”
This tactic was noticed by Guidepoint Safety, which experiences seeing repeated abuse of the rwdrv.sys driver in Akira ransomware assaults since July 15, 2025.
“We’re flagging this conduct due to its ubiquity in current Akira ransomware IR circumstances. This high-fidelity indicator can be utilized for proactive detection and retroactive menace searching,” continued the report.
To assist defenders detect and block these assaults, Guidepoint Safety has offered a YARA rule for hlpdrv.sys, in addition to full indicators of compromise (IoCs) for each drivers, their service names, and file paths the place they’re dropped.
Akira assaults on SonicWall SSLVPN
Akira ransomware was lately linked to assaults on SonicWall VPNs utilizing what’s believed to be an unknown flaw.
Guidepoint Safety says it might neither verify nor debunk the exploitation of a zero-day vulnerability in SonicWall VPNs by Akira ransomware operators.
In response to experiences about elevated offensive exercise, SonicWall suggested disabling or proscribing SSLVPN, imposing multi-factor authentication (MFA), enabling Botnet/Geo-IP safety, and eradicating unused accounts.
In the meantime, The DIFe Report has revealed an evaluation of current Akira ransomware assaults, highlighting the usage of the Bumblebee malware loader delivered by way of trojanized MSI installers of IT software program instruments.
An instance entails searches for “ManageEngine OpManager” on Bing, the place search engine optimisation poisoning redirected the sufferer to the malicious web site opmanager(.)professional.
.jpg)
Malicious web site beginning an Akira assault
SOURCE: The DIFe Report
Bumblebee is launched by way of DLL sideloading, and as soon as C2 communication is established, it drops AdaptixC2 for persistent entry.
The attackers then conduct inside reconnaissance, create privileged accounts, and exfiltrate knowledge utilizing FileZilla, whereas sustaining entry by way of RustDesk and SSH tunnels.
After roughly 44 hours, the primary Akira ransomware payload (locker.exe) is deployed to encrypt techniques throughout domains.
Till the SonicWall VPN state of affairs clears up, system directors ought to monitor for Akira-related exercise and apply filters and blocks as indicators emerge from safety analysis.
It’s also strongly suggested to solely obtain software program from official websites and mirrors, as impersonation websites have change into a standard supply for malware.
Malware focusing on password shops surged 3X as attackers executed stealthy Excellent Heist situations, infiltrating and exploiting crucial techniques.
Uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and easy methods to defend in opposition to them.
