
Akira ransomware abuses CPU tuning tool to disable Microsoft Defender


Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender, evading detection by the security tools and EDRs running on target machines.

The abused driver is 'rwdrv.sys' (used by ThrottleStop), which the threat actors register as a service to gain kernel-level access.

This driver is then likely used to load a second, malicious driver, 'hlpdrv.sys', which manipulates Windows Defender settings to turn off its protections.

This is a 'Bring Your Own Vulnerable Driver' (BYOVD) attack, in which threat actors load a legitimately signed driver with known vulnerabilities or weaknesses to gain kernel-level access or escalate privileges, then use that access to load a malicious tool, here the driver that disables Microsoft Defender. Because the abused driver is validly signed and harmless on its own, signature checks alone do not stop it; Microsoft's vulnerable driver blocklist and WDAC/HVCI policies are the usual control for this class of attack, but only for drivers that have actually been added to them.

"The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware," explain the researchers.

"The malware accomplishes this via execution of regedit.exe."
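The following PowerShell hunt script is an added example and is not from the GuidePoint report or the original article. It checks a single host for the artifacts described above: kernel driver services whose image path ends in rwdrv.sys or hlpdrv.sys (the service names and drop paths are not given on this page, so it matches on the binary name rather than assuming them), the DisableAntiSpyware policy value, and System log Event ID 7045 service-install records naming either driver. The Tamper Protection check, the 7045 query and the 30-day look-back window are standard Windows features and assumptions added here for context, not something the report describes.

```powershell
# Added hunt script: not from GuidePoint's report or the article. Run elevated.
# Indicators taken from the text: rwdrv.sys (ThrottleStop) and hlpdrv.sys, each
# registered as a kernel driver service, and the Defender policy value
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.
# Service names and drop paths are NOT on this page, so matching is by file name.

$driverPattern = '(?i)\\(rwdrv|hlpdrv)\.sys"?\s*$'   # end of the ImagePath value
$findings = New-Object System.Collections.Generic.List[string]

# 1. Currently registered kernel driver services (the kernel-driver entries under
#    HKLM\SYSTEM\CurrentControlSet\Services). PathName is the service ImagePath.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match $driverPattern } |
    ForEach-Object {
        $findings.Add(("Driver service '{0}' -> {1} (state {2}, start {3})" -f
            $_.Name, $_.PathName, $_.State, $_.StartMode))
    }

# 2. The registry change the second driver makes through regedit.exe.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    $findings.Add("DisableAntiSpyware = 1 under $policyKey")
}

# 3. Historical evidence: the Service Control Manager writes Event ID 7045 to the
#    System log when a service is installed, including its image path. This also
#    catches services that were created and later removed.
$since = (Get-Date).AddDays(-30)   # assumption: 30-day look-back
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)(rwdrv|hlpdrv)\.sys' } |
    ForEach-Object {
        $findings.Add(("Service install event at {0}: {1}" -f
            $_.TimeCreated, ($_.Message -replace '\s+', ' ')))
    }

# 4. Context: Defender's own view of its state. Tamper Protection is the control
#    meant to stop DisableAntiSpyware from being flipped by an untrusted process.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    ("Defender: AntispywareEnabled={0} RealTimeProtectionEnabled={1} IsTamperProtected={2}" -f
        $mp.AntispywareEnabled, $mp.RealTimeProtectionEnabled, $mp.IsTamperProtected)
}

if ($findings.Count -eq 0) {
    'No rwdrv.sys/hlpdrv.sys driver services, matching 7045 events, or DisableAntiSpyware=1 found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero so a fleet-wide runner (e.g. via Invoke-Command) can flag the host
}
```

Run it with administrator rights so the service enumeration and the System log are fully readable. A hit on rwdrv.sys alone is not proof of compromise, since ThrottleStop users will have the same driver registered; the combination of that driver with hlpdrv.sys, a fresh 7045 install event, or DisableAntiSpyware set to 1 is what should trigger an investigation.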

This tactic was observed by Guidepoint Security, which reports seeing repeated abuse of the rwdrv.sys driver in Akira ransomware attacks since July 15, 2025.

"We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting," continued the report.

To help defenders detect and block these attacks, Guidepoint Security has provided a YARA rule for hlpdrv.sys, as well as complete indicators of compromise (IoCs) for both drivers, their service names, and file paths where they are dropped.

Akira attacks on SonicWall SSLVPN
