Akira Ransomware Uses Intel Driver to Bypass Windows Defender
Akira ransomware attacks are growing ever more sophisticated: threat actors have begun exploiting a legitimate Intel CPU tuning driver to disable Windows’ built-in protections.
The driver in question—rwdrv.sys, part of the ThrottleStop utility—is registered as a system service, granting attackers kernel-level access to Windows. This approach bypasses conventional security controls, including antivirus solutions and EDR-based threat detection.
At this stage, a second component is deployed: the malicious driver hlpdrv.sys, also configured as a service. It directly interacts with Windows Defender’s settings, modifying the DisableAntiSpyware parameter in the system registry at REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.
The modification is executed via the standard regedit.exe utility, enabling the attackers to silently deactivate native protection without drawing an administrator’s attention.
This technique falls under the category of a BYOVD attack (Bring Your Own Vulnerable Driver), in which a legitimate yet vulnerable driver is used as a “Trojan horse” to insert malicious code into the system. Since the drivers carry valid digital signatures, they are far harder to block using standard security tools.
Researchers at GuidePoint Security have observed a sharp increase in incidents involving rwdrv.sys since July 15, 2025. According to their findings, this driver has become a consistent indicator of activity linked to the group behind Akira. To assist defenders, GuidePoint has released YARA detection rules and a set of indicators of compromise (IoCs), including service names and file paths associated with the malware.
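As an added illustration, not part of the article and not GuidePoint's published YARA rules or IoC list, the following Python script shows how a defender might flag the two host artefacts described above in exported telemetry: a service installation whose image file is rwdrv.sys or hlpdrv.sys, and a write of 1 to the DisableAntiSpyware policy value, with the regedit.exe writer the article reports treated as the strongest signal. The log lines are constructed for the example in a key=value form modelled on the Windows System log "service installed" event (7045) and the Sysmon "registry value set" event (13); the field names, rule names and severities are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data): key=value lines modelled on the
# Windows System log "service installed" event (7045) and the Sysmon
# "registry value set" event (13). Field names are assumptions for the example.
SAMPLE_LINES = [
    'EventID=7045 ServiceName=rwdrv ImagePath=C:\\Users\\Public\\rwdrv.sys '
    'ServiceType="kernel mode driver" StartType="auto start"',
    'EventID=7045 ServiceName=hlpdrv ImagePath=C:\\Users\\Public\\hlpdrv.sys '
    'ServiceType="kernel mode driver" StartType="demand start"',
    'EventID=13 Image=C:\\Windows\\regedit.exe '
    'TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" '
    'Details="DWORD (0x00000001)"',
    'EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe '
    'ServiceType="user mode service" StartType="auto start"',
    'EventID=13 Image=C:\\Windows\\System32\\svchost.exe '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\LastScan" '
    'Details="QWORD (0x0000000000000000)"',
]

# Driver file names the article names as indicators of the Akira BYOVD chain.
DRIVER_IOCS = {
    "rwdrv.sys": "ThrottleStop driver registered as a service (BYOVD foothold)",
    "hlpdrv.sys": "helper driver that tampers with Windows Defender settings",
}
# Registry value the article reports being set; matched as a suffix so that both
# the HKLM\... and \REGISTRY\MACHINE\... spellings are caught.
DEFENDER_POLICY_SUFFIX = r"\policies\microsoft\windows defender\disableantispyware"

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_service_install(ev: dict):
    """Event 7045: a new service whose image is one of the known driver names."""
    if ev.get("EventID") != "7045":
        return None
    image = basename(ev.get("ImagePath", ""))
    if image in DRIVER_IOCS:
        return Finding("high", "suspicious_driver_service",
                       f"service '{ev.get('ServiceName')}' loads {image}: {DRIVER_IOCS[image]}")
    return None


def check_defender_policy(ev: dict):
    """Sysmon 13: DisableAntiSpyware policy value written as 1."""
    if ev.get("EventID") != "13":
        return None
    if not ev.get("TargetObject", "").lower().endswith(DEFENDER_POLICY_SUFFIX):
        return None
    match = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.IGNORECASE)
    if match is None or int(match.group(1), 16) != 1:
        return None
    writer = basename(ev.get("Image", "")) or "unknown process"
    # The article reports the write being made through regedit.exe; treat that
    # specific combination as the strongest signal.
    severity = "critical" if writer == "regedit.exe" else "high"
    return Finding(severity, "defender_disabled_by_policy",
                   f"DisableAntiSpyware set to 1 by {writer}")


def scan(lines) -> list:
    """Run every check over every line and collect the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_service_install, check_defender_policy):
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def chain_detected(findings) -> bool:
    """True when both stages are seen: driver service plus Defender policy disable."""
    rules = {f.rule for f in findings}
    return {"suspicious_driver_service", "defender_disabled_by_policy"} <= rules


if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for f in results:
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    print("BYOVD chain detected:", chain_detected(results))
```

On real exports the field names would need mapping to whatever the SIEM or log forwarder emits, and since rwdrv.sys is a legitimate ThrottleStop component, a lone driver-service hit on a workstation where that utility is sanctioned should be confirmed against the install path and the presence of the second stage before it is escalated; the chain_detected check exists for exactly that reason.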
In other operations attributed to the same group, a new intrusion vector has been documented—exploitation of vulnerabilities in SonicWall VPN devices. While there is no direct confirmation of a previously unknown flaw, GuidePoint does not rule out the possibility of an undisclosed SSLVPN vulnerability being abused. In response, SonicWall has advised temporarily disabling or restricting SSLVPN access, enabling two-factor authentication, applying geolocation and botnet-based access controls, and removing unused accounts.
The group has also been linked to infections spread via fake websites masquerading as download pages for popular IT products. One notable example is opmanager[.]pro, which appeared in Bing search results for “ManageEngine OpManager.” Visitors to the site were served a malicious MSI installer containing the Bumblebee loader.
Bumblebee, in turn, leveraged DLL sideloading to execute, then deployed the AdaptixC2 remote access tool, establishing a persistent command channel. This was followed by internal network scanning, creation of privileged accounts, data exfiltration via FileZilla, and persistence through RustDesk and SSH tunneling.
On average, just 44 hours elapse between initial compromise and the encryption of every device within the domain. The final stage is the launch of locker.exe, which contains Akira’s primary encryption payload.
Until the situation with SonicWall vulnerabilities is clarified, system administrators are strongly urged to monitor for activity linked to Akira and respond quickly to new IoCs. Additionally, software should never be downloaded from unverified sources—spoofed “official” websites remain one of the most effective malware delivery vectors.