The Akira ransomware group has been observed deploying a new method to disable Microsoft Defender by abusing a legitimate Intel CPU tuning driver, part of a broader strategy that targets endpoint protection tools and endpoint detection and response (EDR) systems.
Akira’s attack method: using a vulnerable driver to disable Defender
Security researchers at Guidepoint Security uncovered that Akira ransomware operators are exploiting rwdrv.sys, a driver used by Intel’s ThrottleStop utility. The attackers register this driver as a service to gain kernel-level privileges on compromised systems.
Once access is gained, the attackers deploy a second driver, hlpdrv.sys, designed to modify Defender’s settings and disable its protective functions.
“The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware,” researchers explained.
“The malware accomplishes this via execution of regedit.exe.”
This is part of a growing trend called Bring Your Own Vulnerable Driver (BYOVD) attacks. In these scenarios, threat actors use legitimate but vulnerable signed drivers to escalate privileges and disable security tools without triggering alerts.
Malicious drivers now an indicator of ransomware activity
Guidepoint Security noted that this technique has been consistently observed in Akira ransomware incidents since July 15, 2025. They have issued YARA detection rules and indicators of compromise (IoCs) to help defenders identify and respond to the use of rwdrv.sys and hlpdrv.sys.
“We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting,” the report stated.
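The two behaviours described above (a kernel driver service registered for rwdrv.sys or hlpdrv.sys, and the Defender DisableAntiSpyware policy value being set via regedit.exe) are straightforward to hunt for in standard Windows telemetry. The script below is an added example written for this article, not code from Guidepoint Security or from the Akira report; it assumes simplified event records in the shape of a System log Event ID 7045 (service installed) and a Sysmon Event ID 13 (registry value set), and the sample records it runs over are constructed, not real telemetry.

```python
"""Added hunting example (not from the Guidepoint report).

Flags the two Akira behaviours named in the article:
(1) a kernel driver service registered for rwdrv.sys or hlpdrv.sys
    (System log, Event ID 7045 "A service was installed in the system"), and
(2) the Defender policy value DisableAntiSpyware being set to 1 under
    HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender (Sysmon Event ID 13).
Event records are simplified dicts; in practice they would come from an EVTX
parser or a SIEM export.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Driver file names named in the article
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Defender policy location quoted in the article (registry path)
DEFENDER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_POLICY_VALUE = "DisableAntiSpyware"


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(image_path: str) -> str:
    """Return the lower-cased file name from a service ImagePath.

    ImagePath may be quoted, carry a \\??\\ prefix, or have trailing arguments.
    """
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_service_install(ev: dict) -> Optional[Finding]:
    """Event 7045: flag a service whose binary is one of the suspect drivers."""
    if ev.get("event_id") != 7045:
        return None
    name = _basename(ev.get("image_path", ""))
    if name in SUSPECT_DRIVERS:
        return Finding(
            "byovd-driver-service",
            ev["host"],
            f"service {ev.get('service_name')} -> {name} ({ev.get('service_type')})",
        )
    return None


# Accept both the Sysmon-style HKLM\... form and the \REGISTRY\MACHINE\... form
_KEY_RE = re.compile(
    r"(?i)^(?:HKLM|\\REGISTRY\\MACHINE)\\"
    + re.escape(DEFENDER_POLICY_KEY)
    + r"\\"
    + DEFENDER_POLICY_VALUE
    + r"$"
)


def check_defender_policy(ev: dict) -> Optional[Finding]:
    """Sysmon 13 (registry value set): flag DisableAntiSpyware being turned on."""
    if ev.get("event_id") != 13:
        return None
    if not _KEY_RE.match(ev.get("target_object", "")):
        return None
    details = str(ev.get("details", "")).upper()
    # Sysmon renders DWORD values as e.g. "DWORD (0x00000001)"
    if "0X00000001" in details or details.strip() == "1":
        return Finding("defender-disable-policy", ev["host"],
                       f"set by {ev.get('image', '').lower()}")
    return None


def hunt(events) -> list:
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_service_install, check_defender_policy):
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "rwdrv",
     "service_type": "kernel mode driver",
     "image_path": r"\??\C:\Users\Public\rwdrv.sys"},
    {"event_id": 7045, "host": "ws01", "service_name": "hlpdrv",
     "service_type": "kernel mode driver",
     "image_path": r"C:\Windows\Temp\hlpdrv.sys"},
    {"event_id": 7045, "host": "ws02", "service_name": "Spooler",
     "service_type": "win32 own process",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 13, "host": "ws01", "image": r"C:\Windows\regedit.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"event_id": 13, "host": "ws03", "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Matching on the driver file name rather than the service name is deliberate: the service name is attacker-chosen, while the binary name and the registry value are what the report actually describes. A Defender policy value of 0 is left alone so that legitimate policy resets do not generate noise.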
Akira also targets SonicWall VPNs with suspected zero-day flaw
In parallel, Akira ransomware has been linked to attacks on SonicWall SSLVPN appliances. While unconfirmed, security researchers believe these attacks may involve a zero-day vulnerability. SonicWall has responded by recommending:
- Disabling or restricting SSLVPN usage
- Enforcing multi-factor authentication (MFA)
- Enabling botnet and geo-IP filtering
- Deleting unused accounts
Trojanized IT tools used to deploy Akira ransomware
Akira’s attacks are not limited to driver abuse. According to The DFIR Report, the group is also using SEO poisoning and trojanized installers to gain initial access.
One notable case involved users searching for “ManageEngine OpManager” on Bing. Victims were redirected to a fake site (opmanager[.]pro) where they downloaded malware-laced MSI installers.
This led to the execution of Bumblebee malware via DLL sideloading, followed by persistent access using AdaptixC2. Attackers then moved laterally through the network:
- Conducted internal reconnaissance
- Created privileged accounts
- Used FileZilla for exfiltration
- Maintained access with RustDesk and SSH tunnels
Approximately 44 hours after initial access, Akira’s main ransomware payload (locker.exe) was deployed across targeted domains to encrypt systems.
Enterprise defenders urged to stay alert
Security teams are advised to monitor for signs of Akira-related activity, especially the use of vulnerable drivers and unusual system behaviors. With SonicWall VPN exploits still under investigation, system administrators should apply all known defensive measures and only download tools from trusted sources.