Microsoft Defender Under Threat as Hackers Exploit Trusted Intel Driver
Cybercriminals have uncovered a method to disable Windows Defender by exploiting a legitimate Intel CPU tuning driver, giving them the ability to deploy malware undetected since July 2025. The technique, known as ‘Bring Your Own Vulnerable Driver’ (BYOVD), has been observed in active ransomware campaigns.
Windows Defender, a key component of Microsoft’s security ecosystem, has long been a relied-upon defense against malware. However, a hacker group has found a way to manipulate the system’s driver architecture to gain kernel access and disable Defender. This allows for the deployment of malware without triggering standard security checks.
The technique involves using the Intel driver ‘rwdrv.sys’ from the performance-tweaking tool ThrottleStop. Security firm GuidePoint Security reports that attackers load this driver to gain kernel-level access, then install a second malicious driver, ‘hlpdrv.sys’, which changes the DisableAntiSpyware registry setting to disable Defender. This method has been consistently used in Akira ransomware campaigns since mid-July.
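The chain described above leaves two observable traces on a host: a kernel-mode driver service being installed (System log Event ID 7045) and the Defender policy value DisableAntiSpyware being set to 1 (Sysmon Event ID 13). The detection logic below is an added example, not GuidePoint's published rule; the log records are constructed, the hostnames and paths are assumptions, and only the driver file names come from the reporting.

```python
import re
from collections import defaultdict
# Constructed sample telemetry (not real logs): System log 7045 (service installed)
# and Sysmon Event ID 13 (registry value set), flattened to key=value text.
SAMPLE_EVENTS = [
    "Computer=WS01 EventID=7045 ServiceName=rwdrv ServiceType=kernel mode driver "
    "ImagePath=C:\\Users\\Public\\rwdrv.sys",
    "Computer=WS01 EventID=7045 ServiceName=hlpdrv ServiceType=kernel mode driver "
    "ImagePath=C:\\Users\\Public\\hlpdrv.sys",
    "Computer=WS01 EventID=13 Image=System TargetObject=HKLM\\SOFTWARE\\Policies\\"
    "Microsoft\\Windows Defender\\DisableAntiSpyware Details=DWORD (0x00000001)",
    "Computer=WS02 EventID=7045 ServiceName=npf ServiceType=kernel mode driver "
    "ImagePath=C:\\Windows\\System32\\drivers\\npf.sys",
]
KNOWN_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}  # file names from the GuidePoint reporting
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces

def parse_event(line):
    """Split a flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def check_event(ev):
    """Return (Computer, tag) findings for one parsed event."""
    findings, host = [], ev.get("Computer", "?")
    if ev.get("EventID") == "7045" and "kernel" in ev.get("ServiceType", "").lower():
        path = ev.get("ImagePath", "").lower()
        name = path.rsplit("\\", 1)[-1]
        if name in KNOWN_DRIVERS:
            findings.append((host, f"known BYOVD driver installed: {name}"))
        elif not path.startswith(DRIVER_DIR):  # kernel code outside the drivers dir
            findings.append((host, f"kernel driver loaded from non-standard path: {path}"))
    if ev.get("EventID") == "13":
        target, details = ev.get("TargetObject", "").lower(), ev.get("Details", "")
        if target.endswith("\\windows defender\\disableantispyware") and "0x00000001" in details:
            findings.append((host, "Defender DisableAntiSpyware policy set to 1"))
    return findings

def detect(lines):
    """Per-event checks, then per-host correlation: a driver install plus a
    Defender tamper on the same host is reported as a probable BYOVD chain."""
    by_host = defaultdict(list)
    for line in lines:
        for host, tag in check_event(parse_event(line)):
            by_host[host].append(tag)
    for tags in by_host.values():
        if any("driver" in t for t in tags) and any("DisableAntiSpyware" in t for t in tags):
            tags.append("probable BYOVD chain: driver install followed by Defender tamper")
    return dict(by_host)
```

Running `detect(SAMPLE_EVENTS)` flags only WS01, where both driver installs and the Defender policy change occur; WS02's legitimate driver in the standard directory produces no finding.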
The Akira ransomware group, which has previously targeted SonicWall VPN devices, may have used a known vulnerability, CVE-2024-40766, rather than a newly discovered zero-day. SonicWall recommends restricting VPN access, enabling multi-factor authentication, and deactivating unused accounts as immediate defensive measures.
Akira attacks often involve data theft, remote access establishment, and the deployment of ransomware to encrypt files in an organization. Experts warn that fake websites are increasingly being used to distribute these malicious tools. GuidePoint has publicly shared a YARA detection rule, along with file names, service names, SHA-256 hashes, and file paths to aid in identification.
Microsoft has not yet commented on the matter, but experts emphasize the importance of proactive defense measures. Users are advised to install robust antivirus software with real-time protection, keep operating systems and applications updated, and enable two-factor authentication to enhance security.
Regular system updates are crucial, as they often patch known vulnerabilities that malware can exploit. Additionally, users should exercise caution with unsolicited email attachments and avoid downloading or running unfamiliar scripts or commands that could introduce malicious code.
Despite the sophisticated nature of these attacks, experts note that users can take significant steps to protect themselves. These include monitoring for unauthorized activity, using only verified software sources, and maintaining good cybersecurity hygiene. However, the potential for such vulnerabilities to be exploited highlights the importance of continuous security improvements in both software and hardware design.