A potent wave of ransomware attacks has uncovered a cunning new strategy in cybercrime: hackers are leveraging a legitimate Intel CPU tuning driver to disable Windows 11’s built-in antivirus, leaving systems dangerously exposed. The Akira ransomware, already notorious for its aggressive campaigns, has been found abusing the widely used rwdrv.sys driver—often associated with the popular ThrottleStop utility. By exploiting vulnerabilities in this driver, attackers achieve kernel-level access and load a secondary malicious driver, effectively neutralizing Microsoft Defender’s security features and opening the door to further compromise.

Background: The Evolution of BYOVD Attacks

BYOVD Tactics: Turning Trusted Tools into Weapons

The term BYOVD (Bring Your Own Vulnerable Driver) encapsulates a growing trend in cyberattacks where threat actors utilize legitimate, signed Windows drivers with known security flaws to escalate privileges and execute malicious code. Unlike traditional malware that directly exploits unpatched vulnerabilities in operating systems or applications, BYOVD attacks start with a trusted digital signature. This grants attackers immediate credibility, lowering the barriers for malware execution on even the most hardened devices.

Intel’s rwdrv.sys in the Crosshairs

Historically, security experts have issued warnings about drivers offering advanced hardware access, as these often lack the stringent security controls demanded in today’s threat landscape. The Intel rwdrv.sys, designed for safe CPU tuning and monitoring, exposes sensitive capabilities when loaded—privileges that are now being hijacked by ransomware operators.

Anatomy of the Attack: How the Akira Ransomware Disarms Microsoft Defender

Step 1: Legitimate Driver Becomes an Entry Point

Attackers first introduce the Intel rwdrv.sys onto the target system, typically using social engineering, phishing, or the compromise of trusted download sources. What makes this step especially insidious is that rwdrv.sys is a genuine, digitally signed driver, often delivered as part of well-known utilities like ThrottleStop. End users, IT professionals, and even automated security systems may see nothing amiss in its presence.

Step 2: Gaining Kernel-Level Privileges

Windows’ architecture allows signed drivers to operate with kernel-level privileges. This means they have broad authority over core system processes, hardware, and security protocols. Threat actors exploit this by registering rwdrv.sys as a service, granting themselves deep access.

Step 3: Loading a Malicious Payload

With kernel-level access secured, attackers use rwdrv.sys to load a second, malicious driver—hlpdrv.sys. While the first driver is legitimate, the second is custom-crafted for exploitation. Its specific purpose: sabotage Microsoft Defender.

Step 4: Disabling Antivirus Protections Via Registry Manipulation

The final stage sees hlpdrv.sys executing regedit.exe and altering critical Registry settings—notably, the DisableAntiSpyware value under Windows Defender configurations. This surgical move deactivates Microsoft Defender silently and without user interaction. The system, now unprotected, becomes a playground for ransomware and data exfiltration tools.

Why This Attack Is a Game-Changer for Windows Security

Bypassing Traditional Defenses

Legacy antivirus and endpoint protection tools primarily focus on identifying malicious code, unusual behavior, or known attack signatures. However, when attacks leverage trusted components—like a signed Intel driver—many of these defenses are circumvented. The result is a stealthy compromise that, until recently, slipped beneath most organizations’ radar.

Undermining Zero Trust Assumptions

The Zero Trust security philosophy presumes no implicit trust for anything running inside an environment—even “trusted” drivers and software. Yet, reality often lags behind theory. Most businesses rely on vendor digital signatures and software reputation for their allow-lists. This attack highlights an uncomfortable truth: trust can be exploited as a vulnerability if not constantly reassessed.

Technical Deep Dive: Indicators and Mitigations

YARA Rules and Indicators of Compromise

In response to the discovery, security researchers at GuidePoint Security released comprehensive YARA rules, indicators of compromise (IoCs), suspicious service names, and file paths. These resources enable detection teams to hunt for attack signs—such as unauthorized installation or execution of rwdrv.sys and related payloads—across enterprise networks.

Defensive Recommendations

Security professionals are urged to:
  • Vigilantly monitor for Akira ransomware markers and unusual driver activity
  • Block or restrict drivers with a history of vulnerabilities, even if signed
  • Regularly review and tighten endpoint allow-lists and driver approval policies
  • Practice principle of least privilege for all administrative actions involving drivers
  • Track and block known malicious file hashes via enterprise security solutions
Most critically, the risk of accidental infection is magnified by the proliferation of spoofed websites and malicious download sources. Acquiring software and drivers only from official vendor portals is more important than ever.
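The recommendations above (monitor for unusual driver activity, audit signed drivers, track known-bad hashes) and the registry tampering described in Step 4 can be turned into a single host check. The script below is an added example written for this page; it is not the article's own material and not GuidePoint Security's published rules. It assumes only the two driver names the article gives (rwdrv.sys and hlpdrv.sys) and the standard Windows locations of the DisableAntiSpyware value; it reports findings rather than matching any particular hash, since the article does not list hashes.

```powershell
# Added hunting script (example only; not from the article or from GuidePoint's rule set).
# Checks a Windows host for the three artefacts the article describes:
#   1. a kernel driver service whose image path references rwdrv.sys or hlpdrv.sys
#   2. the DisableAntiSpyware registry value set to 1 (Defender disabled by policy)
#   3. those driver files on disk, hashed so they can be compared with published IoCs
# Run in an elevated PowerShell session; no extra modules are needed.

$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')   # names taken from the article
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Driver services pointing at the suspect binaries. BYOVD loaders register the
#    driver as a service (article, Step 2), so the driver table is the first stop.
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName
    foreach ($name in $suspectDrivers) {
        if ($path -and $path -like "*$name*") {
            $findings.Add("Driver service '$($_.Name)' ($($_.State)) loads $path")
        }
    }
}

# 2. Defender policy tampering. These are the documented locations of the
#    DisableAntiSpyware value; a value of 1 turns Microsoft Defender off.
$defenderKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender'
)
foreach ($key in $defenderKeys) {
    $value = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($value -and $value.DisableAntiSpyware -eq 1) {
        $findings.Add("DisableAntiSpyware=1 under $key (Defender disabled by policy)")
    }
}

# 3. Driver files on disk. The search roots are an assumption: the system driver
#    directory plus the temp paths where dropped drivers are commonly staged.
$searchRoots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", "$env:TEMP")
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Include $suspectDrivers -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add("File $($_.FullName) SHA256=$hash")
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No rwdrv.sys/hlpdrv.sys artefacts or Defender policy tampering found.'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A hit on rwdrv.sys alone is not proof of compromise: the article notes it ships with ThrottleStop, so a workstation whose owner installed that utility will legitimately have it. The combination that matters for triage is the legitimate driver registered as a service together with hlpdrv.sys or a DisableAntiSpyware=1 value, which is why the script reports all three classes of finding side by side rather than alerting on the first.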

The Broader Trend: Bring Your Own Vulnerable Driver (BYOVD) Risk Analysis

Why Drivers Remain an Achilles’ Heel

Windows’ open driver model is a double-edged sword. While it supports vast hardware compatibility and user customization, it also introduces an enormous attack surface. Older or poorly maintained drivers frequently lack contemporary security controls, such as strict access management and attack surface reduction techniques.
A recent uptick in BYOVD attacks demonstrates cybercriminals’ deep technical knowledge and adaptability. Ransomware like Akira is just one operator in a thriving ecosystem; other malware groups have also adopted similar tactics, using both public and clandestinely traded vulnerable drivers.

Past Examples Prove a Consistent Pattern

The abuse isn’t unique to rwdrv.sys. Previously, legitimate drivers from vendors like Gigabyte, ASUS, and even Microsoft have been hijacked for similar ends. Each incident underscores the urgency for vendors to audit, patch, or revoke problematic drivers—and for organizations to update deployment standards accordingly.

Strengths and Limitations of Microsoft’s Response

Rapid Detection and Community-Driven Intelligence

Microsoft and partner researchers responded quickly to the Akira discovery, providing mitigations and updates to security databases. The incident also demonstrates the value of community intelligence sharing, as organizations like GuidePoint Security contributed actionable rules and IoCs for global defense.

Limitations of Current Antivirus Paradigms

Despite a speedy fix, fundamental limitations remain:
  • Digital signatures are meant to guarantee authenticity, not security. Their misuse can grant attackers a free pass.
  • Drivers that grant unrestricted kernel access pose an ongoing structural risk.
  • Heuristic and signature-based detections often fail against abuses of trusted tools.
Aggressive patching, application whitelisting, hardware-based credential protections, and measured driver revocation must become baseline strategies—especially as BYOVD-style attacks accelerate.

User Safety: What Home and Professional Users Should Do

For Home Users

  • Never download drivers or utilities from unofficial or mirror sites
  • Regularly update Windows and run vulnerability scans
  • Manually inspect installed drivers if unusual system behavior occurs
  • Create regular data backups, stored offline where possible

For Enterprise IT Teams

  • Strictly control driver installation privileges
  • Audit all installed, signed drivers at regular intervals
  • Deploy security solutions that specifically monitor for driver abuse and BYOVD indicators
  • Educate staff about the dangers of seemingly “benign” system utilities and the risks of social engineering

The Future of Driver Security on Windows

Industry Shifts Toward Stronger Isolation

Microsoft has been steadily enhancing kernel-mode code integrity (KMCI) and introducing security technologies like Driver Blocklist and hypervisor-enforced code integrity (HVCI). These seek to limit what drivers can do and which can even be loaded—particularly on Windows 11.
While these changes require modern hardware and awareness from IT departments to deploy, they represent tangible progress. Vendors like Intel also need to increase investment in regular security reviews, revocation of legacy drivers, and transparent patching disclosure.
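Whether a given host actually benefits from the mitigations named above (HVCI and the Microsoft vulnerable driver blocklist) is something an IT team can verify rather than assume. The posture check below is an added example written for this page, not Microsoft's tooling or anything from the article. It relies on the built-in Win32_DeviceGuard WMI class and the documented VulnerableDriverBlocklistEnable value under the Code Integrity configuration key; the function name Get-DriverHardeningPosture is this example's own.

```powershell
# Added posture check (example only; not from the article or from Microsoft).
# Reports whether the host runs hypervisor-enforced code integrity (HVCI),
# enforces a code integrity policy, and has the vulnerable driver blocklist on.
# Run elevated; uses only the built-in DeviceGuard WMI class and the
# documented Code Integrity registry value.

function Get-DriverHardeningPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # (values per the Win32_DeviceGuard documentation).
    $hvciRunning = $dg -and ($dg.SecurityServicesRunning -contains 2)

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced.
    $ciEnforced = $dg -and ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # The vulnerable driver blocklist is controlled by this documented DWORD.
    # Recent Windows 11 builds with HVCI enable it by default; on older hosts
    # the value may be absent, which this check treats as "not enabled".
    $ciConfig = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                                 -ErrorAction SilentlyContinue
    $blocklistOn = $ciConfig -and ($ciConfig.VulnerableDriverBlocklistEnable -eq 1)

    [pscustomobject]@{
        HvciRunning               = [bool]$hvciRunning
        CodeIntegrityEnforced     = [bool]$ciEnforced
        VulnerableDriverBlocklist = [bool]$blocklistOn
    }
}

$posture = Get-DriverHardeningPosture
$posture | Format-List

# Translate the posture into the gaps a defender would follow up on.
if (-not $posture.HvciRunning) {
    Write-Warning 'HVCI is not running: a signed-but-vulnerable driver still gets unrestricted kernel access once loaded.'
}
if (-not $posture.VulnerableDriverBlocklist) {
    Write-Warning 'Vulnerable driver blocklist is not enabled: known-bad signed drivers are not refused at load time.'
}
```

The two warnings map directly onto the article's point: a digital signature proves origin, not safety, so the load-time controls (blocklist) and the runtime containment (HVCI) are what actually stand between a signed-but-flawed driver and the kernel. The blocklist can be switched on from Windows Security under Core isolation, or by setting the same VulnerableDriverBlocklistEnable value to 1 and rebooting; HVCI requires hardware virtualization support, which is the "modern hardware" caveat the article raises.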

The Ongoing Cat-and-Mouse Game

Attackers will continuously search for and exploit weak links, including hardware-level interfaces. However, as collaboration between vendors, software developers, and the security community improves, defenders are better equipped to spot and neutralize threats quickly.
Ransomware’s use of BYOVD tactics is a clarion call: system trust must be constantly earned—not assumed. Without proactive security hardening and user vigilance, even the best-built defenses can be circumvented by the very tools meant to empower users.

Conclusion: Staying Ahead of Evolving Threats

This latest campaign exploiting Intel’s rwdrv.sys to disable Microsoft Defender on Windows 11 marks a new chapter in the arms race between cybercriminals and defenders. By subverting genuine system tools, attackers bypass long-standing protection mechanisms and put users—and entire enterprises—at risk. Yet, with swift action, vigilant monitoring, and a renewed focus on the software supply chain, organizations and individuals can remain a step ahead. The key takeaway: in a world where trust is easily abused, the only real security is relentless scrutiny and the agility to respond to new threats as they emerge.

Source: Tom's Guide Hackers are abusing this Intel tool to disable Windows 11's built-in antivirus — don't fall for this