Akira Ransomware’s New Evasion Tactic: Misusing Intel Driver to Bypass Microsoft Defender
Cybercriminals behind the notorious Akira ransomware have adopted a new and highly effective tactic to stay under the radar: abusing a legitimate Intel CPU tuning tool to disable Microsoft Defender and bypass endpoint security systems. This clever use of a trusted driver highlights how attackers are weaponizing legitimate tools to avoid detection.
The Tool of Choice: ‘rwdrv.sys’
The driver in question is rwdrv.sys, a signed Intel driver used by the popular ThrottleStop CPU performance tool. Threat actors install this driver as a service, which gives them kernel-level access to the operating system. With this privileged access, the attackers then load a second, malicious driver, hlpdrv.sys.
Disabling Defender from the Inside
This second driver directly modifies registry settings to turn off Windows Defender. Specifically, it targets the DisableAntiSpyware registry key using regedit.exe, effectively crippling the system’s native antivirus from within. This method is part of a known technique called “Bring Your Own Vulnerable Driver” (BYOVD), where attackers use signed yet flawed drivers to escalate privileges.
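The two traces described above, a kernel driver service pointing at rwdrv.sys or hlpdrv.sys and a DisableAntiSpyware value switching Defender off, can be checked on a single host with a short hunt script. The script below is an added example written for this page; it is not the article's code nor GuidePoint's published rules. It assumes the two driver file names named here are the indicators of interest, uses the standard Windows Defender policy and product registry keys for DisableAntiSpyware, and relies on Service Control Manager event ID 7045, which Windows writes whenever a new service is installed. Run it in an elevated PowerShell session and pair it with the researchers' YARA rules and IOCs for hash-level matching.

```powershell
# Added hunt script (not from the article or GuidePoint). Assumes the driver
# names rwdrv.sys and hlpdrv.sys are the indicators of interest, and that the
# DisableAntiSpyware value under the Defender policy/product keys is what the
# attackers flip. Run elevated on the host under investigation.

$SuspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')          # names taken from the article
$DriverPattern  = ($SuspectDrivers | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-SuspectDriverServices {
    # Kernel drivers loaded through the Service Control Manager appear as
    # Win32_SystemDriver instances; match on the image path (PathName).
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match $DriverPattern) } |
        Select-Object Name, State, StartMode, PathName
}

function Find-SuspectServiceInstallEvents {
    param([int]$Days = 30)
    # Event 7045 ("A service was installed in the system") records the service
    # name and image path, so it survives even if the service was later removed.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $DriverPattern } |
        Select-Object TimeCreated, Id, Message
}

function Test-DefenderDisabledByPolicy {
    # DisableAntiSpyware = 1 under the policy key turns Defender off; the same
    # value under the product key is reported too, since either is abnormal
    # on a host that is supposed to run Defender.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    )
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        if ($null -ne $v -and $v.DisableAntiSpyware -eq 1) {
            [pscustomobject]@{ Key = $k; DisableAntiSpyware = $v.DisableAntiSpyware }
        }
    }
}

function Get-DefenderLiveStatus {
    # Cross-check the registry view against what the Defender service reports.
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -ne $s) {
        [pscustomobject]@{
            AntivirusEnabled          = $s.AntivirusEnabled
            RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        }
    }
}

function Invoke-AkiraDriverHunt {
    # Collect every finding into one object so the output can be exported
    # (Export-Csv / ConvertTo-Json) or fed to a SIEM collector.
    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        SuspectDriverService = @(Find-SuspectDriverServices)
        ServiceInstallEvents = @(Find-SuspectServiceInstallEvents -Days 30)
        DefenderDisabledKeys = @(Test-DefenderDisabledByPolicy)
        DefenderLiveStatus   = Get-DefenderLiveStatus
    }
}

# Usage: print the findings; an empty SuspectDriverService/ServiceInstallEvents
# list together with no DefenderDisabledKeys entry is the expected clean result.
Invoke-AkiraDriverHunt | Format-List
```

The event-log check matters more than the live service enumeration: an operator who loads rwdrv.sys, uses it to bring up hlpdrv.sys, and then deletes both services leaves nothing in Win32_SystemDriver, but the 7045 entries remain unless the System log is cleared. Treat a DisableAntiSpyware = 1 value that no administrator or group policy put there as the high-fidelity signal the researchers describe, and pull the host for full forensic collection rather than simply flipping the value back.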
Why This Matters
Security researchers at GuidePoint Security have been tracking this activity and say it’s become a hallmark of Akira ransomware attacks since mid-July 2025. The frequency and success of these attacks make this a high-fidelity indicator for incident responders. The researchers have even released YARA rules and IOCs to help defenders detect the presence of these drivers and their service paths.
Linked SonicWall VPN Attacks Raise More Alarms
Akira’s campaign doesn’t end with the Windows registry. The ransomware group is also suspected of exploiting SonicWall SSLVPNs, possibly via a zero-day vulnerability. While unconfirmed, SonicWall has responded by urging customers to disable SSLVPN, enforce MFA, and limit access.
Akira’s Bigger Infection Chain: Bumblebee & SEO Poisoning
Akira operators have also been spotted using SEO poisoning techniques to lure users to malicious versions of legitimate IT tools like “ManageEngine OpManager.” The initial compromise is delivered using trojanized MSI installers, which drop the Bumblebee malware loader via DLL sideloading. Once inside the network, attackers conduct reconnaissance, privilege escalation, and data exfiltration, maintaining access through tools like RustDesk and SSH tunnels.
Conclusion: Stay Vigilant and Act Proactively
The Akira ransomware campaign is a perfect storm of technical sophistication, social engineering, and abuse of trust. By hijacking legitimate drivers, exploiting VPN vulnerabilities, and using malware loaders like Bumblebee, the attackers achieve deep and persistent infiltration. IT admins and cybersecurity teams must proactively monitor for Akira indicators, use updated threat detection tools, and educate users about the risks of downloading from unofficial sources. Now more than ever, layered defense and vigilance are critical to stopping ransomware in its tracks.