Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender in attacks on target machines that run security tools and EDR agents.
The abused driver is 'rwdrv.sys' (used by the ThrottleStop utility), which the threat actor registers as a service to gain kernel-level access.
That driver is then used to load a second driver, 'hlpdrv.sys', a malicious component that manipulates Windows Defender to switch off its protection.
This is a 'bring your own vulnerable driver' (BYOVD) attack: the threat actor brings a legitimate, signed driver with known flaws or weaknesses that can be abused to elevate privileges, and then uses it to load a malicious driver that neutralizes Microsoft Defender.
"The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware setting of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware," the researchers explain.
"The malware accomplishes this through the execution of regedit.exe."
This tactic was observed by GuidePoint Security, which has seen the rwdrv.sys driver abused in Akira ransomware attacks since July 15, 2025.
"We are flagging this behavior due to its omnipresence in recent Akira ransomware IR cases. This high-fidelity indicator can be used for active and retrospective threat identification," the report continues.
To help detect and block these attacks, GuidePoint Security has provided a YARA rule for hlpdrv.sys, as well as full indicators of compromise (IOCs) for both drivers, including their service names and the file paths where they are dropped.
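The following hunting script is an added example for this article; it is not GuidePoint's YARA rule or IOC list, nor code from the report. It checks a single Windows host for the two artifacts described above: a service whose image is rwdrv.sys or hlpdrv.sys, and the DisableAntiSpyware policy value under the Windows Defender key. Only the two driver file names are taken from the report; the specific service names and drop paths GuidePoint published are not reproduced here, so the script matches on the file name wherever it is registered. The Sysmon check at the end is optional and assumes Sysmon is installed with registry event logging; it is skipped when that log is absent.

```powershell
# Added hunting script (not GuidePoint's code or the article's): look for the
# BYOVD chain described above on one Windows host. Run from an elevated shell.
# Assumptions: the driver file names below are the ones the report names; the
# service names and drop paths from GuidePoint's IOC list are not hard-coded.

$DriverNames    = @('rwdrv.sys', 'hlpdrv.sys')
$DefenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$Findings       = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# Turns an event record into a name -> value table so that fields are read by
# name instead of by positional index, which differs between event sources.
function Get-EventData($Record) {
    $data = @{}
    $xml  = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. Services (kernel drivers are services too) whose ImagePath ends in either
#    file name. Walking the registry also catches a service whose driver file
#    has since been deleted from disk.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Get-ItemProperty -Name ImagePath -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($name in $DriverNames) {
            if ($_.ImagePath -like "*$name") {
                Add-Finding 'service-registered' "$($_.PSChildName) -> $($_.ImagePath)"
            }
        }
    }

# 2. Driver objects the Service Control Manager currently knows, with state,
#    so a loaded (Running) driver stands out from a merely registered one.
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    foreach ($name in $DriverNames) {
        if ($_.PathName -like "*$name") {
            Add-Finding 'driver-object' "$($_.Name) state=$($_.State) path=$($_.PathName)"
        }
    }
}

# 3. The policy value hlpdrv.sys is reported to write. A value of 1 is the
#    tamper result; the value being present at all is worth reviewing against
#    the GPO baseline, since the key is normally empty on an unmanaged host.
$policy = Get-ItemProperty -Path $DefenderPolicy -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($null -ne $policy) {
    Add-Finding 'defender-policy' "DisableAntiSpyware=$($policy.DisableAntiSpyware)"
}

# 4. System log event 7045 (new service installed), which survives the
#    attacker removing the service afterwards.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        foreach ($name in $DriverNames) {
            if ($d['ImagePath'] -like "*$name") {
                Add-Finding 'service-install-event' "$($_.TimeCreated) $($d['ServiceName']) -> $($d['ImagePath'])"
            }
        }
    }

# 5. Optional: Sysmon event 13 (registry value set) on the Defender policy
#    value, which also records the writing process (the report names regedit.exe).
$sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction SilentlyContinue
foreach ($ev in $sysmon) {
    $d = Get-EventData $ev
    if ($d['TargetObject'] -like '*\Policies\Microsoft\Windows Defender\DisableAntiSpyware') {
        Add-Finding 'registry-set-event' "$($ev.TimeCreated) $($d['Image']) set $($d['TargetObject']) = $($d['Details'])"
    }
}

if ($Findings.Count -eq 0) { 'No indicators found on this host.' } else { $Findings | Format-Table -AutoSize }
```

A hit on rwdrv.sys alone is expected on a machine whose owner legitimately runs ThrottleStop, so treat a driver match as a lead and weigh it together with any hlpdrv.sys and Defender-policy findings; a DisableAntiSpyware value that matches a documented GPO baseline is likewise not a finding. On hosts with Tamper Protection enabled, Defender may ignore this policy value, but the write itself remains the indicator, which is why the event-log checks are included alongside the current-state checks.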
Akira attacks on SonicWall SSL VPN
Akira ransomware was recently linked to attacks on SonicWall VPN devices that are suspected of exploiting an unknown flaw.
GuidePoint Security says it can neither confirm nor dispute the exploitation of a zero-day vulnerability in SonicWall VPNs by Akira ransomware operators.
In response to reports of heightened attacker activity, SonicWall advised disabling or restricting SSL VPN, enforcing multi-factor authentication (MFA), enabling Botnet/Geo-IP protection, and removing unused accounts.
Meanwhile, the DFIR Report recently published an analysis of Akira ransomware attacks that highlights the use of the Bumblebee malware loader, delivered through trojanized MSI installers of IT software tools.
One example involved a search for "ManageEngine OpManager" on Bing, where SEO poisoning redirected the victim to the malicious site opmanager(.)pro.
Source: DFIR Report
Bumblebee is launched via DLL sideloading, and once C2 communication is established, it drops AdaptixC2 for persistent access.
The attackers then perform internal reconnaissance, create privileged accounts, and exfiltrate data using FileZilla, while maintaining access through RustDesk and SSH tunnels.
After about 44 hours, the main Akira ransomware payload is deployed to encrypt systems across the domain.
System administrators should monitor for activity associated with Akira and apply filters and blocks as indicators emerge from security research, until the SonicWall VPN situation is clarified.
It is also strongly advised to download software only from official sites and mirrors, as trojanized copies have become a common source of malware infections.