A potent ransomware campaign has turned a trusted Intel CPU tuning driver into a weapon, allowing attackers to evade Windows 11's built-in defenses by disabling Microsoft Defender with surgical precision. The Akira ransomware group, already notorious for aggressive targeting of enterprises, has been caught leveraging the legitimate Intel rwdrv.sys driver—commonly bundled with the ThrottleStop undervolting utility—to gain kernel-level access. From there, attackers load a secondary, malicious driver that silently alters critical Registry settings, effectively neutering the operating system’s antivirus protections without any user interaction.

Security researchers at GuidePoint Security first flagged the attack pattern, which represents a sophisticated escalation of Bring Your Own Vulnerable Driver (BYOVD) tactics. While BYOVD attacks have been documented for years, this specific campaign underscores how even well-intentioned hardware tuning tools can become a stealthy entry point for catastrophic breaches. The incident has triggered urgent calls for enterprises and home users alike to re-examine driver trust models and bolster detection capabilities.

The Anatomy of a BYOVD Attack: How Legitimate Drivers Turn Malicious

The term BYOVD—Bring Your Own Vulnerable Driver—describes an attack technique where threat actors exploit a digitally signed, seemingly benign driver with known security flaws to elevate privileges and execute malicious code. Unlike conventional malware that must bypass antivirus detection from scratch, a signed driver inherits the trust of the operating system, often bypassing security checks entirely. This immediately grants the attacker high-level access to kernel memory, hardware, and critical system processes.

Intel’s rwdrv.sys is a genuine kernel-mode driver designed to provide direct hardware access for CPU tuning, voltage adjustments, and real-time monitoring. Tools like ThrottleStop have relied on rwdrv.sys for years, making it a common component on performance enthusiasts’ and IT administrators’ systems. However, the same capabilities that allow deep hardware interaction also create a dangerous attack surface if misused.

GuidePoint Security’s investigation reveals that the Akira operators first deliver rwdrv.sys onto a target machine, often through phishing, compromised download sites, or social engineering. Because the driver carries a valid digital signature, neither Microsoft Defender nor typical application allow-lists flag it as suspicious. Once installed, the driver is registered as a Windows service, giving the attackers kernel-level privileges capable of overriding most security software.

Step-by-Step: How Akira Ransomware Disarms Microsoft Defender

The attack proceeds in four distinct stages, each designed to avoid triggering traditional defenses:

Step 1: Delivery of the Legitimate Driver. Attackers introduce rwdrv.sys through a carefully crafted lure. In many cases, the victim is deceived into downloading a spoofed version of ThrottleStop or a similar utility from a fake website. Because the driver itself is clean, antivirus scans show no threat.

Step 2: Service Registration and Kernel Privilege Escalation. With minimal user interaction, or through automated scripts, the attackers register rwdrv.sys as an active service. Windows allows signed drivers to operate at ring 0, granting unrestricted access to memory and hardware. This step is critical: once privileges are escalated, the attacker can execute arbitrary code with the highest possible privileges.

Step 3: Loading a Malicious Secondary Driver. With kernel access secured, the threat actor loads a second driver named hlpdrv.sys. Unlike the Intel driver, hlpdrv.sys is custom malware, purpose-built to manipulate Windows Defender’s configuration. The malicious driver is not signed with a valid certificate, but because it is loaded by a trusted, signed driver already running at kernel level, Windows does not block its execution.

Step 4: Registry Tampering to Disable Antivirus. The hlpdrv.sys driver then invokes regedit.exe, the legitimate Windows Registry Editor, to modify critical Defender settings. Specifically, it sets the DisableAntiSpyware value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender to 1. This change immediately deactivates Microsoft Defender’s real-time protection, behavioral analysis, and antimalware scanning—all without triggering an alert or requiring a system reboot.

With Defender neutralized, the Akira ransomware can encrypt files, exfiltrate data, and spread laterally across the network unopposed. The entire process, from initial driver delivery to complete antivirus shutdown, can take mere seconds.

Why This Attack Bypasses Traditional Endpoint Security

Conventional antivirus tools rely heavily on signature matching, heuristic analysis, and behavioral detection. But when an attacker uses a legitimate, signed driver as the entry vector, none of these common methods raise red flags. The driver’s digital certificate is valid, its hash is known and whitelisted, and its core functionality—hardware access—appears normal in isolation.

Moreover, the registry modification is executed by regedit.exe, which is itself a trusted Microsoft binary. Endpoint detection and response (EDR) solutions might not flag such an action if the process chain appears legitimate: a signed driver spawning a trusted system tool. The attack exemplifies a growing trend known as “living-off-the-land,” where adversaries use built-in tools to hide their activity.

The Zero Trust security model theoretically assumes no implicit trust for any component, but in practice, most organizations still rely on digital signatures as a proxy for safety. This incident exposes the limitations of that approach when drivers with known vulnerabilities remain in circulation. Intel has not revoked the rwdrv.sys certificate, and the driver continues to be widely available, making it a persistent threat vector.

Technical Indicators of Compromise and Defensive Measures

GuidePoint Security published a comprehensive set of detection tools shortly after discovering the campaign. These include YARA rules that hunt for the specific combination of rwdrv.sys and hlpdrv.sys signatures in memory, as well as service names and file paths commonly abused by the attackers.

Key indicators to watch for include:
- The presence of rwdrv.sys in unexpected directories (e.g., temporary folders or user profiles rather than the standard driver store).
- Registry modifications to the DisableAntiSpyware key outside of managed policy updates.
- Unusual regedit.exe execution chains where the parent process is a kernel driver service.
- Outbound network connections to known Akira command-and-control servers following a driver installation event.
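The indicators above can be turned into a first-pass detection over endpoint telemetry. The following PowerShell is an added example and is not GuidePoint Security's published rule set or code from this article; it assumes Sysmon-style event fields (EventId, ImageLoaded, Image, ParentImage, TargetObject, Details), and the driver-store directories and interactive-parent list are assumptions you would tune for your estate. The sample events at the bottom are constructed, not real telemetry.

```powershell
# Added example (not GuidePoint Security's published rules, nor code from the article):
# a detection pass over Sysmon-style events for the indicators listed above.
#   EventId 6  (DriverLoad)    -> rwdrv.sys / hlpdrv.sys loaded from an unexpected path
#   EventId 1  (ProcessCreate) -> regedit.exe spawned by a non-interactive parent
#   EventId 13 (RegistryEvent) -> Defender's DisableAntiSpyware policy value set to 1
# Field names follow Sysmon's schema; the directory and parent allow-lists are assumptions.

$ExpectedDriverDirs = @('C:\Windows\System32\drivers', 'C:\Windows\System32\DriverStore')
$InteractiveParents = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'windowsterminal.exe')

function Test-UnderDirectory {
    param([string]$Path, [string[]]$Directories)
    foreach ($dir in $Directories) {
        if ($Path.StartsWith($dir.TrimEnd('\') + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Find-ByovdIndicator {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        switch ([int]$e.EventId) {
            6 {
                $leaf = Split-Path -Leaf $e.ImageLoaded
                if ($leaf -ieq 'hlpdrv.sys') {
                    [pscustomobject]@{ Rule = 'Helper driver named in the campaign loaded'; Severity = 'High'; Evidence = $e.ImageLoaded }
                } elseif ($leaf -ieq 'rwdrv.sys' -and -not (Test-UnderDirectory $e.ImageLoaded $ExpectedDriverDirs)) {
                    [pscustomobject]@{ Rule = 'rwdrv.sys loaded outside the driver store'; Severity = 'High'; Evidence = $e.ImageLoaded }
                }
            }
            1 {
                if ((Split-Path -Leaf $e.Image) -ieq 'regedit.exe' -and
                    (Split-Path -Leaf $e.ParentImage) -notin $InteractiveParents) {
                    [pscustomobject]@{ Rule = 'regedit.exe with non-interactive parent'; Severity = 'Medium'; Evidence = "$($e.ParentImage) -> $($e.Image)" }
                }
            }
            13 {
                if ($e.TargetObject -like '*\Policies\Microsoft\Windows Defender\DisableAntiSpyware' -and
                    $e.Details -match '\(0x0*1\)') {
                    # Group Policy processing (svchost.exe hosting gpsvc) can legitimately write this value,
                    # so that case is rated Medium and should be reconciled against change records;
                    # any other writer is treated as tampering. Assumption: no other management agent writes it.
                    $sev = if ((Split-Path -Leaf $e.Image) -ieq 'svchost.exe') { 'Medium' } else { 'High' }
                    [pscustomobject]@{ Rule = 'DisableAntiSpyware set to 1'; Severity = $sev; Evidence = "$($e.Image) wrote $($e.Details)" }
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry) covering benign and suspicious cases.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 6;  ImageLoaded = 'C:\Windows\System32\drivers\rwdrv.sys' }                               # benign
    [pscustomobject]@{ EventId = 6;  ImageLoaded = 'C:\Users\alice\AppData\Local\Temp\rwdrv.sys' }                         # suspicious
    [pscustomobject]@{ EventId = 6;  ImageLoaded = 'C:\ProgramData\hlpdrv.sys' }                                            # suspicious
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\regedit.exe'; ParentImage = 'C:\Windows\explorer.exe' }           # benign
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\regedit.exe'; ParentImage = 'C:\Windows\System32\services.exe' }  # suspicious
    [pscustomobject]@{ EventId = 13; Image = 'C:\Windows\regedit.exe';          TargetObject = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'; Details = 'DWORD (0x00000001)' }
    [pscustomobject]@{ EventId = 13; Image = 'C:\Windows\System32\svchost.exe'; TargetObject = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'; Details = 'DWORD (0x00000001)' }
)

Find-ByovdIndicator -Events $SampleEvents | Format-Table -AutoSize
```

Against the sample set this yields five findings: the two driver loads outside the store, the service-spawned regedit.exe, and both registry writes (the svchost.exe one at Medium). To run it over live data, map the fields out of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` into the same property names; the rules deliberately rate the registry write on its own, because a driver load followed by this write within seconds is the sequence the article describes and is worth correlating in the SIEM rather than in a single-host script.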

For immediate hardening, security teams should:
- Block or strictly control the loading of rwdrv.sys and other drivers known to be exploited in BYOVD attacks. Windows Defender Application Control (WDAC) can enforce block rules for specific file hashes or certificate thumbprints.
- Enable Attack Surface Reduction (ASR) rules that block abuse of legitimate utilities like regedit.exe from remote or unsigned processes.
- Deploy Microsoft’s recommended driver blocklist (enabled by default in Windows 11) and consider hypervisor-protected code integrity (HVCI) to prevent unsigned driver loading.
- Monitor for abnormal service creation, especially those referencing drivers commonly installed by third-party tuning tools.
- Ensure that tamper protection for Microsoft Defender is enabled; while the attacker modifies Registry settings, tamper protection may still block such changes if properly configured.
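As an added example (not from the article, GuidePoint Security, or Microsoft documentation verbatim), the PowerShell below reads the posture items in the list above from a host and offers an opt-in function for the settings PowerShell can change. Assumptions: the ASR rule GUID is Microsoft's published identifier for "Block abuse of exploited vulnerable signed drivers" and should be verified against the current ASR rule reference before deployment; the two registry locations are the documented switches for HVCI and the vulnerable-driver blocklist; and the Defender cmdlets run from an elevated session.

```powershell
# Added example (not from the article, GuidePoint Security, or Microsoft): a read-only posture
# check for the hardening items above, plus an opt-in function that applies the settings
# PowerShell can change. Run from an elevated session on the host being checked.
# Assumptions: the ASR rule GUID below is Microsoft's published id for "Block abuse of
# exploited vulnerable signed drivers" (verify against the current ASR reference), and the
# two registry keys are the documented switches for HVCI and the vulnerable-driver blocklist.

$VulnDriverAsrRule = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$AsrActionNames    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$HvciKey           = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$BlocklistKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-RegValueOrDefault {
    param([string]$Key, [string]$Name, $Default = 'not set')
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $Default }
}

function Get-ByovdPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Where does the ASR rule for vulnerable signed drivers stand? Ids and Actions are parallel arrays.
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $asr = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $VulnDriverAsrRule) {
            $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            $asr  = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "code $code" }
        }
    }

    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2

    # Driver services whose binary is one of the drivers named in the campaign.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.PathName -match '(?i)\\(rwdrv|hlpdrv)\.sys' }

    [pscustomobject]@{
        TamperProtection         = $status.IsTamperProtected
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        DisableAntiSpywarePolicy = Get-RegValueOrDefault 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
        VulnDriverAsrRule        = $asr
        HvciRunning              = $hvciRunning
        DriverBlocklistEnabled   = Get-RegValueOrDefault $BlocklistKey 'VulnerableDriverBlocklistEnable'
        TuningDriverServices     = (@($svc | ForEach-Object { "$($_.Name) [$($_.State)] $($_.PathName)" }) -join '; ')
    }
}

function Enable-ByovdHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Microsoft Defender', 'Enforce vulnerable-driver ASR rule and real-time protection')) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $VulnDriverAsrRule -AttackSurfaceReductionRules_Actions Enabled
        Set-MpPreference -DisableRealtimeMonitoring $false
    }
    if ($PSCmdlet.ShouldProcess('HVCI and driver blocklist', 'Set registry switches (effective after reboot)')) {
        New-Item -Path $HvciKey -Force | Out-Null
        Set-ItemProperty -Path $HvciKey -Name Enabled -Type DWord -Value 1
        Set-ItemProperty -Path $BlocklistKey -Name VulnerableDriverBlocklistEnable -Type DWord -Value 1
    }
    # Tamper protection itself cannot be switched on from PowerShell; enable it in Windows Security or via MDM.
}

Get-ByovdPosture | Format-List
```

`Get-ByovdPosture` changes nothing and is safe to run fleet-wide; a `DisableAntiSpywarePolicy` of 1 on a host where no policy sets it, or `TamperProtection` reading False, is exactly the state the campaign leaves behind. `Enable-ByovdHardening -WhatIf` previews the changes; run it without `-WhatIf` only after confirming HVCI compatibility with the host's drivers, since the registry switch takes effect on the next reboot.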

The Bigger Picture: BYOVD Attacks on the Rise

The Akira incident is far from isolated. Over the past 18 months, researchers have documented a dramatic increase in BYOVD-based attacks, with threat actors abusing legitimate drivers from Gigabyte, ASUS, MSI, and even Microsoft itself. In each case, the goal is the same: leverage a signed driver to disable security products, terminate protected processes, or load rootkits.

What makes rwdrv.sys particularly dangerous is its association with enthusiast software. Unlike server management drivers that might only appear in data centers, ThrottleStop and similar tools are installed on a wide range of consumer and corporate laptops, especially among power users and developers. This broad installation base provides attackers with a large pool of potential targets.

The economics of BYOVD attacks also favor criminals. Instead of investing in expensive zero-day exploits, attackers can rely on known but unrevoked vulnerable drivers that are freely available. The barrier to entry is low: once a vulnerable driver is identified, weaponizing it requires moderate technical skill but produces highly reliable, repeatable results.

Microsoft’s Response and Remaining Gaps

Microsoft has implemented several platform-level defenses that mitigate BYOVD risks, particularly on Windows 11. The operating system now includes a driver blocklist that is updated via Windows Update, and features like Memory Integrity (HVCI) prevent the loading of any driver that does not meet strict code signing requirements. However, rwdrv.sys is not currently on that blocklist, likely because it is still actively maintained and used by legitimate software.

The company has also worked with partners like GuidePoint Security to distribute detection signatures through Microsoft Defender and other security solutions. Yet, the fundamental design of Windows allows a signed driver to request kernel access unless explicitly blocked. Critics argue that more aggressive certificate revocation or forced driver isolation techniques—such as always running such drivers in user mode—are needed to close this class of vulnerability permanently.

Intel has not issued a public statement regarding the abuse of rwdrv.sys, though the company has historically updated drivers to address security issues when they are responsibly disclosed. The challenge is that the vulnerability is not a bug in the driver itself but rather an abuse of its legitimate functionality. Design changes that limit hardware access from kernel mode could break compatibility with existing tools, creating a delicate balancing act for vendors.

What Should Users and IT Administrators Do Right Now?

For home users, the immediate priority is to verify the origin of any system tuning utilities. ThrottleStop and similar tools should only be downloaded from the developer’s official website or reputable repositories. If you have installed such software recently, check the driver’s file location and digital signature through Device Manager or PowerShell. Any indication of tampering warrants an immediate offline scan with an alternative antimalware tool.
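The file-location and signature check mentioned above, as an added PowerShell example that is not code from the article: it searches a set of assumed roots for copies of the drivers named in the campaign and reports each one's hash, Authenticode status and signer. The "outside driver store" test follows the indicator the article gives; a copy beside a tuning utility's own executable can still be legitimate, so the report marks such files for review rather than as malicious, and the SHA-256 is there to compare against the vendor's download or to feed a WDAC block rule.

```powershell
# Added example, not code from the article: locate copies of the drivers named in the campaign
# and report each one's location, hash and Authenticode signature. The search roots and the
# "expected location" test are assumptions; compare the hash with the vendor's download
# rather than acting on location alone.

function Get-TuningDriverReport {
    param(
        [string[]]$Names = @('rwdrv.sys', 'hlpdrv.sys'),
        [string[]]$Roots = @(
            "$env:SystemRoot\System32\drivers",
            $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:TEMP,
            "$env:SystemDrive\Users"
        )
    )
    $storeDirs = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore")
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue | ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $inStore = $false
            foreach ($d in $storeDirs) { if ($_.DirectoryName -like "$d*") { $inStore = $true } }
            # Collect the reasons a human should look at this file; an empty list means "as expected".
            $reasons = @()
            if ($sig.Status -ne 'Valid')   { $reasons += "signature $($sig.Status)" }
            if (-not $inStore)             { $reasons += 'outside driver store' }
            if ($_.Name -ieq 'hlpdrv.sys') { $reasons += 'driver named in the campaign' }
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                Verdict   = if ($reasons.Count) { 'review: ' + ($reasons -join ', ') } else { 'expected' }
            }
        }
    }
}

Get-TuningDriverReport | Format-List
```

Anything reported with `Signature` other than `Valid`, or any hlpdrv.sys at all, is the trigger the article describes for an offline scan with an alternative antimalware tool; a valid-signed rwdrv.sys under a tuning utility's install folder is expected on a machine where that utility was installed deliberately from the developer's site.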

Regular backups remain the most effective defense against ransomware. An offline, air-gapped backup cannot be encrypted by an attacker even if they successfully disable antivirus protections. Windows 11’s built-in backup tools, including File History and OneDrive ransomware detection, offer additional layers of resilience.

For enterprise IT teams, the attack highlights the urgent need to move beyond default trust models. Application control policies should whitelist only approved drivers, and all signed drivers should be audited periodically. Security operations centers (SOCs) should incorporate the YARA rules and IoCs provided by GuidePoint Security into their SIEM and EDR platforms. Proactive threat hunting for the specific service names and registry modifications described in the campaign may uncover ongoing intrusions.

Training remains essential. Employees should be reminded that even legitimate-looking software can be weaponized when delivered through unexpected channels. The social engineering aspect of these attacks—fake download pages, spear-phishing emails, and malicious search engine ads—often determines success or failure.

The Road Ahead: Hardening Windows Against Kernel-Level Threats

The security industry is moving toward stronger driver isolation, with Microsoft leading initiatives like the Windows Hardware Dev Center’s attestation signing and the introduction of driver frameworks that restrict kernel access. However, full protection requires a combination of technical controls and policy enforcement that many organizations have yet to adopt.

Hypervisor-protected Code Integrity (HVCI), for instance, is effective but incompatible with some older hardware and drivers, leading to slower adoption in certain environments. Improved driver blocklist reactivity—where newly abused drivers are quickly added and distributed—could significantly reduce the window of opportunity for attackers. There are also calls for Windows to introduce a “kernel protection mode” that sandboxes even signed drivers unless they are specifically exempted by policy.

Collaboration between silicon vendors, OEMs, and independent tool developers is critical. Intel could reevaluate whether a kernel-mode driver is strictly necessary for CPU tuning tasks, or whether a user-mode companion library with tighter access controls could provide equivalent functionality. Meanwhile, security researchers will continue to uncover and disclose driver vulnerabilities, hopefully prompting faster industry-wide remediation.

The Akira ransomware’s use of rwdrv.sys is a stark reminder that trust in the digital supply chain must be continuously verified. Until operating systems enforce stronger boundaries between legitimate kernel drivers and the security software they can override, determined attackers will keep finding ways to exploit that gap. Vigilance, layered defenses, and a healthy dose of skepticism toward every piece of installed code remain the best weapons against this evolving threat.