Hackers Exploit Legitimate Intel Drivers to Disable Windows Defender Remotely

Cybercriminals have devised a sophisticated method to deactivate Microsoft Defender remotely by abusing trusted Intel CPU drivers. Since mid-2025, this technique has been actively employed in ransomware campaigns, highlighting a growing threat to Windows security.

How Attackers Bypass Windows Security Measures

The attack leverages a legitimate Intel CPU tuning driver, rwdrv.sys, associated with performance software like ThrottleStop. Hackers load this driver onto compromised systems to gain kernel-level access, then deploy a secondary malicious driver, hlpdrv.sys. This malicious component manipulates system registry settings to disable Microsoft Defender, effectively turning off the primary defense against malware.

By disabling Defender, attackers can execute malicious activities undetected—ranging from data theft to deploying ransomware—without triggering usual security alerts. This method exploits the trust Windows places in signed drivers: once a driver is loaded it runs with kernel privileges, and a valid signature attests only to the driver's origin, not to whether it can be abused. A legitimate but exploitable driver therefore becomes a potent tool for malicious actors.
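The checks below are an added example written for this article, not code from the article or from any vendor, and they approach the technique from the defender's side: confirm whether the driver names the article associates with the campaign are registered on a host, whether Defender's policy values have been switched off in the registry, what the Defender service itself reports, and whether Microsoft's vulnerable-driver blocklist is enabled. The driver names (rwdrv, hlpdrv) come from the article; the Defender policy value names, the `Get-MpComputerStatus` cmdlet and the `VulnerableDriverBlocklistEnable` value are Microsoft's documented settings; it is assumed to run in an elevated Windows PowerShell session on the host being examined.

```powershell
# Added example (not from the article): defender-side checks for the
# signed-driver abuse pattern described above. Assumes an elevated
# PowerShell 5.1+ session on the host under examination.

# Driver names the article associates with the campaign (lower-case, no extension).
$suspectDrivers = @('rwdrv', 'hlpdrv')

function Get-SuspectDriverLoads {
    # Enumerate registered kernel drivers and flag those whose service name
    # or image file name matches the suspect list, reporting state and signer.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $n = $_.Name.ToLower()
            $p = [string]$_.PathName
            ($suspectDrivers -contains $n) -or
            ($suspectDrivers | Where-Object { $p -match "(?i)\\$_\.sys$" })
        } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix if present
            $sig  = if ($path -and (Test-Path $path)) {
                        (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
                    } else { 'file not found' }
            [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $path; Signer = $sig }
        }
}

function Get-DefenderPolicyTampering {
    # Report Defender policy values that, when set to 1, switch the engine
    # or real-time protection off. A value present and set to 1 on a host
    # that is supposed to run Defender is the tampering signal.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key      = $c.Path
            Value    = $c.Name
            Setting  = if ($null -eq $item) { 'not set' } else { $item.($c.Name) }
            Tampered = ($null -ne $item -and $item.($c.Name) -eq 1)
        }
    }
}

function Get-DefenderLiveStatus {
    # Cross-check the registry view against what the Defender service reports.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        AMServiceEnabled          = $s.AMServiceEnabled
        TamperProtectionEnabled   = $s.IsTamperProtected
    }
}

function Get-VulnerableDriverBlocklistState {
    # Microsoft's vulnerable-driver blocklist is the control that stops
    # known-abusable signed drivers from loading in the first place.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                          -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'not configured (platform default applies)' } else { $v.VulnerableDriverBlocklistEnable }
}

# Run the checks and print a short report.
'== Suspect drivers ==';        Get-SuspectDriverLoads      | Format-Table -AutoSize
'== Defender policy values =='; Get-DefenderPolicyTampering | Format-Table -AutoSize
'== Defender live status ==';   Get-DefenderLiveStatus      | Format-List
'== Vulnerable driver blocklist: ' + (Get-VulnerableDriverBlocklistState)
```

A mismatch between the two Defender views (policy values set to 1 while the service still reports protection enabled, or the reverse) is worth an investigation on its own, because the registry change typically lands before the service picks it up. On hosts with Sysmon deployed, the same driver names can be hunted historically in Event ID 6 (driver loaded) records rather than only in the current driver list.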

Broader Impact and Related Attacks

The Akira ransomware group, known for its advanced tactics, is primarily responsible for this exploitation. Besides targeting Windows systems, Akira has been linked to attacks on SonicWall VPN devices, exploiting CVE-2024-40766. Security experts recommend immediate measures: restrict VPN access, enable multi-factor authentication, and disable unused accounts to mitigate risks.

This group’s operations often involve data exfiltration, establishing covert remote access, and deploying ransomware. Increasingly, attackers are also using fake or lookalike websites to distribute malicious drivers and tools, emphasizing the importance of vigilant cybersecurity practices.

Protecting Your Systems from Advanced Threats

To counteract these sophisticated attacks, cybersecurity professionals advise maintaining updated systems and deploying comprehensive antivirus solutions. Real-time protection, kernel monitoring, and regular software updates are essential to defend against exploitation of trusted drivers.

Users should avoid clicking on suspicious links or downloading files from unverified sources. Using reputable browsers with security features like Safe Browsing, and refraining from executing unknown scripts or commands, are simple yet effective measures to prevent infection.

Official Resources and Recommendations

For ongoing updates and detection tools, consult resources such as the official Microsoft Security Blog and trusted cybersecurity advisories. Regularly updating your operating system, browsers, and applications closes security gaps that malware could exploit.

Enabling two-factor authentication adds an extra security layer, making unauthorized access more difficult. Additionally, considering data removal services can help protect your privacy by removing personal information from online platforms, reducing targeted attacks based on leaked data.

While the threat of driver abuse remains significant, staying vigilant and implementing layered security measures are your best defenses against these evolving cyber threats. For more expert advice and the latest cybersecurity news, visit trusted sources like the official Microsoft Security Documentation.

Ethan Cole

I'm Ethan Cole, a tech journalist with a passion for uncovering the stories behind innovation. I write about emerging technologies, startups, and the digital trends shaping our future. Read me on x.com