Incident flow | Image: Kaspersky Labs
A recent incident response engagement in Brazil has revealed a stealthy and destructive threat that abuses a legitimately signed Windows kernel driver. In its latest analysis, Kaspersky Labs describes an AV killer that loads the ThrottleStop.sys driver to disable antivirus defenses and pave the way for ransomware, in this case MedusaLocker.
“We spotted intriguing new antivirus (AV) killer software that has been circulating in the wild since at least October 2024… as part of a technique known as BYOVD (Bring Your Own Vulnerable Driver),” the report states.
At the heart of this AV killer operation lies ThrottleStop.sys, a driver shipped with the legitimate application ThrottleStop, developed by TechPowerUp to work around CPU throttling.
Attackers repurposed the signed driver (SHA-256: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0) to read and write kernel memory from user mode, bypassing kernel-mode protections. Kaspersky has since tracked the flaw under the identifier CVE-2025-7771.
“The driver exposes two vulnerable IOCTL functions: one that allows reading from memory and another that allows writing to it… which constitutes the core vulnerability.”
The operation starts with the attacker logging in over RDP with valid credentials, often on an SMTP server, harvesting further credentials with Mimikatz, and then moving laterally with pass-the-hash via Invoke-WMIExec.ps1 and Invoke-SMBExec.ps1.
“An interesting detail is that the attacker did not want to create the same username on every machine… they chose to add a sequential number to the end of each username (e.g., User1, User2…).”
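The sequential-username pattern described above is easy to hunt for once account-creation events from several hosts are in one place. The following detector is an added example written for this article, not code from Kaspersky or from the attacker's tooling; the record layout (Windows Security event 4720 reduced to host, event ID and new account name) and the sample records are constructed assumptions.

```python
"""Added example: flag runs of consecutively numbered usernames created across
several hosts, the naming pattern the article describes (User1, User2, ...).
Record layout and sample data are assumptions made for this example."""

import re
from collections import defaultdict

# Constructed sample of Windows Security 4720 (account created) records plus one
# unrelated 4624 (logon) record. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "SMTP01", "event_id": 4720, "target_user": "User1"},
    {"host": "FS01",   "event_id": 4720, "target_user": "User2"},
    {"host": "DC01",   "event_id": 4720, "target_user": "User3"},
    {"host": "WS07",   "event_id": 4720, "target_user": "User4"},
    {"host": "WS07",   "event_id": 4720, "target_user": "backup_svc"},
    {"host": "FS01",   "event_id": 4624, "target_user": "User2"},   # logon, not a creation
    {"host": "HR02",   "event_id": 4720, "target_user": "jdoe2"},
]

# alphabetic prefix + trailing integer, e.g. "User12" -> ("User", "12")
_SEQ = re.compile(r"^(?P<base>[A-Za-z_][A-Za-z_]*?)(?P<num>\d+)$")


def find_sequential_accounts(events, min_run=3):
    """Group 4720 creations by the alphabetic prefix of the new username and
    report prefixes whose numeric suffixes contain a run of at least `min_run`
    consecutive integers spread over more than one host.

    Returns {prefix_lowercase: [(number, host), ...]} sorted by number."""
    by_base = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 4720:
            continue
        m = _SEQ.match(ev["target_user"])
        if not m:
            continue
        by_base[m["base"].lower()].append((int(m["num"]), ev["host"]))

    hits = {}
    for base, items in by_base.items():
        items.sort()
        nums = [n for n, _ in items]
        hosts = {h for _, h in items}
        # length of the longest run of consecutive numbers (duplicates break a run)
        longest = run = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= min_run and len(hosts) > 1:
            hits[base] = items
    return hits


if __name__ == "__main__":
    for base, items in find_sequential_accounts(SAMPLE_EVENTS).items():
        print(f"sequential accounts with prefix '{base}':", items)
```

The host-spread condition matters: a single administrator creating lab accounts on one machine is normal, whereas the same numbered series appearing on several hosts in one engagement is what the report describes.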
Once inside, the attacker deploys two artifacts:
- ThrottleBlood.sys – the vulnerable ThrottleStop.sys driver under a new file name
- All.exe – the actual AV killer tool
These were initially dropped into user directories such as C:\Users\Administrator\Music and later copied to other endpoints.
Using Win32 DeviceIoControl calls, the malware drives the driver's read and write IOCTLs to:
- map physical memory into its own address space through MmMapIoSpace
- locate NtAddAtom, a rarely used system call, in kernel memory and overwrite its body
- run kernel-mode shellcode by invoking the patched NtAddAtom from user mode, which is how it kills AV processes
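Because the abused driver is validly signed, the practical detection is the file itself: its SHA-256 (published above) in driver-load telemetry, regardless of what the attacker renamed it to. The following detector is an added example for this article, not code from Kaspersky; it parses constructed Sysmon Event ID 6 (DriverLoad) lines in a key=value layout that is an assumption for the example, and the sample lines are made up.

```python
"""Added example: flag loads of the abused ThrottleStop.sys build in Sysmon
EID 6 telemetry by SHA-256, noting renames and user-writable load paths.
The key=value log layout and the sample lines are constructed assumptions."""

import re

# SHA-256 of the abused ThrottleStop.sys build, as published in the article.
THROTTLESTOP_SHA256 = "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0"

# Constructed Sysmon-style lines (EID 6 = DriverLoad, EID 7 = ImageLoad). Not real logs.
SAMPLE_DRIVER_LOADS = """
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000001 Signed=true
EventID=6 ImageLoaded=C:\\Users\\Administrator\\Music\\ThrottleBlood.sys Hashes=MD5=00000000000000000000000000000000,SHA256=16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0 Signed=true
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ThrottleStop.sys Hashes=SHA256=16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 Signed=true
EventID=7 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Hashes=SHA256=16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 Signed=true
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_USER_PROFILE = re.compile(r"^c:\\users\\", re.IGNORECASE)


def parse_line(line):
    """Split a key=value line into a dict (values may be double-quoted)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def sha256_of(fields):
    """Pull the SHA256 digest out of Sysmon's 'ALGO=digest,ALGO=digest' field."""
    for part in fields.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256":
            return digest.lower()
    return None


def detect_vulnerable_driver(log_text):
    """Return one alert per EID 6 record whose SHA-256 matches the abused build."""
    alerts = []
    for line in log_text.strip().splitlines():
        f = parse_line(line)
        if f.get("EventID") != "6":           # only driver loads, not DLL loads
            continue
        if sha256_of(f) != THROTTLESTOP_SHA256:
            continue
        path = f.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1]
        reasons = ["known-vulnerable ThrottleStop.sys build loaded (CVE-2025-7771)"]
        if name.lower() != "throttlestop.sys":
            reasons.append(f"driver renamed to {name}")
        if _USER_PROFILE.match(path):
            reasons.append("loaded from a user profile directory")
        alerts.append({"path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_vulnerable_driver(SAMPLE_DRIVER_LOADS):
        print(alert["path"], "->", "; ".join(alert["reasons"]))
```

Matching on the hash rather than the file name is deliberate: the operators dropped the driver as ThrottleBlood.sys, and a name-based rule would have missed it. A load of the genuine ThrottleStop.sys from a system directory still fires, since the vulnerable build is the problem whether or not the user installed it on purpose.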
“The AV killer starts a loop to find target processes… If any match, it kills them by using the vulnerable driver to call the PsLookupProcessById and PsTerminateProcess kernel functions.”
The hardcoded list of target AV processes includes products from:
- Kaspersky
- Microsoft Defender
- Bitdefender
- CrowdStrike
- ESET
- Symantec
- McAfee
- Sophos
- SentinelOne
- …and more
“Like most antivirus software available today, Windows Defender will attempt to restart the service… However, the main loop of the program will continue to identify and kill the associated AV process.”
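The kill-and-restart loop quoted above leaves a distinctive trace in process telemetry: the same antivirus image terminating again and again within seconds, with a fresh start between each kill. The following detector is an added example for this article, not code from Kaspersky; the event layout (timestamp, Sysmon event ID, image path), the AV image names used as stand-ins for the vendors in the list, and the sample events are assumptions constructed for the example.

```python
"""Added example: raise an alert when an AV/EDR process terminates
`threshold` or more times inside a sliding time window, the signature of
the AV killer's main loop repeatedly killing a service that keeps restarting.
Event layout, image names and sample events are constructed assumptions."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Image names this example treats as AV/EDR engines (assumption for the example;
# not the tool's real target list). MsMpEng.exe is Microsoft Defender's engine.
AV_IMAGES = {"msmpeng.exe", "avp.exe", "ekrn.exe"}

# Constructed Sysmon-style records: (ISO timestamp, event ID, image path).
# EID 5 = ProcessTerminate, EID 1 = ProcessCreate. Not real telemetry.
_DEF = r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"
SAMPLE_PROCESS_EVENTS = [
    ("2025-08-01T10:00:00", 5, _DEF),
    ("2025-08-01T10:00:02", 1, _DEF),                    # service restarts
    ("2025-08-01T10:00:03", 5, _DEF),                    # killed again
    ("2025-08-01T10:00:04", 5, r"C:\Windows\System32\notepad.exe"),
    ("2025-08-01T10:00:05", 1, _DEF),
    ("2025-08-01T10:00:06", 5, _DEF),                    # third kill -> alert
    ("2025-08-01T10:00:07", 5, r"C:\Program Files\Kaspersky\avp.exe"),
    ("2025-08-01T10:00:08", 1, _DEF),
    ("2025-08-01T10:00:09", 5, _DEF),
]


def detect_kill_loop(events, threshold=3, window=timedelta(seconds=60)):
    """Return {image_name: {"first_seen": ts, "kills_in_window": n}} for every
    AV image that terminated at least `threshold` times within `window`.
    Events must be in time order; one alert is raised per image."""
    recent = defaultdict(deque)   # image -> timestamps of terminations in window
    alerts = {}
    for ts, eid, image in events:
        if eid != 5:
            continue
        name = image.rsplit("\\", 1)[-1].lower()
        if name not in AV_IMAGES:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[name]
        q.append(t)
        while q and t - q[0] > window:   # drop terminations older than the window
            q.popleft()
        if len(q) >= threshold and name not in alerts:
            alerts[name] = {"first_seen": ts, "kills_in_window": len(q)}
    return alerts


if __name__ == "__main__":
    for name, info in detect_kill_loop(SAMPLE_PROCESS_EVENTS).items():
        print(f"{name}: {info['kills_in_window']} terminations by {info['first_seen']}")
```

A single termination is what a legitimate update or a crash looks like, so the example only fires on repetition. The threshold and window are tunable; the sample fires on the third kill within nine seconds, while the lone avp.exe termination stays quiet.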
With antivirus solutions neutralized, the attacker deploys the final payload, a variant of MedusaLocker ransomware (detected by Kaspersky as Trojan-Ransom.Win32.PaidMeme.*), which encrypts files across the network and completes the kill chain.
“The AV killer was able to disable the system’s defenses, allowing the attacker to move laterally across machines with ease.”
According to Kaspersky’s telemetry, victims have been located primarily in:
- Russia
- Belarus
- Ukraine
- Kazakhstan
- Brazil
Although the tool was observed in a Brazilian MedusaLocker attack, the AV killer itself is not tied to that group: the same tooling is used by many ransomware affiliates and other threat actors.