Hackers have found new ways to get around Microsoft Defender and deliver ransomware on Windows PCs. They use a real driver, rwdrv.sys, which comes from a popular Intel CPU tuning tool called ThrottleStop. By taking advantage of this driver, attackers gain deep access to a system and can install a second, harmful driver to turn off Defender.
This method lets ransomware slip past what many people trust for protection. Attacks like these have been active since July, making it clear that relying only on built-in tools is not enough. Staying aware of these threats and keeping all security software updated is key for anyone looking to avoid costly data loss and downtime.
How Hackers Bypass Microsoft Defender Using Legitimate Drivers
Hackers use clever tactics to bypass Microsoft Defender by hijacking drivers that many users trust. One of the main ways attackers get around security is by misusing a legitimate Intel driver. This allows them to load a second, harmful driver that disables key protections and leaves a system open to ransomware. Understanding each part of this process helps users recognize how even well-known tools can become a weak point.
Exploiting rwdrv.sys from ThrottleStop
Attackers focus on rwdrv.sys, a driver from the ThrottleStop tool, which is widely used for Intel CPU tuning. Because this driver is signed and trusted by the system, Windows allows it to run with high-level (kernel) permissions. Hackers target these kinds of drivers because:
- Trusted Status: Windows treats legitimate drivers as safe, granting them deep access.
- Weaknesses in Older Versions: Some drivers, like rwdrv.sys, may have vulnerabilities that let hackers take full control of a PC.
- Low Suspicion: Security tools are less likely to flag activity from well-known drivers.
By exploiting rwdrv.sys, an attacker can gain the same privileges as the system’s core processes. This is like getting a master key to every room in a building, instead of just sneaking through a window. Once inside at this level, hackers can make changes that most antivirus tools can’t stop.
Loading a Malicious Driver to Disable Microsoft Defender
After gaining kernel-level access, the next step for hackers is to load their own malicious driver, often named hlpdrv.sys. With these deep privileges, this driver can make powerful changes to the Windows system that regular software cannot.
The malicious driver works by:
- Editing the Windows Registry: It modifies settings that control how Microsoft Defender operates.
- Turning Off Security Features: By changing registry values, it can disable real-time protection and other core defenses.
- Keeping Itself Hidden: Operating at the kernel level, the driver can block Defender from seeing or removing malicious files.
With Microsoft Defender out of the way, ransomware can launch without warning and encrypt files across the PC. This tactic has become more common since mid-2024, making it important for users to question the safety of even trusted drivers on their machines. For more context about the risks tied to technical vulnerabilities in widely used products, you can see the technical truth behind Shein’s packages, which highlights how even large brands can introduce hidden threats.
Staying ahead of these risks means using updated antivirus software, monitoring for strange system behavior, and being cautious about which drivers and tools are installed—even those from well-known vendors.
The Akira Ransomware Deployment Method
Akira ransomware uses a step-by-step chain to break through Microsoft Defender protections and gain control of a Windows PC. The attack takes advantage of trusted system components, turning legitimate drivers into attack tools. This method is not just clever—it’s a real threat for anyone who relies on default system security. Here’s how Akira ransomware gets in and takes over.
Step 1: Exploiting a Legitimate Intel Driver
The process starts with hackers targeting rwdrv.sys, a real driver from the Intel CPU tuning utility called ThrottleStop. This driver is signed and widely used, which makes it a low-profile target for attackers. When loaded, it has kernel-level access, giving the same power as the system itself.
Why target rwdrv.sys?
- It’s widely trusted and almost never flagged by security tools.
- Vulnerabilities in older versions let hackers control the kernel.
- Running as a system process, it gives access to sensitive parts of Windows.
With rwdrv.sys, attackers break through the normal barriers set by Windows, giving them unrestricted access to the PC’s core.
Step 2: Loading a Malicious Driver
Once inside, hackers use that unrestricted access to load their own harmful driver—often identified as hlpdrv.sys. Unlike the first driver, this one is designed to interfere directly with Microsoft Defender. It modifies system settings in the Windows Registry, quietly switching off real-time protection and other critical defenses.
Key actions of the malicious driver include:
- Registry tampering: It changes security settings in the Registry to weaken or disable Windows Defender.
- Disabling core defenses: By shutting down Defender’s real-time scanning, the system is left exposed.
- Staying unnoticed: Since it runs at the kernel level, it can stop Defender from detecting its presence or the changes it makes.
This “bring your own vulnerable driver” (BYOVD) approach is a growing strategy among attackers. It lets them slip past modern protections by hijacking tools users trust. For a deeper technical dive into BYOVD attacks and how they are used to evade security, check out the article on vulnerable driver attacks in real-world intrusions.
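The registry tampering described in Step 2 (and in the earlier section on the malicious driver) is exactly the kind of change a defender can correlate with a preceding driver load. The detector below is an added illustration, not code from the article or from any vendor; it runs over constructed, simplified Sysmon-style records (EventID 6 for a driver load, EventID 13 for a registry value set), and the field names and sample hosts are assumptions.

```python
from collections import defaultdict

ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}  # file names the article ties to the chain
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
DISABLE_VALUES = {"disableantispyware", "disableantivirus", "disablerealtimemonitoring"}
WINDOW_SECONDS = 600  # tampering within 10 minutes of a suspicious driver load

def is_defender_tamper(event):
    """True for a registry-set event that switches a Defender protection off (value 1)."""
    target = event["TargetObject"].lower()
    return (target.startswith(DEFENDER_POLICY)
            and target.rsplit("\\", 1)[-1] in DISABLE_VALUES
            and event["Details"] == "DWORD (0x00000001)")

def detect_byovd_chain(events):
    """Return (host, driver, value_name, seconds_after_load) for each tamper event
    preceded on the same host by an abused-driver load inside the window."""
    loads, alerts = defaultdict(list), []  # host -> [(ts, driver file name)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["EventID"] == 6:  # driver loaded
            name = ev["ImageLoaded"].lower().rsplit("\\", 1)[-1]
            if name in ABUSED_DRIVERS:
                loads[ev["host"]].append((ev["ts"], name))
        elif ev["EventID"] == 13 and is_defender_tamper(ev):  # registry value set
            recent = [(ts, d) for ts, d in loads[ev["host"]] if 0 <= ev["ts"] - ts <= WINDOW_SECONDS]
            if recent:  # attribute the tamper to the most recent suspicious load
                ts, drv = max(recent)
                alerts.append((ev["host"], drv, ev["TargetObject"].rsplit("\\", 1)[-1], ev["ts"] - ts))
    return alerts

# Constructed sample: WS01 shows the chain; WS02 is a ThrottleStop user who only loads
# rwdrv.sys and later sets the policy value back to 0, which is not tampering.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS01", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\rwdrv.sys"},
    {"ts": 1060, "host": "WS01", "EventID": 6, "ImageLoaded": r"C:\Users\Public\hlpdrv.sys"},
    {"ts": 1090, "host": "WS01", "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"ts": 1095, "host": "WS01", "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"ts": 5000, "host": "WS02", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\rwdrv.sys"},
    {"ts": 5100, "host": "WS02", "EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
]

if __name__ == "__main__":
    for alert in detect_byovd_chain(SAMPLE_EVENTS):
        print("BYOVD chain on %s: %s loaded, then %s set %ds later" % alert)
```

A lone rwdrv.sys load is what every legitimate ThrottleStop user produces, which is why the rule fires only when a Defender-disabling write follows it on the same host.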
Step 3: Ransomware Deployment
With Defender shut down, there is little to stand in the way. Ransomware is deployed, often silently, and begins encrypting files across the PC. Since most users trust Microsoft Defender, they may not notice anything is wrong until files are already locked.
- Files are encrypted: Documents, photos, and other data become inaccessible.
- Ransom note is delivered: Users are told to pay up to unlock their files.
- Recovery is difficult: Without outside backups, restoring files is tough.
Understanding this method is key for anyone who manages Windows systems. The threat is not just theoretical: ransomware gangs have been using it effectively since mid-2024. Security experts recommend multiple layers of defense, not just relying on Microsoft’s built-in solutions. To better understand how attackers use signed drivers and kernel-level tricks to bypass security, see the discussion on modern kernel-level attacks.
By breaking the process into these steps, you can see how Akira ransomware moves from exploiting trust in a harmless driver to taking total control over Windows Defender and, ultimately, your data.
Why This Bypass Is Dangerous for Windows Users
Hackers gaining kernel-level access to Windows systems can cause real harm, making this bypass of Microsoft Defender a serious threat. By exploiting trusted drivers, attackers move past standard security layers and can disable one of the last lines of defense for many users. This risk is not just about technical skill; it affects anyone who uses Windows for work, personal data, or business operations.
Direct Control Over System Defenses
When hackers exploit a vulnerable driver like rwdrv.sys, they gain control at the deepest level of the operating system. This lets them:
- Disable or alter core security features, like Microsoft Defender, without user approval.
- Install malicious drivers that remain hidden from most antivirus tools.
- Change registry settings to shut off real-time monitoring and block updates.
These steps allow ransomware or other malware to run freely. Users lose the ability to detect or stop attacks, even if they have Defender active.
Rapid Spread and Lasting Impact
Once a system’s main defenses are down, hackers can quickly deploy ransomware. This means files are encrypted before most users notice anything is wrong. The impact is wide:
- Important files, from photos to business documents, become inaccessible.
- Downtime disrupts both personal activities and company operations.
- Recovery can be expensive and slow, especially if backups are missing or outdated.
For organizations, this can mean lost revenue and damaged reputation. For individuals, it can mean losing personal memories and financial documents.
Exploitation of Trusted Software
This attack does not rely on fake software or obvious tricks. Hackers use a legitimate driver from a popular Intel tuning tool (ThrottleStop), which many users trust. By turning a trusted tool into a weakness, attackers catch users off guard. Even experienced IT teams may not spot the risk until it’s too late.
The trend of abusing legitimate tools to bypass security is growing. Attackers look for drivers and applications that offer deep system access, then exploit overlooked flaws. This approach bypasses most standard antivirus checks, making it harder for users to stay protected by default settings alone.
Threat to Multiple Systems
Because the driver used in this attack is popular and widely distributed, many Windows PCs could be at risk. Attackers do not need to invent new malware for every system; they use the same method across many targets. This makes the threat scalable and more dangerous than unique, targeted attacks.
Importance of Layered Security
Relying only on Microsoft Defender or any single tool leaves users exposed to this kind of attack. Layered security means:
- Keeping all software, especially drivers, updated to the latest versions.
- Using reputable third-party antivirus programs alongside built-in tools.
- Monitoring for unusual activity, such as new drivers being installed or system settings changing unexpectedly.
Security experts highlight the need for these extra steps to reduce the risk of modern ransomware. As driver abuse grows, trusting only default protections is no longer enough for safe computing.
Best Practices to Defend Against Driver-Based Attacks
Driver-based attacks have become a clear risk for Windows users. Hackers use gaps in trusted software and drivers to break through defenses like Microsoft Defender. Simple habits and well-chosen tools will help lower your risk. These steps focus on closing the security gaps that attackers use most often.
Keep Antivirus Tools Updated
Attackers often use new tricks to bypass protection. Out-of-date antivirus tools miss these fresh threats, especially when hackers target trusted drivers. Always keep your antivirus software updated so it recognizes and blocks the latest attack methods.
- Updates add new malware definitions that can spot changes in how attacks work.
- Patches close security holes that hackers may use to take advantage of drivers.
- Many antivirus tools now scan for unusual driver activity, not just common viruses.
Set your antivirus to update itself every day, if possible. If you turn off automatic updates, check for new versions at least once a week. This is a simple step that stops many attacks before they start. For more info on why keeping antivirus up to date matters, you can see the detailed guide on how antivirus updates protect against ransomware.
Review Installed Drivers and Software
Old or unused drivers can be weak spots in your system. Hackers watch for drivers that are out of date or abandoned. These are easier to exploit, as seen with attacks using legitimate drivers like rwdrv.sys.
Take time each month to:
- Check which drivers and tools are on your PC.
- Remove drivers for devices you no longer use (old printers, webcams, or tools).
- Uninstall any software that you do not need or that is no longer supported by the maker.
- Update important drivers to their newest versions from trusted sources.
Most Windows PCs show installed drivers and software in the Device Manager and Apps settings. Be careful: never download drivers from unknown websites. Only use official sites or your device maker’s support page. Removing risky drivers is as important as updating your antivirus—both stop hackers from finding a way in.
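The monthly driver review above can be partly scripted. The helper below is an added example, not from the article: it takes the CSV that `driverquery /v /fo csv` prints on Windows and flags kernel drivers worth a closer look. The sample CSV is constructed (a subset of the real columns, with assumed paths), and the three review rules are this example's own choices.

```python
import csv
import io

ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}  # names the article ties to this attack chain
# Kernel drivers normally live under these roots; anything else deserves a look.
EXPECTED_ROOTS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

def audit_drivers(csv_text):
    """Return {module_name: [reasons]} for kernel drivers that merit manual review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Driver Type"] != "Kernel":
            continue  # file-system filters are out of scope for this check
        path = row["Path"].lower()
        reasons = []
        if path.rsplit("\\", 1)[-1] in ABUSED_DRIVERS:
            reasons.append("driver name known to be abused in BYOVD attacks")
        if not path.startswith(EXPECTED_ROOTS):
            reasons.append("kernel driver loaded from outside the Windows driver directories")
        if row["Start Mode"] == "Manual" and row["State"] == "Running":
            reasons.append("manually started driver is running now (a utility loaded it on demand)")
        if reasons:
            findings[row["Module Name"]] = reasons
    return findings

# Constructed sample in the layout of driverquery /v /fo csv (subset of columns).
SAMPLE_CSV = """\
"Module Name","Display Name","Driver Type","Start Mode","State","Path"
"ACPI","Microsoft ACPI Driver","Kernel","Boot","Running","C:\\Windows\\System32\\drivers\\ACPI.sys"
"rwdrv","rwdrv","Kernel","Manual","Running","C:\\Program Files\\ThrottleStop\\rwdrv.sys"
"hlpdrv","hlpdrv","Kernel","Manual","Running","C:\\Users\\Public\\hlpdrv.sys"
"FltMgr","FltMgr","File System","Boot","Running","C:\\Windows\\System32\\drivers\\fltmgr.sys"
"usbprint","Microsoft USB PRINTER Class","Kernel","Manual","Stopped","C:\\Windows\\System32\\drivers\\usbprint.sys"
"""

if __name__ == "__main__":
    for module, reasons in audit_drivers(SAMPLE_CSV).items():
        print(module + ": " + "; ".join(reasons))
```

A flag here is a prompt to check the vendor, version and install path, not a verdict; a legitimate ThrottleStop install will also show up, which is the point the article makes about trusted tools.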
Adopt a Zero-Trust Security Mindset
Zero-trust is a security model that treats every driver, tool, and request as a possible threat until it proves safe. This is not just for big companies—it works for home users, too.
Core zero-trust habits include:
- Always verify the source of any new software or driver.
- Do not assume built-in tools or well-known programs are safe by default.
- Use strong passwords and two-factor authentication where possible.
- Limit admin rights; only use them when you must make big changes.
By acting as if every part of your system could be misused, you close off the easy paths hackers use. Zero-trust means no shortcuts—always check, never assume. If you want to learn more about how zero-trust helps protect against ransomware and other modern threats, the NIST zero trust architecture guide gives a solid breakdown of the basics.
Following these steps will not stop every attack, but they make it much harder for hackers to succeed. Stay alert, keep your tools current, and treat every driver as a possible risk. These habits lower your exposure to the type of driver-based attacks now seen in the wild.
Conclusion
Hackers exploiting legitimate drivers to bypass Microsoft Defender expose a significant weakness in Windows security. By using trusted drivers like rwdrv.sys, attackers gain deep system access and disable Defender through malicious drivers. This method allows ransomware to operate undetected, putting users’ data and systems at serious risk.
Staying protected requires more than just relying on built-in defenses. Regularly updating antivirus software and monitoring driver activity are necessary steps to maintain strong security. For those looking to strengthen their defenses further, exploring AI cybersecurity apps for beginners offers practical advice on maintaining effective protection.
Remaining vigilant and informed is essential as threats continue to evolve. Prioritize layered security and keep software current to reduce exposure to these driver-based attacks. Your data depends on it.