Overview
- Researchers identified a BYOVD tactic that uses the legitimate Intel CPU tuning driver rwdrv.sys for kernel access, followed by a custom hlpdrv.sys module that disables Windows Defender policies
- The dual-driver sequence has featured in multiple Akira intrusions since July 15, 2025, with initial access gained through SonicWall SSLVPN vulnerabilities
- GuidePoint released YARA rules and indicators of compromise for both rwdrv.sys and hlpdrv.sys to enable proactive detection and retrospective threat hunting
- SonicWall updated guidance urging customers to restrict SSLVPN use, enforce multi-factor authentication, remove unused accounts and enable Botnet/Geo-IP protection
- Analyses show Akira’s broader kill chain employs the Bumblebee loader and data exfiltration tools, deploying its locker.exe ransomware payload roughly 44 hours after the breach
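A defender-side hunting script for the driver sequence described above, added here as an example and not taken from GuidePoint's published YARA rules or the original page. It assumes only the two driver filenames named in the summary, the standard System log event 7045 for service installation, and the well-known Windows Defender policy registry keys; everything else (function names, output shape) is my own.

```powershell
# Added hunting example (not GuidePoint's YARA/IoCs or the page's own code).
# Real items: the two driver filenames from the summary, System event 7045,
# and the Defender policy registry keys. Output shape is my own choice.
$SuspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')
$Pattern = ($SuspectDrivers | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-SuspectDriverServices {
    # Currently registered kernel drivers whose image path names either file.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match $Pattern } |
        Select-Object Name, State, StartMode, PathName
}

function Find-DriverInstallEvents {
    param([int]$Days = 30)
    # Event 7045 ("A service was installed in the system") is written when a
    # loader registers a driver service, so it survives even if the .sys is gone.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Message
}

function Get-DefenderPolicyOverrides {
    # Policy values here override local Defender settings; "disabling Defender
    # via policy" leaves values such as DisableAntiSpyware = 1 on disk.
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
    )
    foreach ($c in $checks) {
        $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = 1 }
        }
    }
}

$services = Find-SuspectDriverServices
$events   = Find-DriverInstallEvents -Days 60
$policy   = Get-DefenderPolicyOverrides

if ($services -or $events -or $policy) {
    Write-Warning 'Indicators consistent with the rwdrv.sys / hlpdrv.sys sequence found:'
    $services | Format-Table -AutoSize
    $events   | Format-Table -AutoSize -Wrap
    $policy   | Format-Table -AutoSize
} else {
    Write-Output 'No suspect driver services, install events or Defender policy overrides found.'
}
```

Run from an elevated PowerShell session so the System log and HKLM policy keys are readable; a filename match is a starting point for triage, not proof, so confirm hits against the published YARA rules and file hashes.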