Security researchers at GuidePoint Security have identified a sophisticated campaign where Akira ransomware affiliates are leveraging malicious drivers to evade antivirus and endpoint detection systems following the exploitation of SonicWall VPN devices.
The campaign, observed from late July through early August 2025, represents a concerning evolution in ransomware tactics that combines zero-day exploitation with Bring Your Own Vulnerable Driver (BYOVD) techniques.
SonicWall Zero-Day Exploitation Campaign
Multiple security vendors have reported active exploitation of SonicWall VPN infrastructure, with organizations including Huntress, Arctic Wolf, and Truesec documenting increased Akira ransomware activity targeting these devices.
While SonicWall has acknowledged the reports, no specific vulnerability has been officially disclosed, leading researchers to suspect an unreported zero-day exploit is being used for initial access.
The threat actors gain initial access through compromised SonicWall SSL VPN services before deploying two specific Windows drivers to maintain persistence and evade security controls.
SonicWall has recommended immediate defensive measures, including disabling SSL VPN services where practical, implementing multi-factor authentication, and enabling botnet protection with geo-IP filtering.
Malicious Driver Implementation and Detection
Researchers identified two critical drivers in the attack chain: rwdrv.sys and hlpdrv.sys.
The first, rwdrv.sys, is a legitimate driver from the ThrottleStop utility used for Intel CPU performance tuning, which attackers register as a service to gain kernel-level access.
The malicious hlpdrv.sys driver (SHA256: bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56) specifically targets Windows Defender by modifying the DisableAntiSpyware registry settings through regedit.exe execution.
GuidePoint Security has released a comprehensive YARA rule for detecting the hlpdrv.sys driver, which validates PE file structure, imports from ntoskrnl.exe, and specific artifact strings including device names like \\Device\\KMHLPDRV.
The rule requires at least seven of nine specific import functions and three unique artifact strings for accurate detection.
Organizations should immediately implement the recommended SonicWall hardening measures and deploy the provided YARA signatures for proactive threat hunting, as these drivers have been observed across multiple recent Akira ransomware incidents.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
