Cybercriminals are abusing a legitimate driver to disable antivirus software and weaken a system's defences.

In a sophisticated campaign first observed in October 2024, attackers have been using a legitimate driver to disable antivirus software across compromised networks. By abusing the ThrottleStop.sys driver, originally designed by TechPowerUp to manage CPU throttling, the malware gains read and write access to kernel memory from user mode and uses it to terminate security processes at will.

Initial access is most often achieved through stolen RDP credentials or brute-forced administrative accounts, which lets the adversary deploy the AV killer alongside ransomware payloads such as MedusaLocker. Securelist analysts noted that once inside the network, the threat actors extract additional user credentials with tools such as Mimikatz and move laterally with Pass-the-Hash via Invoke-WMIExec.ps1 or Invoke-SMBExec.ps1. After lateral movement, the attacker uploads two core artifacts, ThrottleBlood.sys (the renamed vulnerable driver) and All.exe (the AV killer), to user directories such as C:\Users\Administrator\Music. Windows Defender and other endpoint protection platforms initially contain the ransomware, but the AV killer quickly terminates their processes and leaves the systems defenceless.

The impact has been severe, particularly for organisations with exposed RDP endpoints. Victims in Brazil, Ukraine, Kazakhstan, Belarus and Russia have reported widespread encryption of critical data, with recovery efforts hampered by the disabled defences.

At the heart of the AV killer is the abuse of two vulnerable IOCTL handlers in ThrottleStop.sys that permit arbitrary physical memory reads and writes from user mode. After loading ThrottleBlood.sys as a kernel service through the Service Control Manager API, the malware calls NtQuerySystemInformation with the SystemModuleInformation information class to enumerate loaded kernel modules and locate the base address of the kernel image. Using a SuperFetch-based address translation library, it converts the virtual address of NtAddAtom into a physical address. With that physical address in hand, All.exe uses the driver's write primitive to overwrite the start of NtAddAtom with a tiny shellcode stub that jumps to the kernel function it wants to run, such as PsTerminateProcess; invoking NtAddAtom from user mode then executes that function with kernel privileges. In a continuous loop, the malware enumerates processes with Process32FirstW and Process32NextW, compares each process name against a hardcoded list of security products and terminates every match. Because the driver itself is legitimately signed, a signature check alone does not stop it; what does is refusing known vulnerable drivers by hash (Microsoft's vulnerable driver blocklist or an equivalent allow-list policy) and protecting the memory of security processes. Securelist researchers found that the self-defence features in Kaspersky products, such as process memory protection and registry change monitoring, effectively counter this AV killer, but many organisations remain reliant on less resilient solutions.
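As an added example (not code from the Securelist write-up or from the malware itself), the following Python script hunts for the staging chain described in the two paragraphs above: a kernel-mode driver service registered from a user-writable directory, a loaded driver whose hash matches a known vulnerable driver even after it has been renamed, and an executable launched from the same directory as that driver. The event fields follow Windows System event 7045 and Sysmon events 6 and 1, rendered here as JSON lines; the timestamps, hash values and the USER_WRITABLE_PREFIXES list are constructed for the demo, and a real deployment would populate KNOWN_VULNERABLE_DRIVERS from a vulnerable-driver feed such as loldrivers.io.

```python
"""Hunt for BYOVD AV-killer staging in Windows event logs.

Added example, not code from the Securelist write-up or the malware. Reads a
simplified JSON-lines rendering of System 7045 (service installed) and Sysmon
6 (driver loaded) / 1 (process created) events. Timestamps and hashes below
are constructed for the demo.
"""
import json
from pathlib import PureWindowsPath

# Constructed placeholder hash, NOT a real ThrottleStop.sys hash. In practice this
# map is filled from a vulnerable-driver feed such as loldrivers.io, keyed by SHA256
# so a renamed copy (ThrottleBlood.sys) still matches.
KNOWN_VULNERABLE_DRIVERS = {
    "deadbeef" * 8: "ThrottleStop.sys",
}

# Directories a compromised account can write to without touching system paths.
# A kernel driver installed from one of these is suspicious regardless of its name.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample log mirroring the staging sequence: driver service install,
# driver load, then the AV killer launched from the same folder. The last two
# lines are benign (a driver in Program Files, a stock Windows driver).
SAMPLE_EVENTS = r"""
{"ts": "2024-10-12T03:14:05Z", "source": "System", "id": 7045, "ServiceName": "ThrottleBlood", "ServiceType": "kernel mode driver", "ImagePath": "C:\\Users\\Administrator\\Music\\ThrottleBlood.sys"}
{"ts": "2024-10-12T03:14:06Z", "source": "Sysmon", "id": 6, "ImageLoaded": "C:\\Users\\Administrator\\Music\\ThrottleBlood.sys", "Hashes": "MD5=00000000000000000000000000000000,SHA256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", "Signed": "true"}
{"ts": "2024-10-12T03:14:09Z", "source": "Sysmon", "id": 1, "Image": "C:\\Users\\Administrator\\Music\\All.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-10-12T03:20:00Z", "source": "System", "id": 7045, "ServiceName": "ThrottleStop", "ServiceType": "kernel mode driver", "ImagePath": "C:\\Program Files (x86)\\ThrottleStop\\ThrottleStop.sys"}
{"ts": "2024-10-12T03:20:01Z", "source": "Sysmon", "id": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": "SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "Signed": "true"}
"""


def parse_events(text):
    """Parse JSON-lines log text into dicts sorted oldest first; blank lines are skipped."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def in_user_writable_dir(path):
    """True if the path sits under a directory a non-privileged user can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def sha256_of(event):
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def parent_dir(path):
    """Lower-cased parent directory of a Windows path (works on any host OS)."""
    return str(PureWindowsPath(path).parent).lower()


def hunt(events):
    """Return findings for the driver-install -> driver-load -> companion-EXE chain.

    Correlation is order-dependent: an executable is only flagged if a suspicious
    driver was already seen in its directory, so pass events sorted by time.
    """
    findings = []
    staging_dirs = set()  # directories a suspicious driver was installed or loaded from

    for ev in events:
        src, eid = ev.get("source"), ev.get("id")

        # Rule 1: kernel-mode driver service registered from a user-writable path.
        if src == "System" and eid == 7045 and ev.get("ServiceType", "").lower() == "kernel mode driver":
            path = ev["ImagePath"]
            if in_user_writable_dir(path):
                findings.append({"rule": "kernel_driver_from_user_dir", "ts": ev["ts"],
                                 "path": path, "service": ev["ServiceName"]})
                staging_dirs.add(parent_dir(path))

        # Rule 2: loaded driver whose hash is on the vulnerable list, whatever its
        # file name; record whether it was renamed to dodge name-based blocking.
        elif src == "Sysmon" and eid == 6:
            path = ev["ImageLoaded"]
            original = KNOWN_VULNERABLE_DRIVERS.get(sha256_of(ev))
            if original:
                findings.append({"rule": "known_vulnerable_driver", "ts": ev["ts"], "path": path,
                                 "original_name": original,
                                 "renamed": PureWindowsPath(path).name.lower() != original.lower()})
                staging_dirs.add(parent_dir(path))

        # Rule 3: executable launched from the same directory as a suspicious driver
        # (the AV killer and its driver are dropped side by side).
        elif src == "Sysmon" and eid == 1:
            path = ev["Image"]
            if parent_dir(path) in staging_dirs:
                findings.append({"rule": "executable_beside_driver", "ts": ev["ts"], "path": path})

    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Hash-based matching is the part that matters: renaming ThrottleStop.sys to ThrottleBlood.sys defeats a file-name block rule but leaves the SHA256 unchanged, which is why the second rule ignores the name and only reports the rename as context. Running the script directly prints the three findings for the embedded sample and nothing for the two benign lines.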
