
Hackers exploit Intel driver to disable Windows Defender

USA, Tuesday, September 2, 2025

A hacker group has discovered a clever method to disable Windows Defender by exploiting a legitimate Intel driver. This technique, known as a "Bring Your Own Vulnerable Driver" (BYOVD) attack, has been active since mid-July 2025 and is being used in ransomware campaigns.

How the Attack Works

  1. Exploiting a Legitimate Driver

    • The attackers use a driver from Intel's ThrottleStop, a performance-tweaking tool, to gain deep system access.
    • Once access is obtained, they install a second driver that disables Microsoft Defender by modifying a Windows registry setting.
  2. A Sneaky Approach

    • Unlike traditional attacks that exploit software bugs or deliver malicious files, this method abuses the design of the Windows driver system.
    • Because the driver comes from a trusted source, Windows loads it without raising suspicion.
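The defender-side counterpart to the two steps above is to check whether a host has the protections that block or expose this kind of driver abuse. The following PowerShell audit is an added example, not code from the article or from any product; the registry value names for the vulnerable-driver blocklist and the Defender policy switch, and the Defender event IDs, are taken from general Windows knowledge and marked as assumptions in the comments.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on the host being audited.
# Reports the conditions a BYOVD attack of the kind described above relies on or leaves behind:
# no vulnerable-driver blocklist, tamper protection off, Defender disabled by policy,
# recent "protection disabled" events, and running drivers loaded from outside the Windows directory.
function Get-DefenderTamperAudit {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Microsoft's vulnerable driver blocklist (Core Isolation). Assumed key and value name.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    if (-not $ci -or $ci.VulnerableDriverBlocklistEnable -ne 1) {
        $findings.Add('Vulnerable driver blocklist is not enabled')
    }

    # 2. Live Defender state from the Defender PowerShell module
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        if (-not $status.IsTamperProtected)         { $findings.Add('Defender tamper protection is off') }
        if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
        if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    } else {
        $findings.Add('Get-MpComputerStatus failed: Defender may be removed or disabled')
    }

    # 3. Policy registry value that switches Defender off (assumed value name)
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) {
        $findings.Add('Policy value DisableAntiSpyware=1 is set (Defender disabled by policy)')
    }

    # 4. Defender operational log, last 7 days. Assumed IDs: 5001 = real-time protection disabled,
    #    5010 = antispyware disabled.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) { $findings.Add("Defender event $($e.Id) at $($e.TimeCreated)") }

    # 5. Heuristic for review: running kernel drivers whose image lives outside the Windows directory
    #    (dropped third-party drivers often do). Normalise the NT-style path prefixes first.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
            if ($path -notlike "$env:SystemRoot\*") {
                $findings.Add("Running driver outside Windows directory: $($_.Name) ($path)")
            }
        }
    return $findings
}

Get-DefenderTamperAudit | ForEach-Object { Write-Output $_ }
```

An empty result means none of the audited conditions were observed; any line is a lead to review, not proof of compromise on its own.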

Broader Implications

  • The attack highlights a flaw in how Windows trusts certain tools, allowing legitimate drivers to be weaponized.
  • The same group has also been linked to attacks on SonicWall VPN devices, likely exploiting a known vulnerability rather than a zero-day flaw. Recommended mitigations:

    • Restrict VPN access
    • Enable multi-factor authentication (MFA)
    • Disable unused accounts
    • Monitor for suspicious activity
    • Apply filtering and blocking rules
    • Download software only from official or verified sources

Staying Safe

While this attack is dangerous, users can protect themselves by:

  • Using strong antivirus software
  • Avoiding shady links
  • Not running unexpected commands
  • Keeping software updated
  • Using two-factor authentication
  • Investing in personal data removal services
