
GRITREP: Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Bottom-Line Up Front (BLUF): We have observed Akira affiliates exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting. In this report, we detail the observed drivers and provide a YARA rule based on associated strings, conditions, and imports. We advise defenders to hunt for the presence of these drivers, which date back to at least July 15, 2025.

Background: From late July through early August 2025, multiple security vendors have reported exploitation of SonicWall VPNs, leading to Akira ransomware deployment. SonicWall has acknowledged the reporting but has not yet disclosed any associated vulnerability. In response to this threat, SonicWall recommends that users:

  • Disable SSLVPN services where practical
  • Limit SSLVPN connectivity to trusted source IPs
  • Enable Botnet protection, Geo-IP filtering, and other security services
  • Enforce multi-factor authentication (MFA)
  • Remove unused accounts
  • Practice good password hygiene

Read on for our Full Report.

Full Report

From late July through early August 2025, multiple security vendors have reported exploitation of SonicWall VPNs leading to Akira ransomware deployment (1, 2, 3). This body of reporting has assessed that the campaign may be driven in part by an unreported zero-day in SonicWall VPNs, which we are neither able to confirm nor refute. SonicWall has acknowledged the reporting, but it has not disclosed any information regarding a new vulnerability (4).

However, based on several GuidePoint Incident Response cases in recent months, we have detected the repeated use of two Windows drivers by Akira affiliates. These drivers have almost certainly been used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain.

The first driver, rwdrv.sys, is a legitimate driver for ThrottleStop. This Windows-based performance tuning and monitoring utility is primarily designed for Intel CPUs. It is often used to override CPU throttling mechanisms, improve performance, and monitor processor behavior in real time. We have observed Akira affiliates registering this driver as a service and we assess that this driver is used to gain kernel-level access to the impacted device.

The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware value under the Windows Defender policy key, \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware. The malware accomplishes this by executing regedit.exe. Additional details on the file are available under its SHA256 hash, bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56, in commercial and open-source malware repositories. We assess that the legitimate rwdrv.sys driver may be used to enable execution of the malicious hlpdrv.sys driver, though we have been unable to reproduce the exact mechanism of action at this time.

We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting. We are also providing a YARA rule below, which detects the malicious hlpdrv.sys driver based on its PE layout, imports, and associated strings.

Pending additional information and identification of any underlying vulnerabilities, we strongly advise defenders to harden any SonicWall VPN in their environment, including by applying the following recommended mitigations from SonicWall:

  • Disable SSLVPN services where practical
  • Limit SSLVPN connectivity to trusted source IPs
  • Enable Botnet protection, Geo-IP filtering, and other security services
  • Enforce multi-factor authentication (MFA)
  • Remove unused accounts
  • Practice good password hygiene

Review of logs and application of YARA rules for the above drivers may aid defenders in identifying and responding to pre-ransomware activity, or in the incident response process.

YARA Rule – hlpdrv.sys driver

import "pe"

rule hlpdrv_sys_driver_malware
{
    meta:
        author = "GuidePoint Research and Intelligence Team"
        date = "2025-08-05"
        family = "BYOVD / hlpdrv.sys"
        description = "Detects malicious hlpdrv.sys driver using PE layout, imports, and strings"
        sha256 = "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56"

    strings:
        $filename = "hlpdrv.sys" ascii nocase
        $svc = "HlpDrv" wide ascii
        $device = "\\Device\\KMHLPDRV" wide ascii
        $link = "\\DosDevices\\KMHLPDRV" wide ascii
        $reg = "SYSTEM\\CurrentControlSet\\Services\\HlpDrv" wide
        $pdb = "hlpdrv.pdb" ascii

    condition:
        // Validate PE file and size
        uint16(0) == 0x5A4D and
        pe.is_pe and
        filesize < 100KB and

        // Section layout checks (typical kernel-driver layout with an INIT section)
        pe.number_of_sections == 6 and
        pe.sections[0].name == ".text" and
        pe.sections[1].name == ".rdata" and
        pe.sections[2].name == ".data" and
        pe.sections[3].name == ".pdata" and
        pe.sections[4].name == "INIT" and
        pe.sections[5].name == ".reloc" and

        // Require at least 7 of 9 ntoskrnl.exe imports: device setup,
        // security-descriptor handling, and process lookup/termination
        (7 of (
            pe.imports("ntoskrnl.exe", "ZwSetSecurityObject"),
            pe.imports("ntoskrnl.exe", "ZwTerminateProcess"),
            pe.imports("ntoskrnl.exe", "RtlCreateSecurityDescriptor"),
            pe.imports("ntoskrnl.exe", "RtlSetDaclSecurityDescriptor"),
            pe.imports("ntoskrnl.exe", "IoCreateSymbolicLink"),
            pe.imports("ntoskrnl.exe", "IoDeleteDevice"),
            pe.imports("ntoskrnl.exe", "IoCreateDevice"),
            pe.imports("ntoskrnl.exe", "PsProcessType"),
            pe.imports("ntoskrnl.exe", "PsLookupProcessByProcessId")
        )) and

        // Require at least 3 unique artifact strings
        3 of ($filename, $svc, $device, $link, $reg, $pdb)
}

Indicators Of Compromise (IOCs)

Value | IOC
bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56 | SHA256 hash; hlpdrv.sys
16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 | SHA256 hash; rwdrv.sys
Users\REDACTED\AppData\Local\Temp\hlpdrv.sys | Observed file path for hlpdrv.sys
Users\REDACTED\AppData\Local\Temp\rwdrv.sys | Observed file path for rwdrv.sys
Service “mgdsrv” registered – C:\Users\REDACTED\AppData\Local\Temp\rwdrv.sys | Service creation for rwdrv.sys
Service “KMHLPSVC” registered – C:\Users\REDACTED\AppData\Local\Temp\hlpdrv.sys | Service creation for hlpdrv.sys
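The log review suggested above, as an added hunting example that is not part of the original report or the GuidePoint tooling: it scores service-install and registry-write records against the IOC table (hashes, driver file names, service names, the Defender DisableAntiSpyware policy value) and additionally flags any kernel driver loaded from a user's Temp folder. The "kind|key=value" record format and the sample records are constructed for the example; only the names, paths, and hashes come from the report.

```python
import re

# Indicators from the IOC table above, lower-cased for case-insensitive matching.
DRIVER_HASHES = {
    "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56": "hlpdrv.sys",
    "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0": "rwdrv.sys",
}
SERVICE_NAMES = {"mgdsrv", "kmhlpsvc", "hlpdrv"}
DRIVER_FILES = {"hlpdrv.sys", "rwdrv.sys"}
# A kernel driver whose image sits under a user's Temp folder is worth a look on its own.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

def parse(line):
    # Constructed "kind|key=value|..." record format, not a real Windows log format.
    kind, _, rest = line.partition("|")
    return kind.strip().lower(), dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)

def classify(line):
    """Return (severity, reason) pairs for one record; an empty list means no finding."""
    kind, f = parse(line)
    hits = []
    if kind == "7045":  # service-install record: name, image path, type, optional hash
        name, path = f.get("name", "").lower(), f.get("path", "")
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        sha = f.get("sha256", "").lower()
        if sha in DRIVER_HASHES:
            hits.append(("high", f"known {DRIVER_HASHES[sha]} hash"))
        if base in DRIVER_FILES:
            hits.append(("high", f"driver file name {base}"))
        if name in SERVICE_NAMES:
            hits.append(("high", f"service name {name}"))
        if f.get("type", "").lower() == "kernel" and USER_TEMP.search(path):
            hits.append(("medium", "kernel driver loaded from user Temp"))
    elif kind == "regset":  # registry write: key, value name, data
        key = f.get("key", "").lower().rstrip("\\")
        if key.endswith("policies\\microsoft\\windows defender") and f.get("value", "").lower() == "disableantispyware":
            hits.append(("high", "Defender DisableAntiSpyware policy value modified"))
    return hits

def hunt(lines):
    # Keep only records that produced at least one finding.
    return [(ln, h) for ln in lines if (h := classify(ln))]

# Constructed sample records; only the names, paths and hashes come from the report.
SAMPLE_LOG = [
    r"7045|name=KMHLPSVC|path=C:\Users\alice\AppData\Local\Temp\hlpdrv.sys|type=kernel|sha256=bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56",
    r"7045|name=mgdsrv|path=C:\Users\alice\AppData\Local\Temp\rwdrv.sys|type=kernel",
    r"7045|name=disk|path=C:\Windows\System32\drivers\disk.sys|type=kernel",
    r"regset|key=\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender|value=DisableAntiSpyware|data=1",
]
```

Running hunt(SAMPLE_LOG) returns the two driver installs and the Defender policy write, and leaves the benign disk.sys record alone; the same checks can be pointed at exported System log or EDR telemetry once the field mapping is adjusted.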

(1) Huntress, Huntress Threat Advisory: Active Exploitation of SonicWall VPNs

(2) Arctic Wolf, Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN

(3) Truesec, Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN

(4) SonicWall, Gen 7 SonicWall Firewalls – SSLVPN Recent Threat Activity