Hackers found a way to turn off Windows Defender remotely
August 29, 2025 – Published on FOX News Online
Most modern Windows PCs rely on Microsoft Defender as their first line of defense against malware. Over the years, it has evolved into a capable and often underrated antivirus that blocks a wide range of threats. But a hacker group has found a way to abuse a legitimate Intel CPU tuning driver in a “Bring Your Own Vulnerable Driver” (BYOVD) attack to completely disable Microsoft Defender.
The technique has been observed since mid-July 2025 and is already being used in active ransomware campaigns. The method doesn’t rely on exploiting a software bug or delivering an obviously malicious file. Instead, it takes advantage of how the Windows driver system is designed to allow deep hardware access.
The Akira ransomware group has developed a new way to bypass security tools by using a legitimate Intel CPU tuning driver called rwdrv.sys from the performance-tweaking tool ThrottleStop. Cybersecurity experts from GuidePoint Security say attackers load this driver to gain kernel-level access to Windows systems, then install a second malicious driver, hlpdrv.sys, which changes the DisableAntiSpyware registry setting via regedit.exe to shut down Microsoft Defender.
Once Defender is disabled, attackers can run other malicious programs undetected. GuidePoint says this method has been consistently spotted in Akira campaigns since mid-July.
The same group has also been linked to attacks targeting SonicWall VPN devices. SonicWall has stated that these incidents likely involve a known vulnerability, CVE-2024-40766, rather than a brand-new zero-day. The company recommends restricting VPN access, enabling multi-factor authentication, and disabling unused accounts as immediate defenses.
Read More HERE.