A recent incident response case in Brazil revealed new antivirus (AV) killer software that has been circulating since October 2024. The malware abuses the ThrottleStop.sys driver to terminate numerous antivirus processes, a technique known as BYOVD (Bring Your Own Vulnerable Driver). The attack began with a valid RDP credential, followed by lateral movement using pass-the-hash techniques. The AV killer, consisting of ThrottleBlood.sys and All.exe, exploits a vulnerability (CVE-2025-7771) in the legitimate ThrottleStop driver to disable system defenses. It targets antivirus processes from multiple vendors and terminates them by hijacking kernel functions. Victims have been identified primarily in Russia, Belarus, Kazakhstan, Ukraine, and Brazil.

Author: AlienVault
Related Tags:
kernel exploitation
cve-2025-7771
av killer
driver abuse
MedusaLocker
T1562.006
BYOVD
T1543.003
T1489
Associated Indicators: