ThrottleStop driver abused to terminate AV processes

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A recent incident response case in Brazil revealed a new antivirus (AV) killer that has been circulating since October 2024. The malware abuses the ThrottleStop.sys driver to terminate numerous antivirus processes, a technique known as BYOVD (Bring Your Own Vulnerable Driver). The attack began with a valid RDP credential, followed by lateral movement using pass-the-hash. The AV killer, consisting of ThrottleBlood.sys and All.exe, exploits a vulnerability (CVE-2025-7771) in the legitimate ThrottleStop driver to disable system defenses. It targets antivirus processes from multiple vendors and terminates them by hijacking kernel functions. Victims have been identified primarily in Russia, Belarus, Kazakhstan, Ukraine, and Brazil.

OPENCTI LABELS:

ransomware,byovd,medusalocker,kernel exploitation,driver abuse,av killer,cve-2025-7771,throttlestop
