ThrottleStop driver abused to terminate AV processes

Aug. 6, 2025, 5:04 p.m.

Description

A recent incident response case in Brazil revealed new antivirus (AV) killer software that has been circulating since October 2024. The malware abuses the ThrottleStop.sys driver to terminate numerous antivirus processes, using the technique known as BYOVD (Bring Your Own Vulnerable Driver). The attack began with a valid RDP credential, followed by lateral movement using pass-the-hash techniques. The AV killer, consisting of ThrottleBlood.sys and All.exe, exploits a vulnerability (CVE-2025-7771) in the legitimate ThrottleStop driver to disable system defenses. It targets multiple antivirus processes from various vendors and terminates them by hijacking kernel functions. Victims have been identified primarily in Russia, Belarus, Kazakhstan, Ukraine, and Brazil.
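As an added defender-side example (not code from the report or from the incident itself), the following Python detection sketch correlates a load of the driver file names given above with antivirus process terminations on the same host shortly afterwards. The log format, host names, the expected driver install directory and the AV process names are constructed assumptions for the example.

```python
"""Detect the BYOVD AV-killer pattern: a ThrottleStop driver load followed by
several antivirus process terminations on the same host within a short window."""
import ntpath
from datetime import datetime, timedelta

# Driver file names taken from the report. Everything else below (paths, hosts,
# process names, timestamps) is constructed for this example, not an indicator.
DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}
AV_PROCESS_NAMES = {"avservice.exe", "avagent.exe"}          # placeholder AV processes
EXPECTED_DRIVER_DIR = r"c:\program files\techpowerup\throttlestop"  # assumed install dir
WINDOW = timedelta(minutes=2)

# Constructed sample events: 'timestamp host=.. id=.. <ImagePath>' (id 6 = driver
# loaded, id 5 = process terminated, loosely modelled on Sysmon event ids).
SAMPLE_EVENTS = """\
2025-08-01T10:00:01 host=WS01 id=6 ImageLoaded=C:\\Program Files\\TechPowerUp\\ThrottleStop\\ThrottleStop.sys
2025-08-01T10:05:12 host=WS02 id=6 ImageLoaded=C:\\Users\\Public\\ThrottleBlood.sys
2025-08-01T10:05:20 host=WS02 id=5 Image=C:\\Program Files\\VendorAV\\avservice.exe
2025-08-01T10:05:21 host=WS02 id=5 Image=C:\\Program Files\\VendorAV\\avagent.exe
2025-08-01T10:05:25 host=WS02 id=5 Image=C:\\Windows\\System32\\notepad.exe
2025-08-01T11:30:00 host=WS03 id=5 Image=C:\\Program Files\\VendorAV\\avservice.exe
"""

def parse(lines):
    """Parse the sample format; the image path is the last field and may contain spaces."""
    events = []
    for line in lines.splitlines():
        ts, host, eid, image = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts),
                       "host": host.split("=", 1)[1],
                       "id": int(eid.split("=", 1)[1]),
                       "image": image.split("=", 1)[1]})
    return events

def detect(lines):
    """Return one alert per suspicious driver load: a known ThrottleStop driver name
    loaded from an unexpected directory, or followed by AV process terminations."""
    events, alerts = parse(lines), []
    for ev in events:
        if ev["id"] != 6 or ntpath.basename(ev["image"]).lower() not in DRIVER_NAMES:
            continue
        killed = [ntpath.basename(e["image"]).lower() for e in events
                  if e["host"] == ev["host"] and e["id"] == 5
                  and ev["ts"] <= e["ts"] <= ev["ts"] + WINDOW
                  and ntpath.basename(e["image"]).lower() in AV_PROCESS_NAMES]
        unusual_path = ntpath.dirname(ev["image"]).lower() != EXPECTED_DRIVER_DIR
        if unusual_path or killed:
            alerts.append({"host": ev["host"], "driver": ev["image"],
                           "unusual_path": unusual_path, "av_killed": killed})
    return alerts
```

On the sample data only WS02 is flagged: the driver is loaded from a user-writable directory and two AV processes die within seconds, while the legitimate load on WS01 and the lone termination on WS03 produce nothing.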

Date

  • Created: Aug. 6, 2025, 12:25 p.m.
  • Published: Aug. 6, 2025, 12:25 p.m.
  • Modified: Aug. 6, 2025, 5:04 p.m.

Attack Patterns

Additional Information

  • Belarus
  • Kazakhstan
  • Ukraine
  • Brazil
  • Russian Federation