Driver of Destruction: How a Legitimate Driver Is Being Used To Take Down AV Processes
A new AV-killer malware, active since at least October 2024, abuses a legitimate, digitally signed driver originally known as ThrottleStop.sys and now renamed ThrottleBlood.sys, using the BYOVD (Bring Your Own Vulnerable Driver) technique to bypass system defenses. The driver exposes unprotected IOCTLs that allow arbitrary physical memory access via MmMapIoSpace, letting an attacker who already holds admin rights escalate to kernel-level read/write. Once the driver is loaded, the AV-killer binary (All.exe) uses this flaw to inject shellcode that invokes kernel functions such as PsTerminateProcess, directly terminating AV/EDR processes. Targeted products include Microsoft Defender, Kaspersky, Avast, McAfee, CrowdStrike, ESET, Sophos, Symantec, and others, with process names hardcoded for rapid enumeration and kill attempts. Because it operates in kernel space, the malware bypasses common self-protection and user-mode monitoring, giving adversaries an efficient way to neutralize endpoint defenses.
In the investigated campaign, the threat actors obtained initial access via valid RDP credentials on an SMTP server, then escalated privileges using Mimikatz and moved laterally with pass-the-hash techniques. They then deployed both the vulnerable driver and All.exe to disable security software before executing MedusaLocker ransomware. While some AV platforms, such as Kaspersky Endpoint Security, withstood the termination attempts thanks to strong self-defense features, most affected organizations suffered large-scale endpoint encryption after the AV/EDR shutdown. The vulnerability that enabled the AV bypass, CVE-2025-7771, has since been reported, and the vendor is working on a patch.
IOCs (9)
SHA1 file hash (9)
Detections
- Driver Loaded from Unusual Path
- PowerShell Invoke WmiExec or Invoke SMBExec Usage
- Monitor for tampering with security tools — service stops, driver unloads, or config changes
- Detect logins from valid accounts originating from unusual locations, devices, or at abnormal times
- Alert on credential dumping via LSASS access, SAM registry reads, or DCSync
- Detect mass file encryption patterns — high-frequency file writes with entropy changes
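As an added example (not code from the source report or any vendor), the following Python check implements the first detection above, "Driver Loaded from Unusual Path", over constructed driver-load records loosely modelled on Sysmon Event ID 6 fields; the expected driver directories, the field names and the sample events are assumptions, and only the driver file names ThrottleStop.sys and ThrottleBlood.sys come from the report.

```python
"""Flag kernel driver loads that fit the BYOVD pattern described above."""
from pathlib import PureWindowsPath

# Directories a kernel driver is normally loaded from (assumption, tune per estate).
EXPECTED_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore\filerepository",
)
# Driver file names named in the report (ThrottleStop.sys was renamed ThrottleBlood.sys).
KNOWN_ABUSED_DRIVERS = {"throttlestop.sys", "throttleblood.sys"}


def assess_driver_load(event):
    """Return the list of reasons this driver-load event is suspicious (empty if benign)."""
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    name = path.name.lower()
    parent = str(path.parent).lower()
    reasons = []
    if not any(parent.startswith(d) for d in EXPECTED_DIRS):
        reasons.append(f"driver loaded from unusual path: {path.parent}")
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abusable driver name: {path.name}")
    # A BYOVD driver carries a valid signature by design, so a valid signature
    # must never exonerate the load; only a missing or bad signature adds a reason.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status not valid")
    return reasons


def scan(events):
    """Return {image_path: reasons} for every suspicious driver load in events."""
    return {e["ImageLoaded"]: r for e in events if (r := assess_driver_load(e))}


# Constructed sample events (not telemetry from the report).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\Public\ThrottleBlood.sys",
     "SignatureStatus": "Valid", "Signature": "EXAMPLE-VENDOR (constructed)"},
    {"ImageLoaded": r"C:\Windows\Temp\svc_helper.sys",
     "SignatureStatus": "Unavailable", "Signature": ""},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```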