216.73.217.98

Observed Malicious Driver Use Associated with Akira SonicWall Campaign

· Published 08/08/2025 08:07 · Modified 10/08/2025 19:36

Export JSON

Essential information

Published
08/08/2025 08:07
Modified
10/08/2025 19:36
Tags
2025-08-08 akira av/edr evasion byovd drivers ransomware sonicwall vpn zero-day
Related entities
2 observables, 1 intrusion sets (apt), 1 techniques (mitre), 1 malware

Description

affiliates have been observed exploiting two common as part of a suspected effort following initial access involving abuse. The , rwdrv.sys and hlpdrv.sys, are being used to facilitate or disablement through a Bring Your Own Vulnerable Driver () exploitation chain. This behavior has been prevalent in recent incident response cases. The campaign may be driven by an unreported vulnerability in VPNs. Defenders are advised to harden VPNs, implement recommended mitigations, and use provided YARA rules for detection and response to pre- activity.

External references