Observed Malicious Driver Use Associated with Akira SonicWall Campaign
Essential information
- Published
- 08/08/2025 08:07
- Modified
- 10/08/2025 19:36
- Tags
- 2025-08-08 akira av/edr evasion byovd drivers ransomware sonicwall vpn zero-day
- Related entities
- 2 observables, 1 intrusion sets (apt), 1 techniques (mitre), 1 malware
Description
Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain. This behavior has been prevalent in recent Akira ransomware incident response cases. The campaign may be driven by an unreported zero-day vulnerability in SonicWall VPNs. Defenders are advised to harden SonicWall VPNs, implement recommended mitigations, and use provided YARA rules for detection and response to pre-ransomware activity.