ThrottleStop driver abused to terminate AV processes
Essential information
- Published: 06/08/2025 12:25
- Modified: 06/08/2025 17:04
- Tags: 2025-08-06, CVE-2025-7771, av killer, byovd, driver abuse, kernel exploitation, medusalocker, ransomware, throttlestop
- Related entities: 4 techniques (MITRE), 1 malware, 5 others
Description
A recent incident response case in Brazil revealed a new antivirus (AV) killer that has been circulating since October 2024. The malware abuses the ThrottleStop.sys driver to terminate numerous antivirus processes, using the technique known as BYOVD (Bring Your Own Vulnerable Driver). The attack began with a valid RDP credential, followed by lateral movement using pass-the-hash techniques. The AV killer, consisting of ThrottleBlood.sys and All.exe, exploits a vulnerability (CVE-2025-7771) in the legitimate ThrottleStop driver to disable system defenses. It targets antivirus processes from multiple vendors and terminates them by hijacking a kernel function. Victims have been identified primarily in Russia, Belarus, Kazakhstan, Ukraine, and Brazil.
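A defender-side illustration of how the pattern described above can be spotted in telemetry, written as an added example that is not code from the report or from any vendor: it correlates a driver-load event for a known-abused driver (the two driver names come from the description) with security-product process terminations that follow it within a short window. The simplified pipe-delimited log format, the sample events, the list of security process names, the correlation window and the SHA-256 value are all constructed assumptions; the hash in particular is a labelled placeholder, not a real indicator.

```python
"""Correlate BYOVD driver loads with subsequent security-process terminations.

Added example, not code from the original report. Events are a constructed,
simplified Sysmon-style feed: event ID 6 = DriverLoad, event ID 5 = ProcessTerminate.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver names taken from the report. The hash is a placeholder (constructed).
ABUSED_DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}
PLACEHOLDER_HASHES = {"PLACEHOLDER_SHA256_OF_VULNERABLE_THROTTLESTOP_BUILD"}
# Generic security-product process names (assumption, not from the report).
SECURITY_PROCESSES = {"msmpeng.exe", "avp.exe", "ekrn.exe", "bdagent.exe"}
CORRELATION_WINDOW = timedelta(minutes=5)   # assumption
MIN_TERMINATIONS = 2                        # assumption


@dataclass
class Event:
    ts: datetime
    event_id: int   # 6 = DriverLoad, 5 = ProcessTerminate
    image: str      # driver path (ID 6) or process path (ID 5)
    sha256: str = ""


def parse_line(line: str) -> Event:
    """Parse 'timestamp|event_id|image|sha256' (constructed format)."""
    ts, eid, image, sha = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), int(eid), image, sha)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per suspicious driver load, with any correlated kills."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.event_id != 6:
            continue
        known = basename(ev.image) in ABUSED_DRIVER_NAMES or ev.sha256 in PLACEHOLDER_HASHES
        in_drivers_dir = "\\system32\\drivers\\" in ev.image.lower()
        if not known and in_drivers_dir:
            continue  # ordinary driver from the expected location
        # Security processes that died shortly after this driver was loaded.
        killed = [
            e for e in events[i + 1:]
            if e.event_id == 5
            and e.ts - ev.ts <= CORRELATION_WINDOW
            and basename(e.image) in SECURITY_PROCESSES
        ]
        if len(killed) >= MIN_TERMINATIONS:
            severity, reason = "high", "driver load followed by security process terminations"
        elif known:
            severity, reason = "medium", "known-abused driver loaded"
        else:
            severity, reason = "low", "driver loaded from outside System32\\drivers"
        alerts.append({
            "ts": ev.ts.isoformat(),
            "driver": ev.image,
            "severity": severity,
            "reason": reason,
            "terminated": sorted(basename(e.image) for e in killed),
        })
    return alerts


# Constructed sample feed: one benign driver, one abused driver followed by two
# security-process exits and one unrelated exit, and one unknown driver from %TEMP%.
SAMPLE_LOG = r"""
2025-08-06T12:00:00|6|C:\Windows\System32\drivers\tcpip.sys|aaaa
2025-08-06T12:01:10|6|C:\Users\Public\ThrottleBlood.sys|PLACEHOLDER_SHA256_OF_VULNERABLE_THROTTLESTOP_BUILD
2025-08-06T12:01:12|5|C:\Program Files\Windows Defender\MsMpEng.exe|
2025-08-06T12:01:13|5|C:\Program Files\ESET\ESET Security\ekrn.exe|
2025-08-06T12:01:14|5|C:\Windows\notepad.exe|
2025-08-06T12:30:00|6|C:\Temp\unknown.sys|bbbb
""".strip().splitlines()


def analyze_sample():
    return detect(parse_line(l) for l in SAMPLE_LOG)


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

In production the name and hash lists would be replaced by a maintained vulnerable-driver blocklist, and the process-termination side by the EDR's own tamper-protection events; the correlation logic itself stays the same.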