Hackers exploit Intel driver to disable Windows Defender

USA, Tue Sep 02 2025
A hacker group has found a way to disable Windows Defender using a legitimately signed driver. The technique, known as a "Bring Your Own Vulnerable Driver" (BYOVD) attack, has been in use since mid-July 2025 in ransomware campaigns. The attackers load the kernel driver that ships with ThrottleStop, a CPU performance-tuning tool, to gain kernel-level access to the system. With that access, they install a second driver that shuts down Microsoft Defender by changing a setting in the Windows registry.

The attack is hard to spot because it does not rely on exploiting a bug in Windows or delivering an obviously malicious file. Instead, it abuses the access the Windows driver model grants by design: a driver meant for harmless CPU tuning is turned into a tool for switching off the security software. This points to a broader weakness in how Windows trusts signed kernel drivers. Because the driver carries a valid signature from a legitimate publisher, Windows loads it without complaint unless that driver has been explicitly blocklisted.

The same group has also been linked to attacks on SonicWall VPN devices. Those incidents most likely involve a known vulnerability rather than a new zero-day. The vendor recommends restricting VPN access, enabling multi-factor authentication, and disabling unused accounts as immediate defenses.

Researchers have published detection rules and file indicators (IoCs) to help identify this activity. They advise administrators to monitor for these indicators, add filtering and blocking rules as new IoCs emerge, and download software only from official or verified sources.

Although the attack is clever and dangerous, there are ways to stay safe: use reputable antivirus software, avoid suspicious links, do not run unexpected commands, keep software updated, turn on two-factor authentication, and consider personal data removal services.
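The detection logic below is an added example, not code from the article or from the researchers who published the real rules. It shows the check a defender would actually want for the chain described above: a vulnerable-driver load followed, on the same host, by a registry write that disables Defender. Because a BYOVD driver is validly signed by definition, the driver rule matches on file name or hash and deliberately ignores signature status. Several things here are assumptions: the driver file name `ThrottleStop.sys` (the page only names the tool), the Defender policy values `DisableAntiSpyware` and `DisableRealtimeMonitoring` as the setting the second driver flips (the page does not name the key), the Sysmon-style event shape (Event ID 6 for driver load, 13 for registry value set), and every hash and event in the sample data, which is constructed.

```python
"""Detection logic for the BYOVD -> Defender-tamper chain described above.

Added example; the events below are CONSTRUCTED, Sysmon-shaped records, not
telemetry from the reported campaign, and the indicator lists are assumptions
standing in for the researchers' published IoCs.
"""
from datetime import datetime, timedelta

# ASSUMPTION: ThrottleStop.sys is assumed to be the file name of ThrottleStop's
# kernel driver; the page only names the tool.
VULNERABLE_DRIVER_NAMES = {"throttlestop.sys"}
# CONSTRUCTED placeholder hash, not a real IoC; replace with the published list.
VULNERABLE_DRIVER_HASHES = {"SHA256=" + "AB" * 32}
# Real Defender policy values; ASSUMED to be the setting the second driver flips,
# since the page does not name the registry key.
DEFENDER_TAMPER_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
}
CORRELATION_WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def driver_is_suspicious(event):
    """Sysmon Event ID 6 (driver loaded). Match on file name OR hash, and ignore
    SignatureStatus: a BYOVD driver is validly signed by definition."""
    if event["EventID"] != 6:
        return False
    name = event["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    hashes = {h.strip().upper() for h in event.get("Hashes", "").split(",") if h}
    return name in VULNERABLE_DRIVER_NAMES or bool(hashes & VULNERABLE_DRIVER_HASHES)


def registry_disables_defender(event):
    """Sysmon Event ID 13 (registry value set). Sysmon renders DWORDs as
    'DWORD (0x00000001)'; only a value of 1 disables the feature."""
    if event["EventID"] != 13:
        return False
    return (event["TargetObject"] in DEFENDER_TAMPER_VALUES
            and event.get("Details", "").strip().endswith("(0x00000001)"))


def detect(events):
    """Return (severity, host, message) tuples. A Defender-disabling registry
    write within CORRELATION_WINDOW of a vulnerable-driver load on the same host
    is escalated to 'high', since that is the chain described in the article."""
    alerts = []
    last_driver_load = {}  # host -> time of most recent suspicious driver load
    for ev in sorted(events, key=_ts):
        host = ev["Computer"]
        if driver_is_suspicious(ev):
            alerts.append(("medium", host, f"vulnerable driver loaded: {ev['ImageLoaded']}"))
            last_driver_load[host] = _ts(ev)
        elif registry_disables_defender(ev):
            alerts.append(("medium", host, f"Defender disabled via {ev['TargetObject']}"))
            t0 = last_driver_load.get(host)
            if t0 is not None and _ts(ev) - t0 <= CORRELATION_WINDOW:
                alerts.append(("high", host, "BYOVD driver load followed by Defender tamper"))
    return alerts


# CONSTRUCTED sample telemetry: three hosts, mixed benign and malicious activity.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS01", "UtcTime": "2025-07-20 10:00:00",
     "ImageLoaded": r"C:\Users\Public\ThrottleStop.sys", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "CD" * 32},  # name match even though the hash is unknown
    {"EventID": 13, "Computer": "WS01", "UtcTime": "2025-07-20 10:05:00",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 6, "Computer": "WS02", "UtcTime": "2025-07-20 11:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\benign.sys", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "EF" * 32},
    {"EventID": 13, "Computer": "WS02", "UtcTime": "2025-07-20 11:01:00",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},  # an admin re-enabling Defender is not an alert
    {"EventID": 6, "Computer": "WS03", "UtcTime": "2025-07-20 12:00:00",
     "ImageLoaded": r"C:\Windows\Temp\tmp1.sys", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "ab" * 32},  # renamed copy: caught by hash, not by name
]

if __name__ == "__main__":
    for sev, host, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev:>6}] {host}: {msg}")
```

Run against the constructed events, the detector raises two medium alerts and one high alert for WS01 (driver load, registry write, and the correlated chain), nothing for WS02 (an unknown benign driver and a Defender value set back to 0), and one medium alert for WS03, where the renamed driver is caught by hash alone. In practice the two indicator sets would be loaded from the researchers' published IoCs rather than hard-coded, and the registry rule should be extended to whichever key the published rules actually name.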
https://localnews.ai/article/hackers-exploit-intel-driver-to-disable-windows-defender-b66655b8
