
Threat actors behind the Medusa Ransomware-as-a-Service (RaaS) operation have begun deploying a malicious driver known as ABYSSWORKER as part of a Bring Your Own Vulnerable Driver (BYOVD) campaign. The objective is to disable antivirus and Endpoint Detection and Response (EDR) systems on compromised machines. Researchers at Elastic Security Labs uncovered an attack involving a loader obfuscated via the HeartCrypt packer, which installed a malicious driver signed with a revoked certificate from a Chinese vendor. The driver impersonated a legitimate Falcon driver from CrowdStrike.
The identified driver, named smuol.sys, bore a close resemblance to CrowdStrike’s CSAgent.sys. VirusTotal has logged dozens of ABYSSWORKER samples between August 2024 and late February 2025. All were signed using revoked, and likely stolen, certificates issued to Chinese companies, allowing the malware to masquerade as trusted software and evade security controls.
Upon analysis, the driver was found to register a process ID in the protected list and monitor I/O requests routed via internal control codes. This functionality allows it to manipulate files, processes, and other drivers—terminating or deleting them at will, including fully disabling security mechanisms.
Of particular interest to researchers was the control code 0x222400, which can remove system callback functions based on module names—a critical method for suppressing antivirus activity. Similar techniques have been observed in other EDR-disabling malware such as EDRSandBlast and RealBlindingEDR. ABYSSWORKER also supports machine restarts, API loading, file deletion, and termination of system threads.
Simultaneously, Venak Security reported exploitation of a separate vulnerability in the ZoneAlarm driver from Check Point. In this case, attackers used an outdated driver, vsdatant.sys, which operates with elevated kernel-level privileges. By exploiting the flaw, adversaries were able to bypass Windows protections—disabling Memory Integrity—and subsequently gain remote access via RDP, enabling data exfiltration.
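A defender-side triage of driver-load records for the indicators reported above (the revoked-certificate signing, the smuol.sys driver name, and the deprecated vsdatant.sys driver). This is an added example, not tooling from Elastic or Venak; the record format, signer strings and status values are constructed assumptions.

```python
# Hypothetical triage of driver-load records (Sysmon "DriverLoad"-style fields)
# for the BYOVD indicators named in the article. Sample records are constructed.
from dataclasses import dataclass

# Names taken from this page; a production rule should use a maintained
# vulnerable-driver blocklist (e.g. Microsoft's recommended driver block rules).
KNOWN_MALICIOUS_DRIVERS = {"smuol.sys"}      # ABYSSWORKER, per Elastic
KNOWN_VULNERABLE_DRIVERS = {"vsdatant.sys"}  # outdated ZoneAlarm driver, per Venak
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

@dataclass
class DriverLoad:
    image: str    # full path of the loaded driver
    signer: str   # subject of the signing certificate
    status: str   # signature verification result; only "Valid" is acceptable

def parse_record(line: str) -> DriverLoad:
    """Parse 'Key: value|Key: value' records (constructed format, not Sysmon XML)."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return DriverLoad(fields["ImageLoaded"], fields["Signature"], fields["SignatureStatus"])

def triage(rec: DriverLoad) -> list[str]:
    """Return the reasons a driver load deserves analyst attention (empty = no finding)."""
    reasons = []
    name = rec.image.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_MALICIOUS_DRIVERS:
        reasons.append("known malicious driver name")
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append("known vulnerable driver (BYOVD candidate)")
    if rec.status.lower() != "valid":
        # A revoked or unverifiable signature may still load on many hosts; alert on it.
        reasons.append(f"signature not valid: {rec.status}")
    if not rec.image.lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside the system driver directory")
    return reasons

SAMPLE_RECORDS = [  # constructed; signer strings are placeholders
    "ImageLoaded: C:\\Windows\\System32\\drivers\\CSAgent.sys|Signature: CrowdStrike (placeholder)|SignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\smuol.sys|Signature: Revoked Vendor Co (placeholder)|SignatureStatus: Revoked",
    "ImageLoaded: C:\\Windows\\Temp\\vsdatant.sys|Signature: Check Point (placeholder)|SignatureStatus: Valid",
]

def triage_all(lines=SAMPLE_RECORDS) -> dict[str, list[str]]:
    """Map each driver path to its list of findings."""
    return {parse_record(l).image: triage(parse_record(l)) for l in lines}

if __name__ == "__main__":
    for image, reasons in triage_all().items():
        print("ALERT" if reasons else "ok   ", image, "; ".join(reasons))
```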
According to Check Point, the vulnerable driver has long been deprecated, and current versions of ZoneAlarm and Harmony Endpoint are not affected by the described attack. The company assured that all releases from the past eight years are protected against such BYOVD exploitation.
These incidents underscore a growing trend among threat groups toward custom-built tools and privileged drivers. Such capabilities not only allow stealthy infiltration of secure environments but also enable the precise, systematic dismantling of detection and defense mechanisms.