The operators of the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver, dubbed ABYSSWORKER, in a bring-your-own-vulnerable-driver (BYOVD) attack designed to disable anti-malware tools.
Elastic Security Labs reported that a Medusa ransomware attack delivered its encryptor through a loader packed with a packer-as-a-service (PaaS) known as HeartCrypt.
According to the report, “this loader was disseminated in conjunction with a driver—signed with a now-revoked certificate—from a Chinese vendor, dubbed ABYSSWORKER. Once embedded within the target system, it proceeds to subdue various Endpoint Detection and Response (EDR) vendors.”
The driver in question, named “smuol.sys,” mimics the legitimate CrowdStrike Falcon driver (“CSAgent.sys”). Numerous ABYSSWORKER samples were uploaded to VirusTotal between August 8, 2024, and February 25, 2025, all of them signed with apparently stolen and since-revoked certificates belonging to Chinese companies.
Because the signature looks valid, the driver appears trustworthy and can get past security checks without raising suspicion. This EDR-killing driver was previously documented by ConnectWise in January 2025 under the name “nbwdv.sys.”
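A defender-side triage of driver-load records for the tells described above (the reported filenames, a non-valid signature status, and a file named CSAgent.sys loaded from outside its expected directory). This is an added illustration, not code from Elastic or ConnectWise; the record layout, the sample rows and the expected CrowdStrike driver path are constructed assumptions.

```python
# Added example: flag driver-load records that match the ABYSSWORKER tells.
# Record fields are loosely modelled on a Sysmon driver-load event; the
# sample rows below are constructed, not real telemetry.
KNOWN_NAMES = {"smuol.sys", "nbwdv.sys"}   # filenames reported for ABYSSWORKER
IMPERSONATED = "csagent.sys"                # legitimate CrowdStrike Falcon driver
# Assumed install directory of the genuine driver; adjust for your environment.
EXPECTED_CSAGENT_DIR = r"c:\windows\system32\drivers\crowdstrike"

def triage(record):
    """Return the reasons (possibly none) a driver-load record needs review."""
    path = record["ImageLoaded"].lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name in KNOWN_NAMES:
        reasons.append("filename matches a reported ABYSSWORKER sample")
    # Revocation is not enforced at load time, so a status other than
    # "Valid" in after-the-fact telemetry is worth a look on its own.
    if record["SignatureStatus"].lower() != "valid":
        reasons.append(f"signature status is {record['SignatureStatus']}")
    if name == IMPERSONATED and not path.startswith(EXPECTED_CSAGENT_DIR):
        reasons.append("CSAgent.sys loaded from an unexpected directory")
    return reasons

def triage_all(records):
    """Map each suspicious image path to its list of reasons."""
    return {r["ImageLoaded"]: triage(r) for r in records if triage(r)}

# Constructed sample records (signer names are placeholders).
SAMPLE_RECORDS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\CrowdStrike\CSAgent.sys",
     "Signature": "CrowdStrike, Inc.", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\smuol.sys",
     "Signature": "PLACEHOLDER VENDOR", "SignatureStatus": "Revoked"},
    {"ImageLoaded": r"C:\Temp\CSAgent.sys",
     "Signature": "PLACEHOLDER VENDOR", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\nbwdv.sys",
     "Signature": "PLACEHOLDER VENDOR", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, why in triage_all(SAMPLE_RECORDS).items():
        print(image, "->", "; ".join(why))
```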
Once loaded, ABYSSWORKER adds the process ID to a list of globally protected processes and listens for device I/O control requests, dispatching each one to the handler registered for its I/O control code.
Elastic explained, “the handlers span an extensive gamut—from file manipulation to the termination of processes and drivers—furnishing a robust arsenal capable of exterminating or irrevocably disabling EDR frameworks.”
Some of the notable I/O control codes are listed below:
- 0x222080 – Enables the driver when given the password “7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X”
- 0x2220c0 – Loads required kernel APIs
- 0x222184 – Copies a file
- 0x222180 – Deletes a file
- 0x222408 – Kills system threads by module name
- 0x222400 – Removes notification callbacks by module name
- 0x222144 – Terminates a process by its process ID
- 0x222140 – Terminates a thread by its thread ID
- 0x222084 – Disables malware
- 0x222664 – Reboots the machine
Of particular interest is control code 0x222400, which blinds security products by removing all registered notification callbacks, a technique also used by EDR-silencing tools such as EDRSandBlast and RealBlindingEDR.
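To see how the control codes above are structured, the added example below (not code from the Elastic report) splits each one into the CTL_CODE fields Windows drivers use. The code-to-role table is taken from the list above; the constant names are the standard DDK ones.

```python
# Added example: decode the ABYSSWORKER IOCTL codes into CTL_CODE fields.
# CTL_CODE(DeviceType, Function, Method, Access) packs its arguments as
#   DeviceType << 16 | Access << 14 | Function << 2 | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22

# Codes and roles exactly as listed in the article.
ABYSSWORKER_IOCTLS = {
    0x222080: "enable driver (password)",
    0x2220c0: "load kernel APIs",
    0x222184: "copy file",
    0x222180: "delete file",
    0x222408: "kill system threads by module name",
    0x222400: "remove notification callbacks by module name",
    0x222144: "terminate process by PID",
    0x222140: "terminate thread by TID",
    0x222084: "disable malware",
    0x222664: "reboot",
}

def decode_ioctl(code):
    """Split a 32-bit IOCTL into (device_type, access, function, method)."""
    return ((code >> 16) & 0xFFFF, (code >> 14) & 0x3,
            (code >> 2) & 0xFFF, code & 0x3)

def in_vendor_range(code):
    """Function numbers 0x800-0xFFF are the range left to third-party drivers."""
    return 0x800 <= decode_ioctl(code)[2] <= 0xFFF

def describe(code):
    """One-line, human-readable breakdown of a code and its reported role."""
    dev, acc, func, meth = decode_ioctl(code)
    dev_name = "FILE_DEVICE_UNKNOWN" if dev == FILE_DEVICE_UNKNOWN else hex(dev)
    role = ABYSSWORKER_IOCTLS.get(code, "unlisted")
    return (f"{code:#010x}: {dev_name} func={func:#05x} {METHODS[meth]} "
            f"{ACCESS[acc]} -> {role}")

def summarize():
    """Device types and transfer methods seen across the whole table; a single
    value of each means every handler sits behind one device object."""
    devs = {decode_ioctl(c)[0] for c in ABYSSWORKER_IOCTLS}
    meths = {decode_ioctl(c)[3] for c in ABYSSWORKER_IOCTLS}
    return devs, meths

if __name__ == "__main__":
    for c in sorted(ABYSSWORKER_IOCTLS):
        print(describe(c))
```

The function numbers all fall in the vendor range and share one device type and buffered method, which is the kind of consistency an analyst looks for when mapping a dispatch table.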
These findings follow an earlier report by Venak Security describing how attackers abused a legitimate but vulnerable kernel driver belonging to Check Point’s ZoneAlarm antivirus. That BYOVD attack was designed to gain elevated privileges and disable built-in Windows security features such as Memory Integrity.
The elevated privileges were then used to open a Remote Desktop Protocol (RDP) connection to the compromised systems for persistent access. Check Point has since patched the vulnerability.
A company spokesperson said, “Given that vsdatant.sys operates with escalated kernel prerogatives, adversaries exploited its frailties, circumventing security measures and antivirus deterrents, thereby seizing absolute dominion over the compromised endpoints. Once these defenses were neutralized, attackers could extract sensitive data, including user passwords and other critical credentials, paving the way for further nefarious endeavors.”
Separately, the RansomHub (also known as Greenbottle and Cyclops) ransomware group has been linked to the deployment of a previously undocumented multi-function backdoor, codenamed Betruger, by one of its affiliates.
The implant has the capabilities typically seen in malware that precedes a ransomware attack: screenshot capture, keylogging, network scanning, privilege escalation, credential dumping, and data exfiltration to a remote server.
Broadcom-owned Symantec said, “Betruger’s multifarious functionalities suggest its design was oriented towards minimizing the necessity for deploying numerous novel tools during a ransomware campaign, marking a divergence from conventional bespoke instruments developed by ransomware cohorts for data exfiltration.”
It added, “The incorporation of tailored malware beyond the conventional encrypting payloads remains an anomaly in ransomware stratagems. Predominantly, assailants exploit legitimate utilities, subsisting on indigenous system tools, and resorting to publicly accessible malware such as Mimikatz and Cobalt Strike.”