Interlock Ransomware Exploits Zero-Day in Gaming Anti-Cheat Driver to Disable EDR, AV

Cybersecurity

GBHackers On Security • February 4, 2026

Companies Mentioned

Fortinet (FTNT), eSentire, Mandiant

Why It Matters

By achieving kernel-level process termination, Interlock can temporarily blind endpoint detection and response tools, increasing the likelihood of successful ransomware deployment. The technique highlights the risk of repurposing legitimate anti-cheat drivers, prompting urgent patching and monitoring across the gaming and enterprise sectors.

Key Takeaways

  • Interlock exploits anti-cheat driver CVE-2025-61155
  • Hotta Killer BYOVD tool disables EDR and AV
  • Signed kernel driver installed via standard Windows service APIs
  • Process killer targets Forti.exe using DeviceIoControl IOCTL
  • Detect by hunting unexpected .sys driver installations

Pulse Analysis

Ransomware groups are increasingly abandoning off-the-shelf RaaS kits in favor of bespoke toolchains that operate at the kernel level. Interlock's latest campaign exemplifies this trend, leveraging a zero-day in a popular gaming anti-cheat driver to gain privileged access. The vulnerability, identified as CVE-2025-61155, allows the threat actor to load a signed x64 driver, renamed UpdateCheckerX64.sys, onto victim machines. By embedding the exploit within a BYOVD (bring-your-own-vulnerable-driver) payload, the attackers sidestep traditional user-mode defenses and position themselves to disrupt endpoint security components before encrypting data.

The core of the attack, dubbed Hotta Killer, creates a demand-start service using standard Windows APIs (OpenSCManagerW, CreateServiceW, StartServiceW) and registers the malicious driver as a kernel service. Once active, the driver listens for specific IOCTL commands; when it receives a matching magic flag, it calls ZwTerminateProcess to terminate the target PID. In the observed intrusion, the tool zeroed in on processes like Forti.exe, effectively pausing the operation of Fortinet's EDR suite. Although the driver did not fully cripple the security stack, the temporary blind spot afforded the ransomware operators a critical window to deploy encryption payloads and exfiltrate data.

Defenders must adapt by expanding their hunting playbooks to include anomalous .sys driver installations and unexpected service creations. Monitoring for unsigned or renamed drivers, especially those linked to gaming anti-cheat software, can surface early indicators of compromise. Patch management remains essential; vendors of anti-cheat drivers should accelerate remediation of CVE-2025-61155 and similar flaws. The broader implication is a call for tighter scrutiny of third-party kernel drivers across enterprises, as attackers continue to weaponize legitimate software components to bypass traditional endpoint protections.
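The hunting advice above (watch for anomalous .sys driver installations and unexpected service creations) can be turned into a small triage script. The following is an added example, not code from the article, GBHackers, Fortinet or any other vendor named on this page. It parses a handful of constructed records laid out like the message body of Windows System log Event ID 7045 ("A service was installed in the system", with its Service Name / Service File Name / Service Type / Service Start Type / Service Account fields) and flags kernel-mode drivers whose image lives outside the normal driver directory or in a user-writable location, noting a service-name/file-name mismatch and demand-start loading as supporting signals. The service name "UpdateChecker", every path, and the benign "acmeac" and "svchlp" entries are made up for the sample; only the file name UpdateCheckerX64.sys comes from the article. The scoring rules are this example's own assumptions, not a vendor detection.

```python
"""Hunt Event ID 7045-style service-install records for suspicious kernel drivers.

Added example; the records below are CONSTRUCTED to mimic the 7045 message
fields and are not real telemetry from the intrusion described in the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (one per line, fields separated by " | ").
SAMPLE_EVENTS = r"""
Service Name: mssmbios | Service File Name: \SystemRoot\System32\drivers\mssmbios.sys | Service Type: kernel mode driver | Service Start Type: boot start | Service Account:
Service Name: UpdateChecker | Service File Name: C:\ProgramData\Update\UpdateCheckerX64.sys | Service Type: kernel mode driver | Service Start Type: demand start | Service Account:
Service Name: Sysmon64 | Service File Name: C:\Windows\Sysmon64.exe | Service Type: user mode service | Service Start Type: auto start | Service Account: LocalSystem
Service Name: acmeac | Service File Name: \SystemRoot\System32\drivers\acmeac.sys | Service Type: kernel mode driver | Service Start Type: demand start | Service Account:
Service Name: svchlp | Service File Name: C:\Users\Public\svchelper.sys | Service Type: kernel mode driver | Service Start Type: demand start | Service Account:
"""

# Assumed layout: %SystemRoot% is C:\Windows (placeholder for the example).
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key: value | Key: value' record into a dict.

    partition on the first ':' keeps drive letters (C:\\...) intact.
    """
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def normalize_path(path: str) -> str:
    """Lower-case the image path and expand the common kernel-path prefixes."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):  # relative to %SystemRoot%
        p = "c:\\windows\\" + p
    return p


def assess(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a kernel driver installed from an unusual location."""
    if fields.get("Service Type", "").lower() != "kernel mode driver":
        return None  # user-mode services are out of scope for this hunt
    name = fields.get("Service Name", "")
    path = normalize_path(fields.get("Service File Name", ""))
    reasons: List[str] = []
    if not path.startswith(DRIVER_DIR):
        reasons.append("driver image outside System32\\drivers")
    if any(path.startswith(d) for d in USER_WRITABLE):
        reasons.append("driver image in user-writable directory")
    if not reasons:
        return None  # a correctly placed driver is not reported on name alone
    # Supporting signals only: many legitimate drivers are demand-start, and a
    # name mismatch by itself would be far too noisy to page on.
    basename = path.rsplit("\\", 1)[-1]
    stem = basename[:-4] if basename.endswith(".sys") else basename
    if stem != name.lower():
        reasons.append("driver file name does not match service name")
    if fields.get("Service Start Type", "").lower() == "demand start":
        reasons.append("demand-start kernel driver (loaded on request, not at boot)")
    return Finding(name, path, reasons)


def hunt(event_text: str) -> List[Finding]:
    """Run assess() over every non-empty record and collect the findings."""
    findings = []
    for line in event_text.strip().splitlines():
        if line.strip():
            finding = assess(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[!] {f.service}: {f.image_path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the sample, the script reports only the two drivers staged from ProgramData and Users\Public; the boot-start driver in System32\drivers and the user-mode Sysmon service are ignored. In a real deployment the same logic would consume 7045 events (or Sysmon driver-load events) from a SIEM, and the path allow-list would be tuned to the organization's own driver locations.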
