Recent reports indicate that the Medusa ransomware-as-a-service (RaaS) group is deploying a malicious kernel driver named ABYSSWORKER in a bring-your-own-vulnerable-driver (BYOVD) attack designed to disable anti-malware software.

According to Elastic Security Labs, a recent Medusa ransomware incident used a loader packed with HeartCrypt, a packer-as-a-service (PaaS) tool. The loader works together with ABYSSWORKER, a driver signed with a revoked certificate that targets and disables various endpoint detection and response (EDR) products.

“In our analysis, this loader was accompanied by ‘smuol.sys,’ which impersonates a legitimate CrowdStrike Falcon driver (‘CSAgent.sys’). Numerous traces of ABYSSWORKER have been found on the VirusTotal platform, with samples detected from August 2024 to February 2025. All samples are believed to be signed with likely stolen and revoked certificates from Chinese vendors,” Elastic stated in its report.

The code signature gives the malware a deceptive layer of legitimacy that lets it pass security checks quietly. The same EDR-disabling driver was identified earlier by ConnectWise under a different file name, “nbwdv.sys,” in January 2025.
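Driver-load telemetry is a natural place to look for this activity. The Python script below is an added example, not code from Elastic, ConnectWise or the report. It runs over constructed Sysmon-style DriverLoad (Event ID 6) records and flags the file names the report gives for ABYSSWORKER (smuol.sys, nbwdv.sys), any driver whose signature status is not valid (the revoked-certificate pattern described above) and, as a generic hunting heuristic that is this example's assumption rather than a report finding, drivers loaded from outside the standard drivers directory.

```python
"""Triage Sysmon-style DriverLoad (Event ID 6) records for ABYSSWORKER-like BYOVD activity.

Added example; the log lines below are constructed, not taken from a real incident.
"""
import ntpath
from dataclasses import dataclass

# Driver file names reported for ABYSSWORKER (Elastic: smuol.sys; ConnectWise: nbwdv.sys).
ABYSSWORKER_FILENAMES = {"smuol.sys", "nbwdv.sys"}

# A kernel driver whose code-signing certificate is in any of these states is
# a strong signal on its own, whatever the file is called.
SUSPICIOUS_SIG_STATUS = {"Revoked", "Expired", "Unsigned", "Untrusted"}

# Assumption of this example: legitimate drivers normally live here. Loads from
# elsewhere (Temp, Users\Public, ...) deserve a look but are not a report finding.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon Event ID 6 style records: tab-separated "Field: value" pairs.
SAMPLE_DRIVER_LOADS = [
    "UtcTime: 2025-02-10 09:14:03.120\tImageLoaded: C:\\Windows\\System32\\drivers\\CSAgent.sys"
    "\tSigned: true\tSignature: CrowdStrike, Inc.\tSignatureStatus: Valid",
    "UtcTime: 2025-02-10 09:15:44.901\tImageLoaded: C:\\Windows\\Temp\\smuol.sys"
    "\tSigned: true\tSignature: Example Vendor Co., Ltd.\tSignatureStatus: Revoked",
    "UtcTime: 2025-02-10 09:16:02.334\tImageLoaded: C:\\Users\\Public\\nbwdv.sys"
    "\tSigned: true\tSignature: Example Vendor Co., Ltd.\tSignatureStatus: Revoked",
    "UtcTime: 2025-02-10 09:20:15.002\tImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys"
    "\tSigned: true\tSignature: Microsoft Windows\tSignatureStatus: Valid",
]


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    signed: bool
    signature: str
    signature_status: str

    @property
    def basename(self) -> str:
        # ntpath handles backslash paths correctly even when this runs on Linux/macOS.
        return ntpath.basename(self.image)


def parse_driver_load(line: str) -> DriverLoad:
    """Split one record into fields; the first ': ' separates key from value."""
    fields = dict(kv.split(": ", 1) for kv in line.split("\t"))
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def triage(lines):
    """Return [(driver basename, [reasons])] for every load that trips at least one rule."""
    findings = []
    for line in lines:
        rec = parse_driver_load(line)
        name = rec.basename.lower()
        reasons = []
        if name in ABYSSWORKER_FILENAMES:
            reasons.append(f"known ABYSSWORKER file name {name}")
        if rec.signature_status in SUSPICIOUS_SIG_STATUS:
            reasons.append(f"signature status {rec.signature_status}")
        if not rec.signed:
            reasons.append("unsigned driver")
        if not rec.image.lower().startswith(DRIVER_DIR):
            reasons.append(f"loaded from non-standard path {rec.image}")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DRIVER_LOADS):
        print(f"{name}: {'; '.join(reasons)}")
```

The file-name rule is the weakest of the three, since the report itself shows the driver shipping under two different names; the signature-status rule catches the underlying technique regardless of name, which is why it is worth alerting on every revoked-certificate driver load rather than only on known samples.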

Once loaded, ABYSSWORKER adds its own process ID to a list of protected processes and listens for device I/O control requests. Each request is dispatched to a handler by its I/O control code, and the handlers cover operations ranging from file manipulation to process and driver termination.

Specific I/O control operations noted include enabling the driver with a password, loading kernel APIs, copying or deleting files, terminating system threads, and even rebooting the infected machine. Operation 0x222400 stands out: it blinds security products by removing their notification callbacks, the same technique used by other EDR-disabling tools such as EDRSandBlast and RealBlindingEDR.
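An analyst who meets a control code like 0x222400 in a report usually wants to know what it encodes. The decoder below is an added example, not Elastic's tooling; it uses the field layout defined by the WDK's CTL_CODE macro (device type, required access, function number, transfer method) and carries the report's code through it, with the inverse encoder as a cross-check.

```python
"""Decode a Windows I/O control code into its CTL_CODE fields.

Added example. The bit layout is the WDK CTL_CODE layout:
    DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
The code 0x222400 is the operation named in the report.
"""

TRANSFER_METHODS = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_TYPES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}
# A few well-known device types; custom drivers usually register as FILE_DEVICE_UNKNOWN.
DEVICE_TYPES = {
    0x02: "FILE_DEVICE_CD_ROM",
    0x07: "FILE_DEVICE_DISK",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
}
# Microsoft reserves function numbers 0x000-0x7FF; vendor-defined codes start at 0x800.
FIRST_VENDOR_FUNCTION = 0x800

ABYSSWORKER_CALLBACK_REMOVAL_IOCTL = 0x222400  # value taken from the report


def decode_ioctl(code: int) -> dict:
    """Break a 32-bit control code into its four fields plus symbolic names."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "device_type": device_type,
        "device_type_name": DEVICE_TYPES.get(device_type, f"0x{device_type:X}"),
        "access": ACCESS_TYPES[access],
        "function": function,
        "vendor_defined": function >= FIRST_VENDOR_FUNCTION,
        "method": TRANSFER_METHODS[method],
    }


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python equivalent of the WDK CTL_CODE macro, used to cross-check a decode."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def describe(code: int) -> str:
    """Render a control code the way it would appear in driver source."""
    d = decode_ioctl(code)
    return (f"0x{code:X} = CTL_CODE({d['device_type_name']}, 0x{d['function']:X}, "
            f"{d['method']}, {d['access']})")


if __name__ == "__main__":
    print(describe(ABYSSWORKER_CALLBACK_REMOVAL_IOCTL))
```

For 0x222400 the decode yields FILE_DEVICE_UNKNOWN, function 0x900, METHOD_BUFFERED and FILE_ANY_ACCESS; the function number sits in the vendor-defined range, which is what you would expect of a custom driver interface rather than a standard Windows device control.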

These findings echo a report from Venak Security, which detailed how threat actors abused a vulnerable but legitimately signed kernel driver belonging to Check Point’s ZoneAlarm antivirus software in the same BYOVD fashion. The exploitation allowed privilege escalation and the subsequent disabling of critical Windows security features.

The attackers reportedly used that elevated access to establish a persistent Remote Desktop Protocol (RDP) connection to affected systems, giving them continuous access. Check Point has since patched the vulnerabilities and advises affected users to update to the latest version of the software.

As businesses become increasingly reliant on technology, the emergence of tools like ABYSSWORKER raises questions about the efficacy of existing defenses. Each incident maps onto tactics described in the MITRE ATT&CK framework, in particular initial access, persistence and privilege escalation, and underscores the need for response strategies that cover all three.

In a rapidly evolving threat landscape, organizations must remain vigilant and proactive in updating their defenses against such sophisticated attacks. Threat actors are refining their methodologies, indicating that robust, adaptive approaches are essential to thwarting advanced cybersecurity threats.