This Windows security attack can take down your antivirus

News
By published

After disabling your antivirus, attackers are installing miners and infostealers

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Hackers have found a way to disable certain antivirus programs on Windows devices, allowing them to deploy all sorts of malware on the target devices.

Cybersecurity researchers AhnLab Security observed two such attacks last year, where the attackers found two unpatched vulnerabilities in Sunlogin, a remote-control software built by a Chinese company, and used them to deploy an obfuscated PowerShell script that disables any security products the victims might have installed. 

The vulnerabilities being abused are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution flaws found in Sunlogin v11.0.0.33 and earlier.

Abusing an anti-cheat driver

To abuse the flaws, the attackers used proofs-of-concept that were already released. The PowerShell script being deployed decodes a .NET portable executable - a tweaked Mhyprot2DrvControl open-source program that leverages vulnerable Windows drivers to gain privileges at kernel level.

This specific tool abuses mhyprot2.sys file, an anti-cheat driver for Genshin Impact, an action role-playing game. 

"Through a simple bypassing process, the malware can access the kernel area through mhyprot2.sys," the researchers said.

Read more

> Microsoft's own mistake may have left users at risk of malware attacks

> Installing gaming drivers might leave your PC vulnerable to cyberattacks

> Here's our take on the best endpoint protection right now

"The developer of Mhyprot2DrvControl provided multiple features that can be utilized with the privileges escalated through mhyprot2.sys. Among these, the threat actor used the feature which allows the force termination of processes to develop a malware that shuts down multiple anti-malware products."

After terminating security processes, the attackers are free to install whatever malware they please. Sometimes they would just open reverse shells, and other times they’d install Sliver, Gh0st RAT, or the XMRig cryptocurrency miner.

The method is known as BYOVD, or Bring Your Own Vulnerable Driver. Microsoft’s recommendation against these types of attacks is to enable the vulnerable driver blocklist, thus preventing the system from installing or running drivers that are known to be vulnerable.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
Representational image of a cybercriminal
Microsoft discovers five potentially damaging attacks against its own software
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
China
Chinese hackers develop effective new hacking technique to go after business networks
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Latest in News
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
More about security
Google Chrome

Google Chrome security flaw could have let hackers spy on all your online habits
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

Broadcom warns of worrying security flaws affecting VMware tools
A young woman is working on a laptop in a relaxed office space.

I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
See more latest
Most Popular
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
Render of a new RTX 4000 Max-Q gaming laptop.
I can't say I'm surprised, but Nvidia's RTX 5090 laptop GPU has a big performance leap over its predecessor, according to early benchmarks
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Apple Music on a tablet, showing a new Listening Guide feature
Apple Music Classical just got 3 excellent perks in its biggest upgrade since launch
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Quick move in Civ 7.
Sid Meier's Civilization 7 update 1.1.1 is here and it finally adds a setting that I've wanted since day one