The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.
Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt.
"This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report.
The driver in question, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked certificates from Chinese companies.
The fact that the malware is also signed gives it a veneer of trust and allows it to bypass security systems without attracting any attention. It's worth noting that the endpoint detection and response (EDR)-killing driver was previously documented by ConnectWise in January 2025 under the name "nbwdv.sys."
Once initialized and launched, ABYSSWORKER is designed to add the process ID to a list of global protected processes and listen for incoming device I/O control requests, which are then dispatched to appropriate handlers based on I/O control code.
"These handlers cover a wide range of operations, from file manipulation to process and driver termination, providing a comprehensive toolset that can be used to terminate or permanently disable EDR systems," Elastic said.
The list of some of the I/O control codes is below -
0x222080 - Enable the driver by sending a password "7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X"0x2220c0 - Load necessary kernel APIs0x222184 - Copy file0x222180 - Delete file0x222408 - Kill system threads by module name0x222400 - Remove notification callbacks by module name0x2220c0 - Load API0x222144 - Terminate process by their process ID0x222140 - Terminate thread by their thread ID0x222084 - Disable malware0x222664 - Reboot the machineOf particular interest is 0x222400, which can be used to blind security products by searching and removing all registered notification callbacks, an approach also adopted by other EDR-killing tools like EDRSandBlast and RealBlindingEDR.