Interlock ransomware operators have been observed using a new process-killing tool that abuses a zero-day flaw in a gaming anti-cheat kernel driver in an attempt to disable endpoint defenses (EDR/AV).
The activity was documented during an intrusion against a North America–based education organization and shows Interlock continuing to evolve its internal tooling rather than relying on a RaaS ecosystem.
In the investigated case, initial access was tied to MintLoader activity on an end-user system, followed by delivery of a legitimate Node.js runtime used to execute malicious JavaScript implants.
JavaScript stages align with reporting on “NodeSnakeRAT” and later “Interlock RAT,” which the operators used for persistence, discovery, and remote control (SOCKS5 proxy and command execution).
As the intrusion progressed, the actor also deployed ScreenConnect for GUI-based access and used common admin tradecraft (RDP, firewall allow rules) to move through the environment.
Interlock Ransomware Campaign
The standout development is a new bring‑your‑own‑vulnerable‑driver (BYOVD) tool, observed as a DLL (polers.dll) that FortiGuard IR refers to as “Hotta Killer.”

Indicators associated with the early stage of this intrusion directly correlate with those from a campaign reported by the eSentire Threat Response Unit in July this year, and with parts of the Interlock malware ecosystem previously reported by Mandiant.
The tool drops and installs a signed x64 kernel driver named UpdateCheckerX64.sys, which is a renamed anti‑cheat driver (originally GameDriverx64.sys) vulnerable to CVE‑2025‑61155.
Upon execution, the payload collects system information from the victim’s device by executing the ‘systeminfo’ command through PowerShell.
It creates a demand-start kernel driver service via standard Windows APIs (OpenSCManagerW, CreateServiceW, StartServiceW), meaning the driver is registered as a kernel-mode service rather than as a typical user-mode program.
Once loaded, the tool parses a command‑line keyword (for example “Forti”), turns it into a target pattern (such as Forti.exe), enumerates running processes, and extracts the PID of a match.
It then passes that PID to the driver using a device interface and calls DeviceIoControl, where the driver validates an IOCTL (0x222040) and a magic flag (0xFA123456) before calling ZwTerminateProcess to kill the selected process.
Mitigations
Operators attempted to keep the killer running using looped execution (a watchdog-like pattern), aiming to continuously suppress security tooling during the later ransomware stages.

Defender takeaways include hunting for unexpected kernel driver installations, suspicious service creation tied to new .sys files, and BYOVD telemetry that matches defense‑evasion attempts during hands‑on‑keyboard ransomware preparation.
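The hunting guidance above (unexpected kernel-driver installations and new services backed by fresh .sys files) and the service-creation behaviour described earlier (a demand-start kernel service created through CreateServiceW/StartServiceW) can be turned into a simple triage script. The Python below is an added example written for this page, not FortiGuard's or any vendor's tooling: it parses the message body of Windows System log Event ID 7045 ("A service was installed in the system") and scores kernel-driver installs by image location, by a watchlist of the two driver file names named in this report, and by start type. The sample events are constructed, and the scoring weights, the trusted-directory list and the `hunt` threshold are assumptions to tune for your own environment.

```python
"""Hunt for suspicious kernel-driver service installs in Windows System log
Event ID 7045 bodies, the telemetry a BYOVD loader leaves behind when it
registers its driver through CreateServiceW/StartServiceW."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import re

# Driver file names from the reported intrusion (renamed anti-cheat driver and its
# original name). A production hunt should also key on file hash and signer.
WATCHLIST_DRIVER_NAMES = {"updatecheckerx64.sys", "gamedriverx64.sys"}

# Directories where properly installed drivers normally live (lower-case substrings).
TRUSTED_DRIVER_DIRS = ("\\windows\\system32\\drivers\\", "\\windows\\system32\\driverstore\\")

# Labelled field lines as they appear in the 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):[ \t]*(.*)$",
    re.MULTILINE,
)

# Constructed sample events for offline testing; service names and paths are made up,
# only the first driver file name is taken from the report.
SAMPLE_EVENTS = [
    # 1) Demand-start kernel driver dropped into a user-writable directory (suspicious).
    "A service was installed in the system.\n\n"
    "Service Name:  UpdateCheckerX64\n"
    "Service File Name:  C:\\Users\\Public\\UpdateCheckerX64.sys\n"
    "Service Type:  kernel mode driver\n"
    "Service Start Type:  demand start\n"
    "Service Account:  ",
    # 2) Ordinary vendor driver in the standard driver directory (benign).
    "A service was installed in the system.\n\n"
    "Service Name:  ExampleNic\n"
    "Service File Name:  \\SystemRoot\\System32\\drivers\\examplenic.sys\n"
    "Service Type:  kernel mode driver\n"
    "Service Start Type:  demand start\n"
    "Service Account:  ",
    # 3) User-mode service, outside the scope of a driver hunt.
    "A service was installed in the system.\n\n"
    "Service Name:  ExampleUpdater\n"
    "Service File Name:  \"C:\\Program Files\\Example\\updater.exe\"\n"
    "Service Type:  user mode service\n"
    "Service Start Type:  auto start\n"
    "Service Account:  LocalSystem",
]


@dataclass
class Finding:
    service_name: str
    image_path: str
    score: int
    reasons: List[str] = field(default_factory=list)


def parse_7045(body: str) -> Dict[str, str]:
    """Extract the labelled fields of a 7045 message body into a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(body)}


def normalize_path(image_path: str) -> str:
    """Turn NT-style service image paths into a plain Win32 path for comparison."""
    p = image_path.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    elif low.startswith("system32\\"):
        p = "C:\\Windows\\System32\\" + p[len("system32\\"):]
    return p


def assess_event(body: str) -> Optional[Finding]:
    """Score one 7045 event; None for user-mode services or drivers with no indicators."""
    f = parse_7045(body)
    if "kernel mode driver" not in f.get("Service Type", "").lower():
        return None
    path = normalize_path(f.get("Service File Name", ""))
    low = path.lower()
    file_name = low.rsplit("\\", 1)[-1]
    score, reasons = 0, []
    if not any(d in low for d in TRUSTED_DRIVER_DIRS):
        score += 3  # weight is an assumption
        reasons.append(f"driver image outside standard driver directories: {path}")
    if file_name in WATCHLIST_DRIVER_NAMES:
        score += 5
        reasons.append(f"driver file name on watchlist: {file_name}")
    if "demand start" in f.get("Service Start Type", "").lower():
        score += 1  # weak signal on its own, matches the loader's service type
        reasons.append("demand-start kernel service, as created by the reported loader")
    return Finding(f.get("Service Name", "?"), path, score, reasons) if score else None


def hunt(events: List[str], min_score: int = 3) -> List[Finding]:
    """Assess a batch of 7045 bodies and keep only findings worth analyst triage."""
    found = [x for x in (assess_event(e) for e in events) if x is not None]
    return sorted((x for x in found if x.score >= min_score), key=lambda x: -x.score)


if __name__ == "__main__":
    for fnd in hunt(SAMPLE_EVENTS):
        print(f"[score {fnd.score}] {fnd.service_name} -> {fnd.image_path}")
        for r in fnd.reasons:
            print(f"    - {r}")
```

On a live host the same bodies come from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` or from the SIEM's copy of the System log; pairing a hit with the corresponding driver-load record (Sysmon Event ID 6, which carries the file hash and signer) lets the name-based watchlist be replaced with hash matches against a vetted vulnerable-driver blocklist.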
FortiGuard notes the tool is best described as an elevated process killer (not a “silver bullet” EDR bypass), and in this incident it did not fully disrupt the targeted Fortinet software’s operation.
Still, the technique matters because anti‑cheat drivers have a history of being repurposed by ransomware actors to gain kernel‑level leverage over defensive processes.