How Malicious Drivers Are Silencing Endpoint Security

Endpoint detection and response (EDR) tools are the first line of defense against malware on modern networks. They monitor system activity in real-time, flag suspicious behavior, and help security teams contain threats before they spread. But attackers have found a way to strike at the heart of these systems by turning the operating system against itself.

A growing number of cybercriminal groups are exploiting vulnerabilities in signed drivers or creating their own malicious versions to run code at the kernel level. Once there, they can bypass security controls, disable defenses, and quietly carry out attacks without triggering alarms.

One of the latest examples is AbyssWorker, a malicious driver that helps deploy MEDUSA ransomware. It’s signed with a revoked certificate from a Chinese vendor and engineered to manipulate low-level Windows functions to disable EDR tools.

AbyssWorker Unmasked

AbyssWorker first surfaced in reports from ConnectWise in late 2023, flagged as part of an attack chain delivering the MEDUSA ransomware. But it wasn’t until Elastic Security Labs took a closer look that the full scope of its capabilities came into focus.

According to Elastic’s analysis, the malware arrives in stages. It begins with a loader packed with the Heartcrypt crypter, which helps it avoid detection. That loader then drops the AbyssWorker driver, which disables security tools and clears a path for the final payload.

By the time the ransomware is deployed, endpoint defenses have been neutralized. What makes AbyssWorker especially dangerous is its ability to actively disable protections, giving ransomware free rein to encrypt files, demand payment, and lock down systems.

Technical Deep Dive: AbyssWorker's Malicious Capabilities

Ordinarily, Windows would block drivers signed with expired or revoked certificates. But the attackers sidestepped this by disabling the Windows Time Service and backdating the system clock to 2012, tricking the OS into accepting the certificate as valid. This allows the driver to masquerade as legitimate and run unchecked.

Once loaded, AbyssWorker sets up its defenses. It protects itself during initialization, making it harder for analysts or automated tools to tamper with it. Then, it starts stripping handles from key processes, cutting off the ability of security tools to monitor or interfere with its activity.

From there, it gets more aggressive. The driver terminates processes tied to endpoint security, manipulates files and processes, removes user-mode hooks, and loads APIs directly from disk to avoid triggering alarms. In some cases, it forces a system reboot to keep security tools permanently disabled.

Real-world Impact: Medusa Ransomware

AbyssWorker is a tool built for profit. Disabling defenses before the ransomware hits increases the odds that the attack will succeed and that victims will pay.

That’s a serious threat to businesses and critical infrastructure. With defenses neutralized, attackers can lock systems and bring operations to a halt. Recovery becomes more complex and costly, especially when backups are targeted or unavailable.

What makes remediation harder is how well AbyssWorker hides. Its ability to operate at the kernel level and strip away monitoring hooks means traditional detection tools may not see it coming.

“The Medusa malware is living up to its name, finding new ways to infect hosts even after one method has been blocked. ... Security teams should be on alert for any systems that have a time change and review end user permissions to prevent the user from stopping the time service,” said Thomas Richards, Principal Consultant at Black Duck.

Broader Trend: Cybercriminals "Bring Your Own Driver"

AbyssWorker is part of a larger trend that security researchers call “Bring Your Own Driver,” or BYODrv. Attackers bring a vulnerable or malicious driver with them, load it into the system, and use it to disable security controls or gain elevated access.

In some cases, they use legitimate drivers with known flaws. In others, they sign their own drivers using stolen or expired certificates. Either way, attackers get kernel-level privileges and bypass protections.

Similar techniques have been used in campaigns involving drivers like FiveSys and Netfilter—trusted at one time but later repurposed for malicious use. The BYODrv tactic is gaining popularity because it’s effective, and most endpoint tools aren’t designed to catch threats while operating this deep in the system.

Industry Response and Challenges

The security industry is aware of the threat, but defending against it is another story. Most endpoint tools operate at the user level, while drivers like AbyssWorker run at the kernel level, giving attackers a built-in advantage.

Traditional antivirus and EDR solutions often miss these threats because the driver looks legitimate or uses a real certificate. Even when suspicious behavior is logged, it may be buried under routine system noise.

“Security teams must acknowledge that attackers increasingly utilize kernel-level access to shut down defenses,” said Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “This calls for a defense-in-depth strategy that transcends conventional endpoint protection.”

Defensive Strategies and Recommendations

Stopping threats like AbyssWorker starts with enforcing driver integrity and certificate validation. Systems should reject drivers signed with expired or revoked certificates, and those checks shouldn’t be disabled for convenience.

“Monitoring, logging, and detection of system configuration changes—in this case, the system time changes—are the pillar where the whole system failed,” said Boris Cipot, Senior Security Engineer at Black Duck. He recommends combining strong endpoint protection with strict policy enforcement and system-level safeguards like secure boot, code integrity policies, and Microsoft’s driver blocklist.
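As an added illustration of the monitoring Cipot describes (example code written for this page, not from the article or any vendor): a small Python detector that runs over constructed Windows event records, flags a stopped Windows Time service and a large backward clock change, and correlates the two per host. Event IDs 4616 and 7036 are real Windows event IDs; the record layout, host names, users and paths are constructed sample values.

```python
import json
from datetime import datetime, timezone

# Constructed sample records, loosely modelled on Windows Security event 4616
# ("The system time was changed") and System event 7036 (service state change).
# They are illustrative inputs for this example, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 7036, "Host": "WS-042", "Subject": "CORP\\jdoe",
     "Service": "Windows Time", "State": "stopped"},
    {"EventID": 4616, "Host": "WS-042", "Subject": "CORP\\jdoe",
     "PreviousTime": "2025-03-20T10:15:00Z", "NewTime": "2012-01-01T10:15:00Z",
     "Process": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4616, "Host": "WS-043", "Subject": "NT AUTHORITY\\LOCAL SERVICE",
     "PreviousTime": "2025-03-20T10:15:00Z", "NewTime": "2025-03-20T10:15:02Z",
     "Process": "C:\\Windows\\System32\\svchost.exe"},
]

# A backward clock shift larger than this (in seconds) is treated as suspicious;
# routine NTP corrections are far smaller than a day.
MAX_BACKWARD_SHIFT = 24 * 3600

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def analyze(events):
    """Return one finding per suspicious event: time service stopped, or clock rolled back."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7036 and ev["Service"] == "Windows Time" and ev["State"] == "stopped":
            findings.append({"Host": ev["Host"], "Indicator": "time_service_stopped",
                             "Subject": ev["Subject"]})
        elif ev["EventID"] == 4616:
            shift = (_ts(ev["PreviousTime"]) - _ts(ev["NewTime"])).total_seconds()
            if shift > MAX_BACKWARD_SHIFT:
                findings.append({"Host": ev["Host"], "Indicator": "clock_rolled_back",
                                 "Subject": ev["Subject"], "DaysBack": int(shift // 86400),
                                 "Process": ev["Process"]})
    return findings

def correlate(findings):
    """Hosts showing both indicators: the sequence the article describes before the driver loads."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["Host"], set()).add(f["Indicator"])
    return {h for h, inds in by_host.items() if {"time_service_stopped", "clock_rolled_back"} <= inds}

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    print(json.dumps(found, indent=2))
    print("hosts with both indicators:", sorted(correlate(found)))
```

The small forward adjustment on WS-043 is ignored, while WS-042 is reported for both the stopped service and a clock rolled back to 2012.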

Finally, security vendors and OS providers need to work together to tighten driver controls and improve visibility into low-level system behavior. That collaboration is key to closing the gap threats like AbyssWorker exploit.

Navigating the Abyss

AbyssWorker is a reminder that attackers are going deeper—past application-level defenses and straight into the kernel. Abusing outdated certificates and manipulating system functions disables the tools meant to stop it. Once inside, it clears the path for ransomware to do maximum damage.

This is part of a larger shift toward driver-based attacks that exploit blind spots in endpoint security. As long as kernel-level defenses remain misconfigured or inactive, these tactics will keep working.

Security teams need to act. That means enforcing strict driver policies, enabling built-in protections, and expanding monitoring to catch subtle signs of compromise. It also means rethinking long-term security architecture because attackers aren’t staying at the surface, and defenders can’t either.

Author
  • Contributing Writer, Security Buzz
    Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.