Kaspersky has discovered a vulnerability in ThrottleStop, a free tool used to control laptop processor performance, that has been exploited by the MedusaLocker ransomware operators during a recent attack on a Brazilian company. The attackers combined this flaw with a new variant of a known class of malware capable of lowering systems’ defenses. Kaspersky uncovered these findings during an incident investigation and has reported the vulnerability to the vendor. Kaspersky has also confirmed that its security solutions detect and block the malware.
ThrottleStop is freeware supported by TechPowerUp and is widely used by individual users who want more control over their Central Processing Unit (CPU) behavior – for example, to reduce heat and power consumption, or to achieve smoother performance on laptops.
Kaspersky’s Global Emergency Response Team (GERT) experts discovered the vulnerability in ThrottleStop during an attack investigation involving MedusaLocker ransomware. It has been assigned the ID CVE-2025-7771. MedusaLocker ransomware was discovered in September 2019 and is distributed under the Ransomware-as-a-Service scheme.
Kaspersky discovered that attackers used a new type of EDR-disabling malware[1] – a class of malicious software that is becoming increasingly common – and delivered it in a bundle with the vulnerable ThrottleStop.sys driver. Through a chain of steps, the vulnerability enabled the attackers to run their malicious code in kernel mode, escalate privileges, disable the EDR in place and then activate the ransomware. The ultimate goal of the cybercriminals was to encrypt valuable files as part of their ransomware campaign.
“ThrottleStop is a consumer tool designed for personal laptops – corporations usually do not use it due to strict security policies. In the observed incident, the tool was delivered in a bundle with the EDR-disabling malware. The vulnerable version of the driver exposes two so-called IOCTL interfaces — special communication channels between user and machine — that let regular software read from and write to physical memory. This insecure design can be abused by malicious actors to modify the Windows kernel and execute kernel functions with highest privileges”, says Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.
Kaspersky products detect the threats encountered in this incident as:
● Trojan-Ransom.Win32.PaidMeme.* (MedusaLocker variant)
● Trojan.Win64.KillAV.* (AV killer)
Based on Kaspersky telemetry and information collected from public threat intelligence feeds, the majority of victims affected by attempted attacks using the observed variant of EDR-disabling malware are in Russia, Belarus, Kazakhstan,
“While malware designed to disable security software is a known tactic, the variant discussed in our recent research appears to be a newly discovered one. It is believed to have been circulating in the wild since at least October 2024,” elaborates Cristian Souza. “This highlights the advanced capabilities of modern cybercriminals and underscores the importance of using security solutions with built-in self-defense mechanisms, such as Kaspersky, capable of preventing the alteration or termination of memory processes, deletion of application files on the hard drive, and changes in system registry entries. These capabilities help effectively counter various types of EDR-disabling malware, including the one described in our new research”.
The detailed analysis of the recent case is presented on Securelist. To mitigate similar attacks, businesses are advised to follow these best practices:
● Use security solutions that can monitor the presence of the known vulnerable drivers in the operating system.
● Implement strong hardening practices to protect servers against brute-force attacks and to restrict public exposure of remote-access protocols.
● System administrators should enforce least-privilege access, application whitelisting, network segmentation, and MFA for remote access. They must also maintain patch management, use automated vulnerability scanning, deploy IDS/IPS and EDR tools for threat detection, comprehensive logging and monitoring, and conduct regular security assessments and penetration tests to validate defenses.
● Threat protection services should implement self-defense mechanisms to prevent these attacks. This includes safeguarding application files from unauthorized modification, monitoring memory processes, and regularly updating detection rules on customers’ devices.
● Adopt managed security services by Kaspersky such as Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. This helps to protect against evasive cyberattacks, investigate incidents and obtain additional expertise even if a company lacks cybersecurity staff.
● To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change.
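The first recommendation above, monitoring for the presence of known vulnerable drivers, and the bring-your-own-vulnerable-driver pattern described earlier (a legitimately signed ThrottleStop.sys whose IOCTLs expose physical memory) can be turned into a concrete detection. The following script is an added example for this article, not Kaspersky's tooling: it checks Sysmon DriverLoad (Event ID 6) records against a block list of vulnerable driver names and build hashes. The block list hash, the sample events and their paths are constructed placeholders, not real indicators from the incident; the location and signature checks are generic hygiene heuristics, not findings from the page.

```python
"""Flag loads of known-vulnerable drivers (e.g. ThrottleStop.sys) in
Sysmon DriverLoad (Event ID 6) records.

Added example for this article; not Kaspersky's tooling. The block list
hash, the event records and the paths below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed block list keyed by lower-cased file name. A real deployment
# would populate it from a maintained vulnerable-driver catalogue and pin
# each entry to the SHA256 of the vulnerable builds. The hash below is a
# placeholder, not the real hash of the affected ThrottleStop.sys build.
VULNERABLE_DRIVERS = {
    "throttlestop.sys": {
        "sha256": {"placeholder-sha256-of-vulnerable-throttlestop-build"},
        "note": "CVE-2025-7771: IOCTLs allow physical memory read/write",
    },
}


@dataclass
class DriverLoad:
    utc_time: str
    image_loaded: str
    sha256: str
    signed: bool
    signature: str


def parse_hashes(field: str) -> dict[str, str]:
    """Parse a Sysmon 'Hashes' field ('SHA256=ab12..,MD5=..') into a dict."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def parse_record(rec: dict) -> DriverLoad:
    """Build a DriverLoad from the Sysmon event fields we care about."""
    hashes = parse_hashes(rec.get("Hashes", ""))
    return DriverLoad(
        utc_time=rec["UtcTime"],
        image_loaded=rec["ImageLoaded"],
        sha256=hashes.get("SHA256", ""),
        signed=rec.get("Signed", "false").lower() == "true",
        signature=rec.get("Signature", ""),
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the reasons this driver load deserves an alert (empty = clean)."""
    reasons: list[str] = []
    name = PureWindowsPath(load.image_loaded).name.lower()
    entry = VULNERABLE_DRIVERS.get(name)
    if entry:
        if load.sha256 in entry["sha256"]:
            reasons.append(f"known vulnerable build of {name}: {entry['note']}")
        else:
            # Same file name but an unknown hash: could be a patched build,
            # so ask for verification rather than staying silent.
            reasons.append(f"{name} is on the vulnerable list (hash not matched; verify version)")
    # Generic heuristic: drivers normally live under System32\drivers, so a
    # load from elsewhere (e.g. a user-writable folder) is worth a look.
    if "\\windows\\system32\\drivers\\" not in load.image_loaded.lower():
        reasons.append(f"driver loaded outside System32\\drivers: {load.image_loaded}")
    # Generic heuristic: an unsigned driver should not load on a hardened host.
    # Note that a BYOVD driver is typically validly signed, which is why the
    # name/hash match above is the primary signal, not this check.
    if not load.signed:
        reasons.append("driver is unsigned")
    return reasons


def scan(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Run assess() over every record and return (time, image, reasons) alerts."""
    alerts = []
    for rec in records:
        load = parse_record(rec)
        reasons = assess(load)
        if reasons:
            alerts.append((load.utc_time, load.image_loaded, reasons))
    return alerts


# Constructed sample events modelled on Sysmon Event ID 6 fields.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-01 10:00:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Hashes": "SHA256=placeholder-hash-of-disk-sys", "Signed": "true", "Signature": "Microsoft Windows"},
    {"UtcTime": "2025-01-01 10:05:00.000", "ImageLoaded": "C:\\Users\\Public\\ThrottleStop.sys",
     "Hashes": "SHA256=placeholder-sha256-of-vulnerable-throttlestop-build", "Signed": "true", "Signature": "placeholder-signer"},
    {"UtcTime": "2025-01-01 10:06:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ThrottleStop.sys",
     "Hashes": "SHA256=placeholder-hash-of-some-other-build", "Signed": "true", "Signature": "placeholder-signer"},
]

if __name__ == "__main__":
    for when, image, reasons in scan(SAMPLE_EVENTS):
        print(when, image)
        for r in reasons:
            print("   -", r)
```

The second sample event is the BYOVD case: the driver is signed, so a signature check alone says nothing, and only the name/hash match against the block list raises the alert. The third event shows why the name match should still fire with a lower-confidence reason when the hash is unknown, so that an unpatched build under an unexpected hash is not silently accepted.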
The Kaspersky Security Services
Kaspersky Security Services delivers hundreds of information security projects every year for Global Fortune 500 organizations worldwide: incident response, managed detection, SOC consulting, red teaming, penetration testing, application security and digital risk protection. The Global Emergency Response Team is a part of Security Services; it handles hundreds of incidents annually, building a clear picture of attacks and sharing response recommendations.