Hackers found a way to turn off Windows Defender remotely

The technique has been observed since mid-July 2025 and is already being used in active ransomware campaigns. The method doesn't rely on exploiting a software bug or delivering an obviously malicious file. Instead, it takes advantage of how the Windows driver system is designed to allow deep hardware access.

Let's discuss all you need to know about the attack and how you can stay safe.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

Once Defender is disabled, attackers can run other malicious programs undetected. GuidePoint says this method has been consistently spotted in Akira campaigns since mid-July.

The same group has also been linked to attacks targeting SonicWall VPN devices. SonicWall has stated that these incidents likely involve a known vulnerability, CVE-2024-40766, rather than a brand-new zero-day. The company recommends restricting VPN access, enabling multi-factor authentication, and disabling unused accounts as immediate defenses.

Researchers at GuidePoint have published a YARA detection rule, along with file names, service names, SHA-256 hashes, and file paths to help identify this activity. They recommend administrators actively monitor for these indicators, apply filtering and blocking rules as new IoCs emerge, and only download software from official or verified sources.

We reached out to Microsoft for a comment, but did not hear back before our deadline.

The Microsoft Defender attack is smart and dangerous, but you're not without defenses. Here are a few tips to help you stay safe:

Even with regular updates, Windows systems can be left exposed if built-in defenses are disabled. A strong antivirus software with real-time protection, kernel-level monitoring, and frequent updates can provide backup security. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at CyberGuy.com.

Many exploits rely on user interaction, such as clicking a shady link, downloading a compromised file, or mounting an untrusted virtual disk. Stick to reputable websites, avoid opening unsolicited email attachments, and use a browser with built-in security features (like Microsoft Edge or Chrome with Safe Browsing enabled).

Never paste or run commands (like PowerShell scripts) you don't understand or that were copied from random websites. Attackers often trick users into unknowingly running malware this way.

Regularly update your operating system, browsers, and all software applications. Updates often include patches for security vulnerabilities that malware can exploit.

Even with strong device security, your personal information may still be exposed online through data brokers and people-finder sites.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Akira's trick shows a bigger flaw in how Windows trusts certain tools. A driver meant for harmless CPU tuning ends up being the key to turning security off. Since it's from a legitimate source, Windows just lets it through without asking questions. We tend to think hackers always break in from the outside. Here, they're already inside the circle of trust, using the system's own rules.

Should Microsoft be doing more to stop ransomware groups from disabling Defender? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

Copyright 2025 CyberGuy.com.  All rights reserved.