A FortiGuard Labs report details how Interlock, a ransomware group, weaponised a zero-day in a gaming anti-cheat driver to target endpoints and terminate EDR processes, using a tool called Hotta Killer alongside a kernel driver named UpdateCheckerX64[.]sys. The renamed driver is a vulnerable version of GameDriverx64[.]sys (CVE-2025-61155), and the malware leverages the driver’s kernel-level privileges to disable security protections during the attack.
The intrusion, which began on 31 March 2025 with a MintLoader infection on a single laptop, spanned nearly seven months in the education sector, with activity intensifying in September as the group used AZcopy to exfiltrate over 250GB of data before moving to encryption on 10 October, deploying a Linux-based encryptor for Nutanix servers and a JavaScript payload (jar[.]jar) for Windows endpoints.
In the later stages, the actors also generated around 5,000 rogue user accounts across the victim’s domain, though researchers can only speculate on their purpose. According to FortiGuard Labs, Interlock demonstrated an ability to adapt techniques and tooling as mitigations evolve.
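Two of the behaviours in this report are detectable from standard Windows telemetry: a vulnerable driver loaded under a new file name, and a burst of account creations from one principal. The following is an added example (not code from FortiGuard Labs or the report) that runs both checks over constructed sample events in a simplified Sysmon event 6 / Security event 4720 shape; the driver hash is a placeholder, since the report gives none, and the thresholds and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder for the vulnerable driver's SHA-256 (the report gives no hash); a real
# deployment would load this set from a maintained vulnerable-driver blocklist.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_GAMEDRIVERX64"}

def _sha256_from_hashes(hashes_field):
    """Sysmon writes hashes as 'MD5=...,SHA256=...'; pull out the SHA-256 part."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return None

def find_vulnerable_driver_loads(events):
    """Sysmon event 6 (driver loaded): match on hash, so renaming the file does not help."""
    hits = []
    for ev in events:
        if ev.get("id") == 6 and _sha256_from_hashes(ev["Hashes"]) in VULNERABLE_DRIVER_SHA256:
            hits.append(ev["ImageLoaded"])
    return hits

def find_account_creation_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Security event 4720 (user account created): flag any creator that makes more
    than `threshold` accounts inside a sliding `window`; returns {creator: peak count}."""
    per_creator = defaultdict(list)
    for ev in events:
        if ev.get("id") == 4720:
            per_creator[ev["SubjectUserName"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for creator, times in per_creator.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged[creator] = max(flagged.get(creator, 0), end - start + 1)
    return flagged

# Constructed sample telemetry (not from the report): one renamed driver load, one benign
# driver load, and 30 accounts created by a single principal within two minutes.
SAMPLE_EVENTS = [
    {"time": "2025-10-10T01:00:00", "id": 6, "ImageLoaded": r"C:\Windows\Temp\UpdateCheckerX64.sys",
     "Hashes": "MD5=PLACEHOLDER,SHA256=PLACEHOLDER_SHA256_OF_GAMEDRIVERX64"},
    {"time": "2025-10-10T01:00:05", "id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "MD5=PLACEHOLDER,SHA256=PLACEHOLDER_SHA256_BENIGN"},
] + [
    {"time": (datetime(2025, 10, 10, 2, 0) + timedelta(seconds=4 * i)).isoformat(),
     "id": 4720, "TargetUserName": f"tmp{i:04d}", "SubjectUserName": "svc-backup"}
    for i in range(30)
]

if __name__ == "__main__":
    print(find_vulnerable_driver_loads(SAMPLE_EVENTS))   # ['C:\\Windows\\Temp\\UpdateCheckerX64.sys']
    print(find_account_creation_bursts(SAMPLE_EVENTS))   # {'svc-backup': 30}
```

Matching on the driver's hash rather than its file name is what makes the first check survive the rename the report describes; pair it with the blocklist your EDR or HVCI policy already enforces.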