CVE-2025-61155 and Interlock ransomware: A converging threat

  • January 30, 2026

The Interlock ransomware group has weaponized a gaming anti-cheat driver vulnerability (CVE-2025-61155) in a sophisticated BYOVD attack chain to disable endpoint security tools before encryption. This novel technique emerged in campaigns targeting healthcare, defense, and education sectors across North America and Europe, with 60+ victims claimed since September 2024. The vulnerability's moderate severity rating obscures its actual danger when combined with ransomware operations.

The vulnerability hiding in plain sight

CVE-2025-61155 affects GameDriverX64.sys, a signed kernel-mode anti-cheat driver developed by Hotta Studio for the game "Tower of Fantasy." Published in the NVD on October 28, 2025, this vulnerability allows local attackers to crash arbitrary processes by sending specially crafted IOCTL requests—no administrative privileges required.

Attribute           Value
CVSS v3.1           5.5 (Medium)
Vector              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE                 CWE-400 (Uncontrolled Resource Consumption)
Affected Version    v7.23.4.7 and earlier
Attack Vector       Local, Low Complexity, Low Privileges

The technical exploitation mechanism is straightforward: a user-mode process opens a handle to the driver device (\\.\HtAntiCheatDriver), sends IOCTL code 0x222040 with flag 0xFA123456 and a target process ID, and the driver executes ZwTerminateProcess() in kernel context. Because the driver is legitimately signed, Windows trusts it completely—creating the perfect weapon for security evasion.

Interlock ransomware emerges as a capable adversary

First observed in late September 2024, Interlock operates as a closed, private ransomware group without affiliates or public recruitment—distinguishing it from typical Ransomware-as-a-Service operations. The group, also tracked as "Nefarious Mantis," employs double extortion tactics: exfiltrating sensitive data before encrypting systems and threatening public exposure on their "Worldwide Secrets Blog" TOR site.

Security researchers have noted low-confidence links to Rhysida ransomware based on code overlaps in encryptor binaries and similar hardcoded exclusion lists. Microsoft has also flagged potential connections to Vice Society (Vanilla Tempest). CISA and the FBI issued joint advisory AA25-203A on July 22, 2025, elevating Interlock to a recognized national-level threat.

Notable victims demonstrate Interlock's focus on high-value targets:

  • DaVita (April 2025): 2.7 million patients affected, 20+ TB exfiltrated, $13.5M in incident costs
  • City of St. Paul, Minnesota (July 2025): Municipal systems offline, 3,500 employees' data compromised
  • AMTEC/National Defense Corporation (2025): Defense contractor with classified documents exposed
  • Texas Tech University Health Sciences Center (2025): Healthcare system breach

The group's dwell time averages 15-24 days from initial access to ransomware deployment, though some intrusions extended beyond six months.

How Interlock weaponizes the vulnerability

The connection between CVE-2025-61155 and Interlock campaigns centers on a custom malware tool dubbed "Hotta Killer"—a BYOVD (Bring Your Own Vulnerable Driver) process-termination utility documented by Fortinet FortiGuard Labs in January 2026.

The attack chain operates as follows:

  1. Driver deployment: Interlock drops the legitimate, signed GameDriverX64.sys driver (renamed to UpdateCheckerX64.sys) onto target systems
  2. Service registration: The driver is installed as a kernel service using CreateServiceW and StartServiceW APIs
  3. Security targeting: A companion DLL (polers.dll) communicates with the driver, specifically targeting processes matching patterns like Forti* (Fortinet EDR/AV)
  4. Process termination: IOCTL requests trigger kernel-level process kills, bypassing user-mode protections
  5. Ransomware execution: With security tools neutralized, ransomware deploys unimpeded

The observed execution command demonstrates the targeted approach:

C:\windows\system32\rundll32.exe .\polers.dll start Forti*

This technique represents a significant evolution in ransomware operations—leveraging a video game's anti-cheat mechanism to defeat enterprise security tools.
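The following is an added example, not code from this post, from Fortinet or from CISA. It shows how a defender would hunt for the five-step chain above in endpoint telemetry: the Hotta Studio-signed driver being loaded under any file name, a kernel driver service being registered for it, and rundll32 launching polers.dll with the Forti* target pattern. The event records are constructed for the example and use Sysmon/System-log style field names (ImageLoaded, Signature, ImagePath, CommandLine) normalized into plain dicts; host names and the service name "UpdateChecker" are made up, since the post does not give them.

```python
"""Hunt for the Interlock BYOVD chain in Sysmon-style endpoint telemetry.

Example added to this post; not code from Fortinet, CISA or Interlock
analyses. Event records below are constructed and normalized to dicts
keyed with Sysmon / System log field names.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the post. The on-disk name is a weak signal because
# the driver was dropped as UpdateCheckerX64.sys; the Authenticode signer
# survives a rename, so the driver-load check matches on it as well.
DRIVER_SIGNER = "hotta studio"
DRIVER_FILE_NAMES = {"gamedriverx64.sys", "updatecheckerx64.sys"}
# Observed launch: rundll32.exe .\polers.dll start Forti*
KILLER_LAUNCH = re.compile(r"rundll32(?:\.exe)?\s+\S*polers\.dll\s+start\b",
                           re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    stage: str   # driver_load | service_install | killer_launch
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 6 (DriverLoad): match on signer or known file name."""
    if ev.get("EventID") != 6:
        return None
    name = basename(ev.get("ImageLoaded", ""))
    signer = ev.get("Signature", "").lower()
    if signer == DRIVER_SIGNER or name in DRIVER_FILE_NAMES:
        return Finding(ev["Computer"], "driver_load",
                       f"{ev.get('ImageLoaded')} signed by {ev.get('Signature')}")
    return None


def check_service_install(ev: dict) -> Optional[Finding]:
    """System Event ID 7045 (service installed): kernel service for the driver."""
    if ev.get("EventID") != 7045:
        return None
    if "kernel" not in ev.get("ServiceType", "").lower():
        return None
    if basename(ev.get("ImagePath", "")) in DRIVER_FILE_NAMES:
        return Finding(ev["Computer"], "service_install",
                       f"service {ev.get('ServiceName')} -> {ev.get('ImagePath')}")
    return None


def check_killer_launch(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 1 (ProcessCreate): rundll32 loading polers.dll."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if KILLER_LAUNCH.search(cmd):
        return Finding(ev["Computer"], "killer_launch", cmd)
    return None


CHECKS = (check_driver_load, check_service_install, check_killer_launch)


def hunt(events):
    """Run every check over every event; return findings in log order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


def chain_hosts(findings):
    """Hosts on which all three stages of the BYOVD chain were observed."""
    stages = defaultdict(set)
    for f in findings:
        stages[f.host].add(f.stage)
    return sorted(h for h, s in stages.items() if len(s) == len(CHECKS))


# Constructed telemetry: one host shows the full chain, one is benign noise.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS-FIN-07", "Signature": "Hotta Studio",
     "ImageLoaded": r"C:\Windows\System32\drivers\UpdateCheckerX64.sys"},
    {"EventID": 7045, "Computer": "WS-FIN-07", "ServiceName": "UpdateChecker",
     "ImagePath": r"C:\Windows\System32\drivers\UpdateCheckerX64.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 1, "Computer": "WS-FIN-07",
     "CommandLine": r"C:\windows\system32\rundll32.exe .\polers.dll start Forti*"},
    {"EventID": 6, "Computer": "WS-ENG-02", "Signature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"EventID": 1, "Computer": "WS-ENG-02",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.stage}] {f.host}: {f.detail}")
    print("full BYOVD chain on:", chain_hosts(results))
```

The driver-load check is the durable part: it keys on the signer rather than the file name, so a renamed copy still surfaces, and a hash-based rule (once the driver's hash is known from a vendor report) would be stronger still. The rundll32 match is tied to the command line Fortinet observed and should be treated as a brittle, high-confidence indicator rather than the primary detection.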

Comprehensive tactics, techniques, and procedures

Interlock's attack methodology spans the full MITRE ATT&CK framework with notable sophistication in several areas.

Initial access relies heavily on social engineering through ClickFix attacks—fake CAPTCHA prompts trick users into copying and executing malicious PowerShell commands. The group also distributes fake security software updates masquerading as legitimate tools: FortiClient.exe, GlobalProtect.exe, Cisco-Secure-Client.exe, and Ivanti-Secure-Access-Client.exe. These PyInstaller-packaged executables establish initial footholds through PowerShell backdoors.

Credential harvesting employs multiple commercial and custom tools including LummaStealer, BerserkStealer, and a custom stealer (cht.exe) alongside keyloggers (klg.dll). Kerberoasting and Mimikatz enable privilege escalation to domain administrator accounts.

Lateral movement occurs primarily through RDP with stolen credentials, supplemented by legitimate remote access tools (AnyDesk, ScreenConnect, PuTTY). For Linux and VMware ESXi environments, SSH access via plink.exe extends the group's reach to virtualization infrastructure.

Data exfiltration consistently uses AzCopy to Azure blob storage—a signature technique that enables rapid transfer of massive datasets (250GB+ observed in single incidents). WinSCP provides alternative extraction paths.

The ransomware itself targets Windows, Linux, and FreeBSD systems, appending .interlock, .1nt3rlock, or .gif extensions to encrypted files. Ransom notes (!__README__!.txt) are deployed via Group Policy Object for enterprise-wide distribution.

Conclusion

The convergence of CVE-2025-61155 and Interlock ransomware illustrates how attackers transform seemingly minor vulnerabilities into devastating weapons. A gaming anti-cheat driver—rated "Medium" severity for its process-termination capability—becomes a critical enabler when combined with ransomware operations targeting healthcare and critical infrastructure. Defenders must look beyond CVSS scores to assess real-world exploitation potential, implement defense-in-depth strategies against BYOVD techniques, and monitor for the specific indicators documented in CISA advisory AA25-203A. The absence of a vendor patch for the driver vulnerability makes proactive blocking through application control policies essential.