The notorious Medusa ransomware gang has adopted a new tactic that involves using a malicious Windows driver to cripple security defenses on infected machines. According to a new report from Elastic Security Labs, this dangerous approach allows attackers to disable antivirus programs, endpoint protection, and other security tools, giving the ransomware free rein.
Investigators discovered that Medusa operators deploy a driver named smuol.sys, which pretends to be a legitimate CrowdStrike Falcon driver. However, this file is anything but safe. It’s signed with a revoked digital certificate belonging to a Chinese vendor and is further protected with VMProtect, a known obfuscation tool often used by malware developers.
Elastic researchers dubbed this driver AbyssWorker and linked it to dozens of malware samples circulating between August 2024 and February 2025. Interestingly, these samples were all signed—likely with stolen certificates. However, Elastic clarified that these certificates aren’t unique to Medusa’s campaign. Instead, they are widely used in various malware attacks, making detection even more challenging.
Further analysis revealed that this malicious driver isn’t exclusive to the Medusa ransomware group. Previously, a similar driver appeared in social engineering attacks disguised as nbwdv.sys. Those campaigns led to stealthy backdoor infections rather than ransomware attacks.
What’s alarming is how the attackers ensured their driver executed without interruptions. They signed the driver with an expired certificate. To bypass this issue, the hackers used a batch file to stop the Windows Time Service and reset the system clock to 2012—making the expired certificate appear valid. A separate controller binary was then used to communicate with the driver.
Once active, AbyssWorker initiates a self-protection mode. It scans for any system handles linked to its processes and removes them to evade detection. From there, the driver gives attackers broad control over the compromised machine.
Elastic’s breakdown of AbyssWorker revealed the driver’s dangerous capabilities. It allows operations such as manipulating files and processes, tampering with APIs, removing system hooks, shutting down drivers, and even forcing system reboots. This level of control enables Medusa to terminate or permanently disable any security software standing in its way.
Additionally, Elastic found that the driver relies heavily on kernel-level APIs to execute its tasks. To showcase the threat, Elastic created an example implementation showing how easily these APIs can be loaded to perform malicious operations.
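A defender-side detection sketch for the loading sequence described above (Windows Time Service stopped, system clock rolled back by years, then a new kernel-mode driver installed). This is an added example, not code from the article or from Elastic's report: the pipe-delimited log format and the sample lines are constructed for the example, and the Windows Event IDs it keys on (7036 service state change, 4616 system time changed, 7045 new service installed) are standard IDs that the article itself does not mention.

```python
"""Detection sketch (added example, not Elastic's or the article's code).

Correlates, per host, the pattern the article describes: Windows Time service
stopped, system clock rolled back by a large amount, then a kernel-mode driver
service installed shortly afterwards. Log format and sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Pipe-delimited: collector_receive_time|event_id|host|key=value...
# The first field is the time the collector received the event, NOT the host's
# own clock: after a rollback the host timestamps are exactly what cannot be trusted.
# Event IDs are the standard Windows ones: 7036 service state change,
# 4616 system time changed, 7045 new service (here: driver) installed.
SAMPLE_LOG = r"""
2025-02-10T09:00:01Z|7036|WS-17|service=Windows Time|state=stopped
2025-02-10T09:00:03Z|4616|WS-17|previous=2025-02-10T09:00:03Z|new=2012-06-01T09:00:03Z|process=cmd.exe
2025-02-10T09:00:09Z|7045|WS-17|service=smuol|image=C:\Windows\System32\drivers\smuol.sys|type=kernel mode driver
2025-02-10T09:05:00Z|4616|WS-22|previous=2025-02-10T09:05:00Z|new=2025-02-10T09:05:02Z|process=svchost.exe
2025-02-10T09:05:10Z|7045|WS-22|service=vmxnet3|image=C:\Windows\System32\drivers\vmxnet3.sys|type=kernel mode driver
"""


@dataclass
class Event:
    received: datetime  # collector receive time (see note above)
    event_id: int
    host: str
    fields: dict


def parse_iso(s: str) -> datetime:
    # 'Z' suffix is accepted by fromisoformat only from Python 3.11; normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_line(line: str) -> Event:
    parts = line.strip().split("|")
    received, event_id, host = parts[0], int(parts[1]), parts[2]
    kv = dict(p.split("=", 1) for p in parts[3:])
    return Event(parse_iso(received), event_id, host, kv)


def detect(lines, window=timedelta(minutes=10), min_rollback=timedelta(days=365)):
    """Return one alert per (large clock rollback -> kernel driver install) pair.

    4616 is also logged for ordinary NTP corrections, so only rollbacks of at
    least `min_rollback` count; a forward jump is never a rollback.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e.received)
    by_host: dict = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.event_id != 4616:
                continue
            rollback = parse_iso(e.fields["previous"]) - parse_iso(e.fields["new"])
            if rollback < min_rollback:
                continue
            # Was the time service stopped just before the rollback? (Stops NTP
            # from correcting the clock again; raises confidence, not required.)
            time_svc_stopped = any(
                p.event_id == 7036
                and p.fields.get("service") == "Windows Time"
                and p.fields.get("state") == "stopped"
                and e.received - p.received <= window
                for p in evs[:i]
            )
            for n in evs[i + 1:]:
                if n.received - e.received > window:
                    break
                if n.event_id == 7045 and n.fields.get("type") == "kernel mode driver":
                    alerts.append({
                        "host": host,
                        "driver": n.fields.get("image", ""),
                        "rollback_days": rollback.days,
                        "time_service_stopped": time_svc_stopped,
                        "set_by": e.fields.get("process", ""),
                    })
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The sample deliberately includes a second host whose clock moves forward by two seconds before a legitimate driver install; the rollback threshold keeps that quiet, so only the WS-17 sequence fires. In a real pipeline the collector receive time should come from the SIEM or agent, because once the host clock has been rolled back its own event timestamps will sort out of order.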