Kaspersky has discovered a vulnerability in ThrottleStop, a free tool used to control laptop processor performance, that has been exploited by the MedusaLocker ransomware operators during a recent attack on a Brazilian company.
The attackers combined this flaw with a new variant of a known class of malware capable of lowering systems’ defenses. Kaspersky uncovered these findings during an incident investigation and has reported the vulnerability to the vendor. Kaspersky has also confirmed that its security solutions detect and block the malware.
ThrottleStop is freeware supported by TechPowerUp and is widely used by individual users who want more control over their Central Processing Unit (CPU) behaviour – for example, to reduce heat and power consumption, or to achieve smoother performance on laptops.
Kaspersky’s Global Emergency Response Team (GERT) experts discovered the vulnerability in ThrottleStop during an attack investigation involving MedusaLocker ransomware. It has been assigned the ID CVE-2025-7771. MedusaLocker ransomware was discovered in September 2019 and is distributed under the Ransomware-as-a-Service scheme. It is known for attacking organisations within education, government, healthcare and technology industries for financial gain. It was seen to target countries in Europe and the Middle East.
Kaspersky discovered that the attackers used a new type of EDR-disabling malware – a class of malicious software that is becoming increasingly common – and delivered it in a bundle with the vulnerable ThrottleStop.sys driver. Through a chain of steps, the vulnerability let the attackers execute their malicious code in kernel mode, escalate privileges, disable the EDR that was in place and then launch the ransomware. The ultimate goal of the cybercriminals was to encrypt valuable files as part of their ransomware campaign.
“ThrottleStop is a consumer tool designed for personal laptops – corporations usually do not use it due to strict security policies. In the observed incident, the tool was delivered in a bundle with the EDR-disabling malware. The vulnerable version of the driver exposes two so-called IOCTL interfaces – special communication channels between user and machine – that let regular software read from and write to physical memory. This insecure design can be abused by malicious actors to modify the Windows kernel and execute kernel functions with highest privileges”, said Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.
Kaspersky products detect the threats encountered in this incident as:
● Trojan-Ransom.Win32.PaidMeme.* (MedusaLocker variant)
● Trojan.Win64.KillAV.* (AV killer)
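As an added example that is not Kaspersky's or TechPowerUp's code, the following Python script runs over constructed Sysmon DriverLoad (Event ID 6) records and flags loads of ThrottleStop.sys by driver name, by a placeholder SHA256 blocklist, and, as a heuristic that goes beyond the incident described here, by the driver being loaded from outside the system drivers directory. The hash values and log records are constructed placeholders.

```python
"""Flag suspicious kernel-driver loads in Sysmon Event ID 6 (DriverLoad) records.
Added example, not Kaspersky's or TechPowerUp's code; records and hashes are constructed."""
import ntpath

# The page names ThrottleStop.sys (CVE-2025-7771); the SHA256 set is a placeholder
# to be filled from a vetted source such as Microsoft's vulnerable-driver blocklist.
VULNERABLE_DRIVER_NAMES = {"throttlestop.sys"}
VULNERABLE_SHA256 = {"PLACEHOLDER_SHA256_OF_VULNERABLE_THROTTLESTOP_SYS"}
TRUSTED_DRIVER_DIR = ntpath.normcase(r"C:\Windows\System32\drivers")

# Constructed DriverLoad records: Sysmon field names, "Key: value" pairs joined by "|".
SAMPLE_EVENTS = [
    "UtcTime: 2025-07-01 10:12:03|ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys"
    "|Hashes: SHA256=PLACEHOLDER_NTFS|Signed: true|SignatureStatus: Valid",
    "UtcTime: 2025-07-01 10:15:41|ImageLoaded: C:\\Users\\Public\\svc\\ThrottleStop.sys"
    "|Hashes: SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_THROTTLESTOP_SYS"
    "|Signed: true|SignatureStatus: Valid",
]

def parse_event(line):
    """Split a flattened record into a dict keyed by Sysmon's field names."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def assess_driver_load(fields):
    """Return the reasons a DriverLoad event deserves a look; empty means benign."""
    image = fields.get("ImageLoaded", "")
    directory = ntpath.normcase(ntpath.dirname(image))
    # Sysmon writes Hashes as "ALG=digest,ALG=digest"; pick out SHA256.
    digests = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    reasons = []
    if ntpath.basename(image).lower() in VULNERABLE_DRIVER_NAMES:
        reasons.append("known vulnerable driver name (CVE-2025-7771)")
    if digests.get("SHA256") in VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if directory != TRUSTED_DRIVER_DIR and not directory.startswith(TRUSTED_DRIVER_DIR + "\\"):
        reasons.append("driver loaded from outside the system drivers directory")
    return reasons

def scan(lines):
    """Assess every record; return (ImageLoaded, reasons) for the flagged ones."""
    hits = []
    for fields in map(parse_event, lines):
        reasons = assess_driver_load(fields)
        if reasons:
            hits.append((fields.get("ImageLoaded", ""), reasons))
    return hits
```

A load of a driver with this name on a corporate endpoint is worth a look even when it is validly signed, since the vulnerability is in the driver's own IOCTL design rather than in its signature.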
Based on Kaspersky telemetry and information collected from public threat intelligence feeds, the majority of victims of attempted attacks using the observed variant of EDR-disabling malware are in Russia, Belarus, Kazakhstan, Ukraine and Brazil. EDR killers are a common class of malware used by various threat actors, including but not limited to MedusaLocker.
“While malware designed to disable security software is a known tactic, the variant discussed in our recent research appears to be a newly discovered one. It is believed to have been circulating in the wild since at least October 2024,” said Souza. “This highlights the advanced capabilities of modern cybercriminals and underscores the importance of using security solutions with built-in self-defense mechanisms, such as Kaspersky, capable of preventing the alteration or termination of memory processes, deletion of application files on the hard drive, and changes in system registry entries. These capabilities help effectively counter various types of EDR-disabling malware, including the one described in our new research”.