CVE-2025-61155
Published: 2025-10-28
Priority: P187 · medium · 5.5 (CVSS 3.1)
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.27% (19.2th percentile)
The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process can open a handle to the driver device and send specially crafted IOCTL requests. These requests are executed in kernel-mode context without proper authentication or access validation, allowing the attacker to terminate arbitrary processes, including critical system and security services, without requiring administrative privileges.
Detection & IOCs (extracted from sources)
- CVE-2025-61155 is exploited via BYOVD: a user-mode process opens a handle to the GameDriverX64.sys device and sends specially crafted IOCTL requests in kernel-mode context without authentication, enabling termination of arbitrary processes including EDR/AV without admin privileges.
- Hunt for GameDriverX64.sys (Tower of Fantasy anti-cheat driver) loaded on non-gaming hosts, particularly in enterprise/EDR environments — its presence is a strong BYOVD indicator for CVE-2025-61155 exploitation.
- MintLoader initial access uses a time-based URL path (Unix epoch floored to 16-second intervals) for payload retrieval; the PowerShell pattern `$w - ($w % 16)` is a distinctive signature for this loader's C2 beacon URL construction.
- CVE-2025-61155 affects GameDriverX64.sys v7.23.4.7 and earlier; versions beyond this threshold are not confirmed vulnerable.
- The Interlock RAT JavaScript payloads use randomized string-retrieval function names per build (e.g., 'a0n()'), so string-based static detection rules targeting specific function names will have limited coverage across samples.
- Backdoor.Turn C2 traffic is indistinguishable from legitimate Microsoft Teams TURN relay traffic at the network layer; network-based detection relying solely on destination IP/domain blocking of Microsoft infrastructure will generate false positives or miss the malware entirely.
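Two of the hunting signals above (a GameDriverX64.sys driver load on a non-gaming host, and the MintLoader `$w - ($w % 16)` epoch-flooring expression in PowerShell script blocks) turned into a small log scan. This is an added example, not code from the page or its sources; the Sysmon Event ID 6 and PowerShell Event ID 4104 records, host names and URLs are constructed, and the "GAMING" host-name tag is an assumed naming convention.

```python
import re

# Constructed sample events (not from the page): Sysmon driver-load (Event ID 6)
# and PowerShell script-block (Event ID 4104) records reduced to dicts.
SAMPLE_EVENTS = [
    {"host": "FIN-WS-17", "event_id": 6, "image": r"C:\Windows\Temp\GameDriverX64.sys"},
    {"host": "GAMING-PC-02", "event_id": 6, "image": r"C:\Program Files\ToF\GameDriverX64.sys"},
    {"host": "FIN-WS-17", "event_id": 6, "image": r"C:\Windows\System32\drivers\ndis.sys"},
    {"host": "HR-WS-03", "event_id": 4104,
     "script": "$w=[int](Get-Date -UFormat %s);$u='http://c2.example.invalid/'+($w - ($w % 16))"},
    {"host": "HR-WS-03", "event_id": 4104, "script": "Get-Process | Where-Object CPU -gt 100"},
]

DRIVER_NAME = "gamedriverx64.sys"  # driver named in CVE-2025-61155
GAMING_HOST_TAG = "GAMING"         # assumption: gaming endpoints carry this tag in their hostname

# `$w - ($w % 16)`: the epoch value floored to a 16-second boundary. The backreference
# requires the same variable on both sides, so an unrelated `$a - ($b % 16)` does not match.
MINTLOADER_RE = re.compile(r"\$(\w+)\s*-\s*\(\s*\$\1\s*%\s*16\s*\)")


def driver_basename(image_path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, gaming_tag: str = GAMING_HOST_TAG):
    """Return (host, finding, detail) tuples for the two hunting signals."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("event_id") == 6:
            # Signal 1: the anti-cheat driver loaded on a host that should not be gaming.
            image = ev.get("image", "")
            if driver_basename(image) == DRIVER_NAME and gaming_tag not in host.upper():
                findings.append((host, "byovd-driver-load", image))
        elif ev.get("event_id") == 4104:
            # Signal 2: MintLoader's time-bucketed URL construction in a script block.
            m = MINTLOADER_RE.search(ev.get("script", ""))
            if m:
                findings.append((host, "mintloader-url-pattern", m.group(0)))
    return findings


if __name__ == "__main__":
    for host, kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: {kind}: {detail}")
```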
CVSS provenance
NVD (v3.1): 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
VulnCheck: 5.5 MEDIUM
GHSA
GHSA-9qfv-m6w2-fhch: Hotta Studio GameDriverX64 (ghsa_unreviewed · 2025-10-28 · CVE-2025-61155 [MEDIUM] · CWE-400)
Hotta Studio GameDriverX64.sys 7.23.4.7, a signed kernel-mode anti-cheat driver, allows local attackers to cause a denial of service by crashing arbitrary processes via sending crafted IOCTL requests.
VulnCheck
CVE-2025-61155 [MEDIUM] Uncontrolled Resource Consumption (vulncheck · 2025 · CVSS 5.5)
Affected: Hotta Studio GameDriverX64.sys
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
No detection rules found.
No public exploits indexed.
Hackernews
DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic (blogs_hackernews · 2026-06-18 · tagged CVE-2023-52271)
## DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.
According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.
"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN
Bleepingcomputer
Ransomware gang abuses Microsoft Teams relays to hide malicious traffic (blogs_bleepingcomputer · 2026-06-16 · tagged CVE-2023-52271)
## Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
By Bill Toulas
DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
DragonForce is a ransomware operation active since at least 2023 that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.
According to researchers at the cybersecurity company Symantec, the hackers used custom Go-based malware in an attack against a major U.S. services company.
Fortinet
Interlock Ransomware: New Techniques, Same Old Tricks | FortiGuard Labs (blogs_fortinet · 2026-01-29)
FortiGuard Labs Threat Research
# Interlock Ransomware: New Techniques, Same Old Tricks
Inside a multi-month Interlock ransomware intrusion and the evolving tradecraft behind it
By Mark Robson, Omar Avilez Melo, John Simmons, Ken Evans, Jared Betts, Angelo Deveraturda and Xiaopeng Zhang | January 29, 2026
Affected Platforms: North American Organizations – Education Sector
Threat Type: Financially Motivated (Ransomware)
Impact: Data Theft and Encryption, Extortion
Severity Level: Moderate
## Executive Summary
The Interlock ransomware group continues to compromise organizations worldwide, with a focus on UK- and US-based organi