Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 1 actorExploits 1 CVE

Hotta Killer

Hotta Killer is a custom evasion and process-killing malware tool associated with the Interlock ransomware group. It is described as a Bring Your Own Vulnerable Driver (BYOVD) utility used to disable endpoint security controls before ransomware execution, particularly EDR and AV products. Multiple sources in the content state that it exploits a zero-day vulnerability in the legitimate, digitally signed gaming anti-cheat driver GameDriverx64.sys, tracked as CVE-2025-61155, which Interlock drops under the renamed filename UpdateCheckerX64.sys. The tool is implemented as a DLL identified as polers.dll and is executed via rundll32.exe; it reportedly creates a symbolic link to communicate with the driver and passes target process IDs so the driver can terminate them from kernel space, including via ZwTerminateProcess(). The content specifically notes targeting of Fortinet security software and processes matching patterns such as Forti*.exe, and cites its use against FortiEDR. Hotta Killer was reported in Interlock intrusions against education-sector organizations in the United States, United Kingdom, and a North American education victim, where it was used alongside ClickFix social engineering, MintLoader, NodeSnakeRAT, AZcopy-based data exfiltration, and subsequent ransomware deployment against Windows endpoints and Nutanix hypervisors. High-confidence indicators directly mentioned in the content include polers.dll, UpdateCheckerX64.sys, GameDriverx64.sys, CVE-2025-61155, and in one report the hashes polers.dll SHA1 3B9B2D5934F9ED1E3A000A760A6FA90422E8A555 and UpdateCheckerX64.sys SHA1 7556AE58C215B8245A43F764F0676C7A8F0FDD1A.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2025-61155Improper authorization in GameDriverX64.sys IOCTL handler allows arbitrary process terminationExploited in the wild

1.hotta Killer (Interlock): exploits a gaming anti-cheat driver zero-day (CVE-2025-61155) to attack FortiEDR | Hotta Killer (Interlock): exploits a gaming anti-cheat driver zero-day (CVE-2025-61155) to attack FortiEDR

via ahnlab asec blogasec.ahnlab.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Interlock

Such ransomware deployment has been concealed by Interlock through the custom Hotta Killer evasion tool, which harnesses a zero-day flaw in the legitimate gaming anti-cheat driver GameDriverx64.sys, tracked as CVE-2025-61155, as part of a Bring Your Own Vulnerable Driver attack.

via scworldscworld.com
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068Exploitation for Privilege EscalationEvidence2
TacticPrivilege Escalation

"harnesses a zero-day flaw in the legitimate gaming anti-cheat driver GameDriverx64.sys, tracked as CVE-2025-61155" | "custom Hotta Killer evasion tool, which harnesses a zero-day flaw in the legitimate gaming anti-cheat driver GameDriverx64.sys... as part of a Bring Your Own Vulnerable Driver attack"

Stealth

1 technique
T1211Exploitation for Defense EvasionEvidence1
TacticStealth

1.hotta Killer (Interlock): exploits a gaming anti-cheat driver zero-day (CVE-2025-61155) to attack FortiEDR

Other

1 technique
T1562.001Disable or Modify ToolsEvidence2

"kernel termination of security software prior to encryption activities"

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
ahnlab asec blogNews
Apr 9, 2026
Q1 2026 Attack Technique Trends Report - ASEC

A tool/malware referred to as Hotta Killer, also called Interlock, that exploits a gaming anti-cheat driver zero-day to target and disable or attack FortiEDR.

Read more
cyber security newsNews
Feb 8, 2026
Cybersecurity Weekly Newsletter - Notepad++ hack, Office 0-Day, ESXi 0-day Ransomware Attacks and More

Defense-evasion tool used by Interlock ransomware actors to disable EDR/AV by exploiting a vulnerable gaming anti-cheat driver (zero-day cited).

Read more
scworldNews
Feb 6, 2026
Interlock ransomware bolsters stealth in new attacks | SC Media

A custom evasion tool used to disable/terminate security software at the kernel level by abusing a vulnerable legitimate driver (BYOVD) prior to ransomware encryption.

Read more
cyber security newsNews
Feb 4, 2026
Interlock Ransomware Actors New Tool Exploiting Gaming Anti-Cheat Driver 0-Day to Disable EDR and AV

Custom EDR/AV bypass tool using BYOVD: drops/loads a renamed vulnerable driver to gain kernel-level capability to terminate security processes, enabling ransomware deployment.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.