
From Armillaria loader to EDR killer

ID: 5554b28e-645c-5e9f-b29a-dcb1bc4a804f

STIX ID: report--5554b28e-645c-5e9f-b29a-dcb1bc4a804f

Feed Name: ThreatLocker Blog

Threat Score: 80/100

Date Published: 2025-12-12

Date Updated: 2026-05-01


ThreatLocker Threat Intelligence analyzed an Armillaria loader (version.dll) and a second-stage EDR killer (owned2.dll) linked to Akira ransomware affiliates. The loader drops an embedded payload that is executed via rundll32.exe. The second stage leverages a vulnerable ThrottleStop driver (rwdrv.sys) to load an unsigned malicious driver (hlpdrv.sys), which can terminate endpoint security processes, modify DACLs and security descriptors, and render files inaccessible. Both samples include locale-based execution checks that abort on systems in CIS countries. The report provides SHA-256 hashes and mitigation guidance for customers.
