CVE-2024-51324

BdApiUtil.sys — Baidu Antivirus driver abused by DeadLock and Warlock ransomware for EDR termination

Exploited in the Wild

Abused by DeadLock ransomware (Cisco Talos, July 2025) and Warlock/GOLD SALEM ransomware (Sophos, mid-2025).

Summary

Field                 Value
--------------------  ---------------------------------------------------
Driver                BdApiUtil.sys (Baidu Antivirus v5.2.3.116083)
Vendor                Baidu
Vulnerability Class   Improper Privilege Management / Process Termination
Exploited ITW         Yes (DeadLock, Warlock/GOLD SALEM ransomware)
Status                Not on Microsoft blocklist; still loadable

Root Cause

BdApiUtil.sys does not validate caller permissions. By opening the device via CreateFile() and sending IOCTL 0x800024b4, any unprivileged user invokes ZwTerminateProcess at kernel level, terminating any process including PPL-protected EDR agents.

Exploitation

Two ransomware campaigns abuse this driver:

DeadLock Ransomware (Cisco Talos, July 2025)

Uses a custom loader called EDRGay.exe that:

1. Drops BdApiUtil.sys (renamed to DriverGay.sys)
2. Loads it as a kernel service
3. Iterates through a hardcoded kill list of security products
4. Terminates each via IOCTL 0x800024b4
5. Deploys the encryption payload

Warlock / GOLD SALEM (Sophos, mid-2025)

Renames the driver to googleApiUtil64.sys for evasion. Same IOCTL abuse for EDR termination before ransomware deployment.

Exploitation Primitive

CreateFile("\\.\BdApiUtil") → IOCTL 0x800024b4 with target PID
  → ZwTerminateProcess (no privilege check)
  → kill EDR → deploy ransomware
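
Because both campaigns load the same driver under a different file name, a defender should hunt by file properties rather than by name alone. The following PowerShell check is an added example, not part of this advisory or any referenced vendor tooling: it enumerates installed kernel drivers and flags the Baidu driver under any on-disk name. It assumes the renamed copies still carry the original file name or a Baidu product string in their version resource, or a Baidu subject in their Authenticode signer.

```powershell
# Hunt for BdApiUtil.sys regardless of the file name it was dropped under.
# Names below come from the DeadLock and Warlock campaigns described above.
$knownNames = @('BdApiUtil.sys', 'DriverGay.sys', 'googleApiUtil64.sys')

Get-CimInstance Win32_SystemDriver | ForEach-Object {
    # PathName may be in NT form (\??\C:\...); strip the prefix for Get-Item.
    $path = $_.PathName -replace '^\\\?\?\\', ''
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Three independent heuristics; a renamed copy should still trip the last two
    # (assumption: the version resource and signature survive the rename).
    $reasons = @()
    if ($knownNames -contains (Split-Path $path -Leaf))          { $reasons += 'known-filename' }
    if ($vi.OriginalFilename -ieq 'BdApiUtil.sys' -or
        $vi.ProductName -match 'Baidu')                         { $reasons += 'version-info' }
    if ($signer -match 'Baidu')                                  { $reasons += 'signer' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service      = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            Path         = $path
            OriginalName = $vi.OriginalFilename
            FileVersion  = $vi.FileVersion
            Signer       = $signer
            MatchedOn    = ($reasons -join ',')
        }
    }
} | Format-Table -AutoSize
```

Run it elevated on a host of interest; any hit for a driver that was not installed by a legitimate Baidu Antivirus deployment is a BYOVD indicator, and the corresponding service name is what to stop, disable and collect for incident response.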

References