CVE-2024-51324

BdApiUtil.sys -- Baidu Antivirus driver abused by DeadLock and Warlock ransomware for EDR termination

Exploited in the Wild

Abused by DeadLock ransomware (reported by Cisco Talos, July 2025) and by Warlock/GOLD SALEM ransomware (reported by Sophos, mid-2025).

Summary

Driver:              BdApiUtil.sys (Baidu Antivirus v5.2.3.116083)
Vendor:              Baidu
Vulnerability class: Improper Privilege Management / Process Termination
Exploited ITW:       Yes (DeadLock, Warlock/GOLD SALEM ransomware)
Status:              Not on Microsoft blocklist; still loadable

Root Cause

BdApiUtil.sys is a kernel driver shipped with Baidu Antivirus. It creates a device object, reachable from user mode as \\.\BdApiUtil, and accepts IOCTLs from user-mode processes. IOCTL 0x800024b4 takes a PID in the IOCTL input buffer, and its handler calls ZwTerminateProcess from kernel mode on the process identified by that PID.

The handler validates neither the caller's identity nor its privileges, and it does not check whether the target is a protected process. Any process that can open a handle to the device via CreateFile("\\.\BdApiUtil") can therefore terminate any other process on the system, including PPL (Protected Process Light) processes. Because the termination is performed from kernel mode, the protected-process checks that stop user-mode code from opening a PPL process for termination are not applied, so EDR agents, antivirus services, and other security products running as protected processes can be killed by an unprivileged caller through this driver.

The driver carries a valid Authenticode signature and is not included in Microsoft's recommended driver block rules, so Driver Signature Enforcement and HVCI both allow it to load. It loads on systems with HVCI enabled.
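To see what the I/O manager does and does not check for that control code, the following added example (not code from the advisory, from Baidu, or from either ransomware loader) decodes 0x800024b4 using the documented CTL_CODE field layout. The only external fact it relies on is that layout; the function and constant names are this example's own.

```python
"""Decode a Windows IOCTL control code into its CTL_CODE fields.

Added example; not code from the advisory, from Baidu, or from the ransomware
loaders. The field layout is the documented CTL_CODE macro from winioctl.h:
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
"""

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
# FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2; the two bits may be combined.
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}

# Control code the advisory attributes to the process-termination handler.
BDAPIUTIL_KILL_IOCTL = 0x800024B4


def ctl_code(device_type, function, method, access):
    """Python equivalent of the CTL_CODE macro."""
    return (((device_type & 0xFFFF) << 16) | ((access & 3) << 14)
            | ((function & 0xFFF) << 2) | (method & 3))


def decode_ioctl(code):
    """Split a 32-bit control code into its four fields plus two range hints."""
    device_type = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    return {
        "device_type": device_type,
        "access": ACCESS[(code >> 14) & 3],
        "function": function,
        "method": METHODS[code & 3],
        # Device types 0x8000 and above, and function codes 0x800 and above,
        # are the ranges Microsoft leaves to third-party vendors.
        "vendor_device_type": device_type >= 0x8000,
        "vendor_function": function >= 0x800,
    }


if __name__ == "__main__":
    fields = decode_ioctl(BDAPIUTIL_KILL_IOCTL)
    for key, value in fields.items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:20} {shown}")
    # Round-trip: re-encoding the decoded fields must give the original code.
    assert ctl_code(fields["device_type"], fields["function"], 0, 0) == BDAPIUTIL_KILL_IOCTL
```

The decode shows device type 0x8000, function 0x92D, METHOD_BUFFERED and FILE_ANY_ACCESS. The last field is the one that matters for the advisory: with FILE_ANY_ACCESS the I/O manager forwards the request to the driver for any caller that holds a handle to the device object, regardless of the access rights the handle was opened with, so the only gates are the device object's DACL and whatever the handler checks itself. METHOD_BUFFERED means the PID arrives in the system buffer the I/O manager copies from the caller's input buffer.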

Exploitation

Two separate ransomware campaigns have weaponized this driver in BYOVD attacks:

DeadLock Ransomware (Cisco Talos, July 2025) -- The operators deploy a custom loader, EDRGay.exe, that writes BdApiUtil.sys to disk under the name DriverGay.sys, registers and starts it as a kernel service, and then walks a hardcoded kill list of security product process names. For each listed process found running, the loader sends IOCTL 0x800024b4 with that process's PID. With the security products gone, the ransomware encryption payload runs without interference.

Warlock / GOLD SALEM (Sophos, mid-2025) -- This campaign takes a slightly different operational approach: the driver is renamed to googleApiUtil64.sys so that it blends in with legitimate Google software, and the same IOCTL abuse terminates EDR products before the ransomware is deployed. The renaming shows that the operators expect file-name based detection of the original driver.

Both campaigns demonstrate the same fundamental attack pattern: a legitimately signed driver that can kill any process becomes a universal EDR bypass once an attacker drops and loads it. Note that loading the driver requires administrative rights (creating a kernel service needs SeLoadDriverPrivilege), so the driver is not a privilege escalation vector in these intrusions; its value to the attacker is that it kills PPL processes that even an administrator cannot terminate from user mode. For defenders, that means the file name is not a reliable indicator, and detection should key on the driver load itself (signer and hash) and on the burst of security-product terminations that follows it.
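The following is an added example of that detection logic over constructed Sysmon-style telemetry; it is not code from the advisory, from Cisco Talos, or from Sophos. It assumes the field names of Sysmon Event ID 6 (DriverLoad: ImageLoaded, Signature, SignatureStatus) and Event ID 5 (ProcessTerminate: Image, ProcessId); the signer string used for the Baidu driver is a placeholder, and the security-product process names are illustrative rather than taken from either campaign's kill list.

```python
"""Hunt for the BYOVD pattern described above in Sysmon-style telemetry.

Added example; not code from the advisory, Cisco Talos or Sophos.
Assumptions not in the source: field names follow Sysmon Event ID 6
(DriverLoad: ImageLoaded, Signature, SignatureStatus) and Event ID 5
(ProcessTerminate: Image, ProcessId); the signer string for the Baidu driver
is a placeholder; the security-product process names are illustrative.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File names the advisory records: the original and the two renamed copies.
KNOWN_BAD_NAMES = {"bdapiutil.sys", "drivergay.sys", "googleapiutil64.sys"}
ORIGINAL_NAME = "bdapiutil.sys"
# Substring of the driver's Authenticode signer; the exact subject is an assumption.
BAIDU_SIGNER_HINT = "baidu"
# Illustrative EDR/AV image names (constructed, not from the advisory).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
# How soon after the driver load a security-product termination counts as related.
KILL_WINDOW = timedelta(seconds=120)


def classify_driver_load(event):
    """Return why a DriverLoad looks like the Baidu EDR killer, or None if it does not."""
    name = PureWindowsPath(event["ImageLoaded"]).name.lower()
    signer = event.get("Signature", "").lower()
    if name in KNOWN_BAD_NAMES:
        return f"known BYOVD file name: {name}"
    # Both campaigns renamed the file, so also catch the signer under any other name.
    if BAIDU_SIGNER_HINT in signer and name != ORIGINAL_NAME:
        return f"Baidu-signed driver loaded under unexpected name: {name}"
    return None


def correlate_kills(events):
    """Pair suspicious driver loads with security-product terminations inside KILL_WINDOW.

    Returns one finding per (driver load, terminated security process) pair.
    """
    findings, suspicious_loads = [], []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 6:
            reason = classify_driver_load(ev)
            if reason:
                suspicious_loads.append((ev["UtcTime"], ev["ImageLoaded"], reason))
        elif ev["EventID"] == 5:
            victim = PureWindowsPath(ev["Image"]).name.lower()
            if victim not in SECURITY_PROCESSES:
                continue
            for loaded_at, driver, reason in suspicious_loads:
                elapsed = ev["UtcTime"] - loaded_at
                if timedelta(0) <= elapsed <= KILL_WINDOW:
                    findings.append({"driver": driver, "reason": reason,
                                     "victim": victim, "pid": ev["ProcessId"],
                                     "seconds_after_load": elapsed.seconds})
    return findings


# Constructed sample telemetry: one renamed Baidu driver load, two EDR kills right
# after it, one benign termination, one legitimate driver load, and one EDR
# termination far outside the window.
T0 = datetime(2025, 7, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": T0, "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\drivers\googleApiUtil64.sys",
     "Signature": "Baidu <placeholder signer>"},
    {"EventID": 5, "UtcTime": T0 + timedelta(seconds=4), "ProcessId": 3120,
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": T0 + timedelta(seconds=5), "ProcessId": 4412,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": T0 + timedelta(seconds=9), "ProcessId": 5000,
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 6, "UtcTime": T0 + timedelta(minutes=10), "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows"},
    {"EventID": 5, "UtcTime": T0 + timedelta(minutes=20), "ProcessId": 3121,
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

if __name__ == "__main__":
    for f in correlate_kills(SAMPLE_EVENTS):
        print(f"{f['victim']} (pid {f['pid']}) killed {f['seconds_after_load']}s after "
              f"{f['driver']} loaded: {f['reason']}")
```

Run against the sample, the correlation reports the two EDR terminations that follow the renamed driver load and ignores the notepad exit, the legitimate tcpip.sys load, and the later Defender termination. In production the signer check should be tightened to the exact certificate subject and the file hash once those are confirmed from a sample, since a name list alone is what both campaigns already defeated.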

Exploitation Primitive

CreateFile("\\.\BdApiUtil") -> IOCTL 0x800024b4 with target PID
  -> ZwTerminateProcess (no privilege check)
  -> kill EDR -> deploy ransomware

Broader Significance

CVE-2024-51324 is a stark example of the BYOVD problem at scale. The driver is legitimately signed, not blocklisted, and provides a trivial one-IOCTL kill primitive against any process on the system. Two independent ransomware operations adopted and weaponized it within months of each other, which suggests the driver is circulating in the cybercrime ecosystem as a known EDR killer.

The fact that this driver can terminate PPL-protected processes is particularly damaging. PPL is supposed to prevent unprivileged code from interfering with security products, but a single kernel driver with an unprotected ZwTerminateProcess IOCTL collapses that protection entirely. The driver's absence from Microsoft's blocklist means that even systems with HVCI and driver signing enforcement will load it without complaint; until it is added, organizations have to block it themselves, through WDAC or a custom vulnerable-driver policy keyed on hash or signer rather than file name, since both campaigns already rename the file.

This case highlights the systemic weakness of relying on driver signing as a security control. Signing verifies the publisher's identity, not the driver's security properties. A legitimately signed driver that exposes ZwTerminateProcess to any caller is functionally indistinguishable from a kernel-level process-killing backdoor.

References