Cybercriminals Exploit Check Point Antivirus Driver in Malicious Campaign


Threat actors are exploiting a vulnerability in Check Point's ZoneAlarm antivirus via a Bring Your Own Vulnerable Driver (BYOVD) attack using vsdatant.sys (version 14.1.32.0). This outdated driver runs with high-level kernel privileges, which allows attackers to bypass the Windows Memory Integrity protection, steal sensitive data such as passwords, and establish Remote Desktop Protocol (RDP) access for persistent control. Check Point has confirmed that recent versions are not affected and advises users to update their software to stay protected.
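As an added example (not from the article or from Check Point), the following PowerShell check lists any registered kernel driver whose file is vsdatant.sys at version 14.1.32.0. It assumes matching on file name, embedded original file name and version only, since the article gives no hash; the function and variable names are hypothetical.

```powershell
# Added example: find registered kernel drivers that are vsdatant.sys
# at the version named in the article. Names below are illustrative.
$TargetName    = 'vsdatant.sys'
$TargetVersion = [version]'14.1.32.0'

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths can be quoted or use NT-style prefixes.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^system32\\')      { $p = Join-Path $env:SystemRoot $p }
    $p
}

function Get-DriverFileVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Build the version from its numeric parts; the FileVersion string
    # may carry extra text on some binaries.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    [pscustomobject]@{
        Version      = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)
        OriginalName = $vi.OriginalFilename
    }
}

$hits = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }
    try { $fv = Get-DriverFileVersion -Path $path } catch { continue }

    # A dropped copy may be renamed on disk, so also compare the
    # original file name embedded in the version resource.
    $nameMatch = ((Split-Path $path -Leaf) -eq $TargetName) -or
                 ($fv.OriginalName -eq $TargetName)
    if ($nameMatch -and $fv.Version -eq $TargetVersion) {
        [pscustomobject]@{
            Service = $drv.Name
            State   = $drv.State
            Path    = $path
            Version = $fv.Version
            Signer  = (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate.Subject
        }
    }
}

if ($hits) { $hits | Format-List }
else { "No $TargetName $TargetVersion registered as a driver." }
```

A hit on a host without ZoneAlarm installed, or with the file outside the product's install path, deserves closer investigation than an outdated but legitimate installation.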
