bdapiutil.sys
Baidu Antivirus kernel utility driver
bdapiutil.sys is a kernel driver bundled with Baidu Antivirus, a consumer security suite from one of China's largest internet companies. Like several entries on the LOLDrivers list, the driver exposes an interface that lets user-mode software ask the kernel to do things the user would not normally be permitted to do (in this case, terminate other processes). CVE-2024-51324 documents that the driver does not verify whether the caller has the privileges that interface should require.
Cisco Talos reported that the driver was abused in 2024 in a Bring-Your-Own-Vulnerable-Driver loader tied to the DeadLock ransomware campaign, where the operators dropped a legitimately signed copy of bdapiutil.sys onto already-compromised systems and used it to terminate endpoint-protection processes before encrypting files. The driver is on Microsoft's Vulnerable Driver Blocklist.
If you do not run Baidu Antivirus, the driver has no business being on disk and is worth investigating. If you do, update the suite to the current version.
bdapiutil.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “bdapiutil.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/bdapiutil-sys
