Check Point Research has uncovered a large-scale campaign that abuses a loophole in Windows’ driver-signing policy to load a vulnerable kernel driver, blind security software and deploy malware.
The attackers exploited version 2.0.2 of Truesight.sys, a driver shipped with Adlice’s RogueKiller Antirootkit suite, to terminate endpoint detection and response (EDR) and antivirus (AV) processes.
The campaign, active since mid-2024, produced more than 2,500 distinct variants of the driver; because version 2.0.2 was not on Microsoft’s Vulnerable Driver Blocklist at the time and every variant carried a different file hash, neither the blocklist nor hash-based detections caught them.
The loophole is an exception in Microsoft’s driver signing policy: Windows 10 and later normally require kernel drivers to be signed through Microsoft, but drivers signed with a cross-signed certificate issued before 29 July 2015 are still allowed to load.
Truesight.sys 2.0.2 is old enough to qualify, and it was absent from the hash lists that Microsoft’s blocklist and community projects such as LOLDrivers rely on, so it loaded on fully patched systems without being flagged.
The attackers also modified parts of the driver’s Portable Executable (PE) file that the Authenticode signature does not cover, such as the padding inside the signature block, producing thousands of files with unique hashes that all still carried a valid signature.
Any detection keyed on the file hash of a known-bad driver was therefore blind to these variants.
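To make the hash-variant trick concrete, the following added example (my code, not Check Point Research’s or Adlice’s, and not a real driver) builds a tiny constructed PE32+ layout in memory, computes the hash that an Authenticode signature actually covers, and then rewrites bytes inside the certificate table: the whole-file SHA-256 changes on every rewrite while the signed hash stays the same. The placeholder 20-byte "signature" blob and the section contents are constructed; the header offsets are fixed by the PE format.

```python
"""Why a PE's file hash and its Authenticode hash drift apart (added example)."""
import hashlib
import struct

# Fixed PE32+ layout constants (from the PE specification, not assumptions).
OPT_CHECKSUM_OFF = 64       # IMAGE_OPTIONAL_HEADER64.CheckSum
OPT_DATADIR_OFF = 112       # first IMAGE_DATA_DIRECTORY entry in a PE32+ header
SECURITY_DIR_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
E_LFANEW = 0x40             # where the constructed sample places "PE\0\0"


def _layout(pe: bytes):
    """Return (optional header offset, Security dir entry offset, cert offset, size)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt_off = e_lfanew + 4 + 20                      # "PE\0\0" + COFF header
    secdir_off = opt_off + OPT_DATADIR_OFF + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    return opt_off, secdir_off, cert_off, cert_size


def build_sample_pe(cert_blob: bytes) -> bytes:
    """Construct a minimal PE32+: DOS header, NT headers, one section, cert table.
    cert_blob is a constructed stand-in for the PKCS#7 SignedData a signer emits."""
    size_of_headers = section_size = 0x200
    section_off = size_of_headers
    cert_off = section_off + section_size
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7),
    # followed by the blob, then zero padding to an 8-byte boundary.
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    win_cert += b"\x00" * (-len(win_cert) % 8)

    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)               # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)              # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers)     # SizeOfHeaders
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFF, 0xDEADBEEF)   # CheckSum (not signed)
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, OPT_DATADIR_OFF + 8 * SECURITY_DIR_INDEX,
                     cert_off, len(win_cert))

    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", E_LFANEW)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x0022)
    sect = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000, section_size,
                       section_off, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    headers += b"\x00" * (size_of_headers - len(headers))
    section = bytes(range(256)) * (section_size // 256)    # constructed "code" bytes
    return headers + section + win_cert


def file_sha256(pe: bytes) -> str:
    """What a hash blocklist or IOC feed compares against."""
    return hashlib.sha256(pe).hexdigest()


def authenticode_sha256(pe: bytes) -> str:
    """Hash the bytes an Authenticode signature covers: the whole file minus the
    CheckSum field, the Security directory entry and the certificate table itself.
    Simplified from the Authenticode spec: assumes sections are contiguous in file
    order and the certificate table sits at the end, as in the constructed sample."""
    opt_off, secdir_off, cert_off, cert_size = _layout(pe)
    checksum_off = opt_off + OPT_CHECKSUM_OFF
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:cert_off if cert_size else len(pe)])
    return h.hexdigest()


def make_variant(pe: bytes, seed: int) -> bytes:
    """Rewrite the alignment padding at the tail of the certificate table, bytes
    that lie outside both the signed hash and the PKCS#7 blob itself."""
    _, _, cert_off, cert_size = _layout(pe)
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]
    if cert_size - dw_length < 4:
        raise ValueError("not enough padding after the certificate to rewrite")
    out = bytearray(pe)
    out[cert_off + cert_size - 4:cert_off + cert_size] = struct.pack("<I", seed)
    return bytes(out)


def variant_hash_counts(base: bytes, n: int):
    """Return (distinct file hashes, distinct Authenticode hashes) across n variants."""
    variants = [make_variant(base, i) for i in range(1, n + 1)]
    return (len({file_sha256(v) for v in variants}),
            len({authenticode_sha256(v) for v in variants}))


if __name__ == "__main__":
    base = build_sample_pe(b"\xAA" * 20)     # constructed 20-byte "signature" blob
    files, signed = variant_hash_counts(base, 2500)
    print(f"{files} distinct file hashes, {signed} distinct Authenticode hash(es)")
```

Running the script yields 2,500 distinct file hashes and a single Authenticode hash. The converse also holds and is the useful detection angle: any change inside a section (code, version resource, strings) alters the signed hash and breaks the signature, so properties living there are stable across all variants even though the file hash is not.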
Sophisticated Multi-Stage Attack Chain
According to Check Point Research, the campaign employed a multi-stage infection process.
Initial-stage malware samples masqueraded as legitimate applications and were distributed via phishing websites and messaging app channels.
These samples acted as loaders, downloading the vulnerable Truesight.sys driver alongside encrypted payloads.
The payloads were decrypted in memory in later stages and ultimately delivered Gh0st RAT, a remote access trojan used for data theft and surveillance.
The attackers also deployed an EDR/AV killer module that abuses the driver’s arbitrary-process-termination flaw: it asks Truesight.sys to terminate security processes from kernel mode.
Because the kill happens in the kernel, even protected processes (PP/PPL), which a user-mode application cannot terminate, were taken down.
Infrastructure Insights and Victimology
The campaign primarily targeted victims in China (75%), with additional infections reported in Singapore and Taiwan.
Payloads were hosted on public cloud infrastructure in the China region, and the command-and-control (C2) servers ran on similar infrastructure.
The phishing tactics employed suggest financial motivation rather than state-sponsored espionage.
After the researchers’ disclosure, Microsoft updated its Vulnerable Driver Blocklist in December 2024 to cover all exploited variants of the Truesight.sys driver.
Because Windows refreshes the built-in blocklist only with major releases, organizations should download the current recommended blocklist and deploy it themselves (for example as a Windows Defender Application Control policy) rather than wait for it to arrive automatically.
Beyond that, detections should key on properties the signature pins down (signer, original file name, version information) and on the driver’s runtime behaviour, not only on file hashes that an attacker can change at will.
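As an added illustration of hash-independent triage (my example, not Check Point’s, Microsoft’s or any vendor’s detection content), the following runs three rules over constructed driver-load records of the kind one assembles from Sysmon Event ID 6 (DriverLoad) plus the file’s Authenticode signature and version resource. The paths, hashes, dates, the "Old Vendor Ltd" entry and the signer string "Adlice" are placeholders I made up for the demo, not indicators from the campaign; the trusted-signer allowlist is an assumption as well.

```python
"""Driver-load triage rules that do not depend on file hashes (added example)."""
from dataclasses import dataclass
from datetime import date
import ntpath

# Kernel drivers signed with a certificate issued before this date still load on
# Windows 10/11 without Microsoft attestation signing; Truesight.sys 2.0.2 fell
# under that legacy exception.
LEGACY_SIGNING_CUTOFF = date(2015, 7, 29)

# Signers whose pre-2015 drivers are expected on the estate (assumed allowlist).
TRUSTED_LEGACY_SIGNERS = {"Microsoft Windows"}

# Placeholder hash standing in for one blocklisted Truesight.sys 2.0.2 sample.
HASH_BLOCKLIST = {"a" * 64: "truesight.sys 2.0.2 (placeholder)"}

# Assumed leaf-certificate subject for the driver; verify against your own telemetry.
TRUESIGHT_SIGNER = "Adlice"


@dataclass(frozen=True)
class DriverLoad:
    image: str           # Sysmon ImageLoaded
    sha256: str          # from Sysmon Hashes=
    signer: str          # Sysmon Signature (leaf certificate subject)
    signed_on: date      # date of the Authenticode signature
    original_name: str   # OriginalFilename from the signed version resource


def rule_hash(ev: DriverLoad) -> bool:
    """Classic IOC match: catches only the exact bytes someone has already seen."""
    return ev.sha256.lower() in HASH_BLOCKLIST


def rule_signer_and_name(ev: DriverLoad) -> bool:
    """Match on fields the signature pins down: the signer plus the driver's own
    name (on disk or in the version resource). Survives hash-only variants and renames."""
    names = {ntpath.basename(ev.image).lower(), ev.original_name.lower()}
    return ev.signer == TRUESIGHT_SIGNER and "truesight.sys" in names


def rule_legacy_signature(ev: DriverLoad) -> bool:
    """Any non-allowlisted driver riding the pre-July-2015 exception deserves review."""
    return ev.signed_on < LEGACY_SIGNING_CUTOFF and ev.signer not in TRUSTED_LEGACY_SIGNERS


RULES = {
    "hash": rule_hash,
    "signer-name": rule_signer_and_name,
    "legacy-signature": rule_legacy_signature,
}


def triage(events):
    """Map each loaded image to the sorted list of rule names that fired on it."""
    return {ev.image: sorted(name for name, fn in RULES.items() if fn(ev))
            for ev in events}


# Constructed records: a known sample, a renamed hash variant, an inbox driver,
# and an unrelated legacy-signed third-party driver.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\truesight.sys", "a" * 64,
               "Adlice", date(2015, 1, 15), "truesight.sys"),
    DriverLoad(r"C:\ProgramData\Update\svcupd.sys", "b" * 64,
               "Adlice", date(2015, 1, 15), "truesight.sys"),
    DriverLoad(r"C:\Windows\System32\drivers\ndis.sys", "c" * 64,
               "Microsoft Windows", date(2024, 10, 1), "ndis.sys"),
    DriverLoad(r"C:\Program Files\OldVendor\oldvendor.sys", "d" * 64,
               "Old Vendor Ltd", date(2014, 3, 2), "oldvendor.sys"),
]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits) or 'clean'}")
```

The second record is the interesting one: its hash is new and it has been renamed on disk, so the hash rule misses it, but the signer and the OriginalFilename sit inside the signed region and cannot be altered without invalidating the signature, so the signer-name rule still fires. The legacy-signature rule is noisier by design and belongs in a review queue rather than a blocking control.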
This case underscores the evolving sophistication of cyberattacks exploiting legacy vulnerabilities and highlights the importance of proactive threat hunting to uncover stealthy campaigns before they cause widespread damage.