What if your trusted security solutions could be silently disarmed without warning? What if a long-forgotten vulnerability in a legitimate driver became the perfect weapon for attackers to bypass defenses and strike undetected?

In 2025, Check Point Research uncovered a sophisticated campaign leveraging over 2,500 unique variants of a vulnerable legacy driver to disable EDR and AV solutions. By abusing a loophole in Windows driver signing, the attackers successfully deployed a powerful EDR/AV killer module that bypassed Microsoft’s Vulnerable Driver Blocklist and evaded detection mechanisms, including those introduced by the LOLDrivers project.

To ensure stealth, the attackers carefully manipulated the driver’s PE structure, generating distinct hashes while preserving its valid signature — a move that allowed thousands of modified variants to remain undetected. Operating from a public cloud’s China region, the attackers targeted victims primarily in China and parts of Asia, with devastating precision.

Check Point Research’s findings prompted Microsoft to update its Vulnerable Driver Blocklist, neutralizing the exploited driver variants. This paper presents the campaign’s technical details, explores the evasion techniques in depth, and provides practical insights for defenders to mitigate emerging driver exploitation threats. Are your defenses prepared for attackers turning trusted code into a silent threat?