BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//hack-lu-2025//speaker//DTXWRV
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-hack-lu-2025-QSWNWS@pretalx.com
DTSTART;TZID=CET:20251022T111500
DTEND;TZID=CET:20251022T114500
DESCRIPTION:What if your trusted security solutions could be silently disar
 med without warning? What if a long-forgotten vulnerability in a legitimat
 e driver became the perfect weapon for attackers to bypass defenses and st
 rike undetected?\n\nIn 2025\, Check Point Research uncovered a sophisticat
 ed campaign leveraging over 2\,500 unique variants of a vulnerable legacy 
 driver to disable EDR and AV solutions. By abusing a loophole in Windows d
 river signing\, the attackers successfully deployed a powerful EDR/AV kill
 er module that bypassed Microsoft’s Vulnerable Driver Blocklist and evad
 ed detection mechanisms\, including those introduced by the LOLDrivers pro
 ject.\n\nTo ensure stealth\, the attackers carefully manipulated the drive
 r’s PE structure\, generating distinct hashes while preserving its valid
  signature — a move that allowed thousands of modified variants to remai
 n undetected. Operating from a public cloud’s China region\, the attacke
 rs targeted victims primarily in China and parts of Asia\, with devastatin
 g precision.\n\nCheck Point Research’s findings prompted Microsoft to up
 date its Vulnerable Driver Blocklist\, neutralizing the exploited driver v
 ariants. This paper presents the campaign’s technical details\, explores
  the evasion techniques in depth\, and provides practical insights for def
 enders to mitigate emerging driver exploitation threats. Are your defenses
  prepared for attackers turning trusted code into a silent threat?
DTSTAMP:20260423T025253Z
LOCATION:Europe
SUMMARY:Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation 
 Campaign - Jiří Vinopal
URL:https://pretalx.com/hack-lu-2025/talk/QSWNWS/
END:VEVENT
END:VCALENDAR
