2025-10-22, Europe
What if your trusted security solutions could be silently disarmed without warning? What if a long-forgotten vulnerability in a legitimate driver became the perfect weapon for attackers to bypass defenses and strike undetected?
In 2025, Check Point Research uncovered a sophisticated campaign leveraging over 2,500 unique variants of a vulnerable legacy driver to disable EDR and AV solutions. By abusing a loophole in Windows driver signing, the attackers successfully deployed a powerful EDR/AV killer module that bypassed Microsoft’s Vulnerable Driver Blocklist and evaded detection mechanisms, including those introduced by the LOLDrivers project.
To ensure stealth, the attackers carefully manipulated the driver’s PE structure, generating distinct hashes while preserving its valid signature — a move that allowed thousands of modified variants to remain undetected. Operating from a public cloud’s China region, the attackers targeted victims primarily in China and parts of Asia, with devastating precision.
Check Point Research’s findings prompted Microsoft to update its Vulnerable Driver Blocklist, neutralizing the exploited driver variants. This paper presents the campaign’s technical details, explores the evasion techniques in depth, and provides practical insights for defenders to mitigate emerging driver exploitation threats. Are your defenses prepared for attackers turning trusted code into a silent threat?
- CPR uncovered a large-scale ongoing campaign involving thousands of first-stage malicious samples used to deploy an EDR/AV killer module in its initial stage. This module was first detected and recorded in June 2024. It was observed leveraging and exploiting more than 2,500 distinct variants of the legacy version 2.0.2 of the known vulnerable driver Truesight.sys, which is the RogueKiller Antirootkit Driver and part of Adlice’s product suite. This driver has a known vulnerability in versions below 3.4.0.
- The attackers exploited the legacy version 2.0.2 of the Truesight driver to take advantage of a Windows policy loophole (Exception in Driver Signing Policy), allowing the driver to be loaded on the latest versions of Windows OS. Notably, the attackers specifically selected the 2.0.2 version because it retains the vulnerable code while also bypassing the latest Microsoft Vulnerable Driver Blocklist and common detection mechanisms, such as those introduced by the LOLDrivers project, none of which detect this version.
- To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid. We detected over 2,500 validly signed variants of this driver.
- The attackers leveraged infrastructure in a public cloud's China region to host payloads and operate their C2 servers. Around 75% of the victims are located in China, while the remainder come from other parts of Asia (e.g., Singapore, Taiwan).
- The initial-stage samples act as downloaders/loaders and often disguise themselves as well-known applications. They are typically distributed via phishing methods, including deceptive websites and phishing channels in messaging apps. Along with the EDR/AV killer module, they are designed to prepare the infected machine to deliver final-stage payloads, such as Gh0st RAT variants.
- CPR reported this issue to MSRC, leading to an updated version of the Microsoft Vulnerable Driver Blocklist (available since December 17, 2024), effectively preventing all variants of the legacy driver exploited in this campaign.
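The hash-variant evasion described in the findings above points to one practical defender check: match a vulnerable driver on its version resource and original file name rather than on its file hash. The following is an added example, not Check Point's or Adlice's code; it runs over constructed stand-in buffers rather than real driver images, and the `Truesight.sys` resource string and the 3.4.0 fixed-version threshold are assumptions taken from the version numbers in the abstract.

```python
import hashlib
import struct

# VS_FIXEDFILEINFO.dwSignature: the magic that opens the fixed part of a PE
# version resource. Scanning for it avoids writing a full resource-tree parser.
FIXEDFILEINFO_MAGIC = struct.pack("<I", 0xFEEF04BD)

# Assumed rule, built from the abstract: Truesight.sys below 3.4.0 is vulnerable.
# The name string a real build carries in its resources may differ (assumption).
DRIVER_NAME_UTF16 = "truesight.sys".encode("utf-16-le")
FIXED_VERSION = (3, 4, 0, 0)

def file_version(data: bytes):
    """FileVersion tuple from the first VS_FIXEDFILEINFO block, or None if absent."""
    off = data.find(FIXEDFILEINFO_MAGIC)
    if off < 0 or off + 16 > len(data):
        return None
    # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<4I", data, off)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def is_vulnerable_truesight(data: bytes) -> bool:
    """Name + version rule: independent of the file hash, so PE edits that keep the
    signature valid but change the hash do not slip past it."""
    if DRIVER_NAME_UTF16 not in data.lower():
        return False
    ver = file_version(data)
    return ver is not None and ver < FIXED_VERSION

def make_sample(version, filler: bytes) -> bytes:
    """Constructed stand-in for a driver image: filler bytes (the PE region the
    attackers mutated), a version-resource name string and a fixed-file-info block."""
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    name = "OriginalFilename\0Truesight.sys\0".encode("utf-16-le")
    return b"MZ" + filler + name + struct.pack("<4I", 0xFEEF04BD, 0x10000, ms, ls)

def compare_rules():
    """A hash blocklist built from one variant misses a second variant that the
    name/version rule still catches, while the fixed 3.4.0 build stays clean."""
    known = make_sample((2, 0, 2, 0), b"\x00" * 32)
    variant = make_sample((2, 0, 2, 0), b"\x00" * 31 + b"\x01")  # one byte differs
    fixed = make_sample((3, 4, 0, 0), b"\x00" * 32)
    hash_blocklist = {hashlib.sha256(known).hexdigest()}
    return {
        "hash_blocklist_catches_variant": hashlib.sha256(variant).hexdigest() in hash_blocklist,
        "version_rule_catches_variant": is_vulnerable_truesight(variant),
        "version_rule_flags_fixed_build": is_vulnerable_truesight(fixed),
    }
```

Against real files, `is_vulnerable_truesight(Path(p).read_bytes())` over a drivers directory gives the same hash-independent verdict.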
Jiří Vinopal is a threat researcher, malware researcher and reverse engineer at Check Point Research, who specializes in analysing and dissecting advanced cyber threats and techniques, alongside conducting in-depth malware research and reverse engineering. When he's not diving deep into the world of cybersecurity, he shares his passion for reverse engineering through his free YouTube channel and blog content, providing tips and tricks to fellow enthusiasts.