A sophisticated campaign has weaponized over 2,500 variants of a legitimately signed security driver to disable endpoint protection before deploying ransomware and remote access trojans.
Attackers are abusing truesight.sys, a kernel-mode driver from Adlice Software’s RogueKiller antivirus suite. The legacy version 2.0.2 contains a critical vulnerability: IOCTL command 0x22E044 terminates an arbitrary process chosen by the caller, with no check on what that process is.
This enables attackers to kill any process, including protected security software that normally resists user-mode termination.
The irony is stark: a driver designed to protect systems now serves as the primary weapon to kill security software.
Check Point Research uncovered this operation in January 2025, revealing how attackers exploit a loophole in Windows’ driver signing policy (Windows still loads kernel drivers signed with certificates issued before the July 29, 2015 cutoff) to bypass modern defenses.
Attackers manipulate fields of the driver’s PE file that the Authenticode signature does not cover, so the signature stays valid while the file hash changes, yielding thousands of unique variants that evade hash-based detection.
Attack Chain
The multi-stage attack begins with phishing emails, fake software websites, compromised Telegram channels, or watering hole attacks. The infection proceeds through three stages:
Stage 1: A downloader masquerading as a legitimate installer establishes initial access.
Stage 2: Persistence via scheduled tasks and DLL side-loading.
Stage 3: Deployment of an EDR killer module combined with the final payload.
The EDR killer module, protected by VMProtect, targets 192 security products including CrowdStrike Falcon, SentinelOne, Sophos, Trend Micro, Kaspersky, and ESET.
It downloads the TrueSight driver if absent, installs it as a service named “TCLService,” sends termination IOCTLs for every targeted process, deletes the security software’s files from disk, and then deploys the final payload with no endpoint protection left to observe it. The entire process can complete in about 30 minutes.
Traditional security measures crumble against this threat. Hash-based detection is obsolete: attackers modify just 8 bytes (the 4-byte CheckSum field in the optional header and 4 bytes of padding in the attribute certificate table), neither of which is included in the Authenticode PE hash, so the signature remains valid while up to 2^64 distinct file hashes are possible. VirusTotal detection rates show only 2-7% of engines identifying the variants.
Microsoft’s Vulnerable Driver Blocklist already contained the signing certificate’s TBS hash, but the entry was tied to other drivers’ attributes, so TrueSight 2.0.2 slipped through until Microsoft updated the list on December 17, 2024.
Because the driver carries a valid signature and was absent from the blocklist, Windows loads it on request, and a process termination issued from kernel mode is not stopped by the user-mode tamper protection and protected-process restrictions that security products rely on.
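To make the 8-byte point concrete, the following is an added Python example (it is not code from Check Point, Adlice, or the attackers). It builds a constructed, minimal PE32+ image with a stand-in certificate table, mutates only the CheckSum field and the certificate padding, and shows that the file’s SHA-256 changes while its Authenticode hash (the “authentihash” the signature actually covers, computed here per Microsoft’s Authenticode PE spec: skip CheckSum, skip the Certificate Table directory entry, skip the certificate table itself) stays the same. The fake certificate blob is not a real signature, so the block demonstrates hash stability, not signature validation; the blocklist helper at the end shows the authentihash-keyed matching a defender can use instead of file hashes.

```python
import hashlib
import struct


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode PE hash: the bytes a valid signature actually covers."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:            # PE32
        data_dir = opt + 96
    elif magic == 0x20B:          # PE32+
        data_dir = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64                     # IMAGE_OPTIONAL_HEADER.CheckSum
    cert_entry = data_dir + 4 * 8               # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)

    # Headers, excluding CheckSum and the security directory entry.
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:cert_entry])
    h.update(pe[cert_entry + 8:size_of_headers])
    hashed = size_of_headers

    # Section raw data in PointerToRawData order.
    sec_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        s = sec_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", pe, s + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Any overlay after the sections is hashed, except the certificate table.
    extra = len(pe) - hashed - cert_size
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def build_fake_pe(checksum: int, cert_padding: bytes) -> bytes:
    """Constructed minimal PE32+ (one section, trailing WIN_CERTIFICATE). Not a real driver."""
    assert len(cert_padding) == 8
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 60, 512)                      # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                 # CheckSum (not signed)
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    # Stand-in for the PKCS#7 blob (not a real signature), plus 8-byte alignment padding.
    cert_blob = b"\x30\x82" + b"\xA5" * 30
    body = cert_blob + cert_padding
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body   # WIN_CERTIFICATE
    struct.pack_into("<II", opt, 112 + 4 * 8, 1024, len(cert))          # security directory
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(512, b"\0")
    text = (b"\xC3" * 16).ljust(512, b"\0")                   # section payload: a few RETs
    return headers + text + cert


def matches_known_driver(pe: bytes, known_authentihashes) -> bool:
    """Blocklist-style check keyed on the Authenticode hash, not the file hash."""
    return authenticode_hash(pe) in known_authentihashes


def demo() -> dict:
    base = build_fake_pe(checksum=0x00012345, cert_padding=b"\0" * 8)
    # "Variant": only CheckSum and the last 4 bytes of certificate padding differ.
    variant = build_fake_pe(checksum=0xDEADBEEF, cert_padding=b"\0\0\0\0ABCD")
    return {
        "sha256_differs": hashlib.sha256(base).hexdigest() != hashlib.sha256(variant).hexdigest(),
        "authentihash_same": authenticode_hash(base) == authenticode_hash(variant),
        "blocklist_hit": matches_known_driver(variant, {authenticode_hash(base)}),
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway: key detections and blocklists on the Authenticode hash (VirusTotal exposes it as “authentihash”), the signer certificate thumbprint, or the import hash, since all of these are unchanged across the attackers’ variants, whereas the plain file hash is worthless against them.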
Real-World Impact
Check Point attributes the primary campaign to Silver Fox, a financially motivated Chinese threat actor whose campaign has been running since June 2024. The technique has since proliferated to ransomware groups (RansomHub, Qilin, INC, BlackCat), APT groups, and underground forums. Approximately 75% of victims are in mainland China, with 15% in Singapore, Taiwan, and Hong Kong, and 10% elsewhere in Asia-Pacific.
The final payload is HiddenGh0st, a Gh0st RAT variant providing complete remote control, keylogging, screen capture, data exfiltration, and surveillance capabilities.
Organizations must apply the updated Microsoft Vulnerable Driver Blocklist immediately, enable HVCI (Hypervisor-Protected Code Integrity) so the blocklist is enforced in the hypervisor, implement application control policies that deny unapproved kernel drivers, and monitor for suspicious driver installations (new kernel-mode services and loads of legitimately signed but known-vulnerable drivers).
The campaign demonstrates that reactive hash-based detection cannot counter polymorphic threats; proactive driver abuse monitoring is essential.
