Threat Actors Leverage Signed Drivers for Stealthy Windows Kernel Exploits

Cybercriminals continue to use kernel-level malware as a preferred weapon against Windows systems amid a terrifying increase in cyberthreats.

Operating at ring 0, the highest privilege level in the operating system, such malware grants attackers unparalleled access to disable security defenses, maintain persistence, and operate undetected.

Despite Microsoft’s robust countermeasures like PatchGuard, Driver Signature Enforcement (DSE), and Hypervisor-Protected Code Integrity (HVCI), threat actors are exploiting digitally signed drivers and underground services to bypass these protections.

Kernel-Level Malware

A recent Group-IB report, analyzing over 620 malicious drivers and 80+ compromised certificates since 2020, reveals a sophisticated ecosystem in which attackers leverage legitimate trust mechanisms to execute stealthy, high-impact operations at the kernel level.

The allure of kernel-level access lies in its ability to manage critical OS functions such as memory, threads, and hardware operations, making it an ideal entry point for bypassing antivirus and endpoint detection tools while altering system behavior without a trace.

Attackers have adapted by abusing the Windows Hardware Compatibility Program (WHCP) and Extended Validation (EV) certificates to sign malicious kernel drivers, effectively masquerading as legitimate software.

Figure: Source of second-stage kernel driver

Underground Markets Fuel the Threat Landscape

Group-IB’s investigation highlights a surge in such activity, with over 250 drivers and 34 certificates tied to malicious campaigns in 2022 alone, often linked to Chinese entities based on metadata analysis.

Kernel loaders, acting as first-stage drivers, add another layer of obfuscation by dynamically loading unsigned or signed secondary drivers into memory, enhancing stealth and adaptability.

Notable malware families like FiveSys and POORTRY, used by ransomware groups such as Cuba and LockBit, exploit these loaders to retrieve payloads from command-and-control servers or local storage, evading traditional detection mechanisms.

Further deepening the concern is the thriving underground market for EV certificates and WHCP accounts, where vendors, some likely Russian-speaking actors within Chinese cybercriminal communities, sell these credentials for anywhere from $260 to $15,000.

These certificates, often obtained through fraudulent business registrations or stolen identities, enable even less-skilled threat actors to deploy signed kernel malware capable of disabling security tools.

Figure: Validation steps by CA

The overlap in signing infrastructure across unrelated campaigns, such as RedDriver’s reuse in browser hijacking and persistence schemes, underscores a shared ecosystem of abuse.

Since 2020, the preference for WHCP-signed drivers over standalone EV certificates has grown, reflecting attackers’ intent to exploit deeper trust within Microsoft’s ecosystem.

The exploitation of legitimate processes like WHCP driver submission, which requires only an EV certificate, enrollment in the Microsoft Partner Center, and a crash-free driver, reveals critical weaknesses in the verification chain.

While Certificate Authorities (CAs) enforce steps like legal and operational existence checks, limited human oversight, often restricted to a phone call, leaves room for well-resourced threat actors or nation-states to manipulate the system.
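As an added defensive example (not code from Group-IB or this article), the PowerShell below inventories running kernel drivers and classifies each by its Authenticode signer (Microsoft inbox, WHCP-signed, third-party certificate, or unsigned/invalid), then flags any whose signing-certificate thumbprint appears in a placeholder list you would fill from your own intelligence. The helper function names and the placeholder thumbprint list are assumptions; the signer CN strings are the ones Microsoft uses for its own and WHCP-signed binaries.

```powershell
# Added example: triage running kernel drivers by Authenticode signer.
# Run in an elevated PowerShell 5.1+ session. $AbusedThumbprints is a
# constructed placeholder; populate it from revoked/abused-certificate intel.
$AbusedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-FROM-YOUR-INTEL-FEED'   # constructed placeholder
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths; normalise them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-DriverSignerClass {
    param([System.Management.Automation.Signature]$Sig)
    if ($Sig.Status -ne 'Valid') { return 'UnsignedOrInvalid' }
    $subject = $Sig.SignerCertificate.Subject
    # WHCP-signed drivers are third-party submissions countersigned by Microsoft,
    # so this class alone is not a clean bill of health; the thumbprint check matters.
    if ($subject -match 'Microsoft Windows Hardware Compatibility Publisher') { return 'WHCP' }
    if ($subject -match 'CN=Microsoft (Windows|Corporation)') { return 'MicrosoftInbox' }
    return 'ThirdPartyCert'   # vendor EV / legacy cross-signed certificate
}

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver | Where-Object State -eq 'Running') {
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig   = Get-AuthenticodeSignature -LiteralPath $path
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    [pscustomobject]@{
        Driver      = $drv.Name
        Path        = $path
        SigStatus   = $sig.Status
        SignerClass = Get-DriverSignerClass $sig
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumbprint  = $thumb
        KnownAbused = $AbusedThumbprints -contains $thumb
    }
}

# Catalog-signed inbox drivers can report NotSigned on older builds; cross-check
# those against the catalog store before treating them as suspicious.
$report | Where-Object { $_.KnownAbused -or $_.SignerClass -in 'UnsignedOrInvalid','ThirdPartyCert' } |
    Sort-Object SignerClass | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-signer-triage.csv"
```

The full CSV keeps the WHCP-signed entries too, so their thumbprints can be matched against revocation data as it is published.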

The rise of kernel loaders and signed drivers calls for urgent reforms, including stricter certificate issuance with physical presence verification and enhanced collaboration between CAs, OS vendors, and the security community to revoke abused credentials swiftly.

As cybercriminals continue to adapt, fortifying these trust mechanisms is paramount to safeguarding Windows systems from the stealthy, persistent threat of kernel-level exploits.
