The combination of effective security evasion, sophisticated techniques, and severe impact classifies this as a high-priority threat.


Breakdown

A widespread malware campaign abuses an outdated but legitimately signed kernel driver, Truesight.sys version 2.0.2, originally shipped with Adlice's RogueKiller Antirootkit suite, to blind security software and install the Gh0st remote access trojan (RAT), which gives the attackers full control over infected systems. Two properties of Windows make this work. First, Windows still loads kernel drivers signed with certificates issued before July 29, 2015, even on current Windows 10 and 11 builds, so an old vulnerable driver remains loadable. Second, the Authenticode signature does not cover every byte of the file: the PE checksum field and the certificate table (including its padding) are excluded from the signed hash. The attackers exploited this to generate more than 2,500 unique Truesight.sys variants by tweaking the checksum field and padding bytes of the Portable Executable. Every variant carries the same valid digital signature but a different file hash, so detections and blocklists that match on a flat file hash recognize only the specific sample they were built from and miss the rest.
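Why the same signature can sit on thousands of distinct files is easier to see in code. The block below is an added example, not code from the original post or from Check Point or Adlice: it builds a small constructed PE32+ image with a placeholder certificate table (the blob is opaque filler, not a real PKCS#7 signature), computes the Authenticode hash following the PE specification's rules (skip the CheckSum field, skip the Security data-directory entry, skip the certificate table), and then shows that editing the checksum or the certificate padding changes the flat SHA-256 but leaves the Authenticode hash untouched, while editing a code byte changes both. The field offsets are the ones fixed by the PE format; the helper names are this example's own.

```python
"""Toy model of Authenticode coverage: why Truesight.sys variants share one signature
but have thousands of file hashes. Constructed example, not a real driver."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
OPT_SIZEOFHEADERS_OFF = 60            # same offset in PE32 and PE32+
OPT_CHECKSUM_OFF = 64                 # same offset in PE32 and PE32+
DATADIR_OFF = {0x10B: 96, 0x20B: 112}  # data directories start: PE32, PE32+


def _layout(pe):
    """Locate the fields Authenticode excludes by walking the MZ/PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum_off = opt + OPT_CHECKSUM_OFF
    secdir_off = opt + DATADIR_OFF[magic] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    size_of_headers = struct.unpack_from("<I", pe, opt + OPT_SIZEOFHEADERS_OFF)[0]
    sections = []
    for i in range(num_sections):
        entry = opt + opt_size + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", pe, entry + 16)
        sections.append((ptr_raw, size_raw))
    return checksum_off, secdir_off, size_of_headers, sections


def authenticode_hash(pe, algo="sha256"):
    """Hash the image the way the signature does (PE spec, 'Calculating Authenticode PE Image Hash')."""
    checksum_off, secdir_off, size_of_headers, sections = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                   # headers up to CheckSum
    h.update(pe[checksum_off + 4:secdir_off])     # skip the 4-byte CheckSum
    h.update(pe[secdir_off + 8:size_of_headers])  # skip the 8-byte Security directory entry
    for ptr, size in sorted(sections):            # section data in file order
        h.update(pe[ptr:ptr + size])
    end = max((p + s for p, s in sections), default=size_of_headers)
    if cert_size:                                 # trailing data minus the certificate table
        h.update(pe[end:cert_off])
        h.update(pe[cert_off + cert_size:])
    else:
        h.update(pe[end:])
    return h.hexdigest()


def file_hash(pe):
    """Flat SHA-256 over every byte: what hash-based blocklists usually key on."""
    return hashlib.sha256(pe).hexdigest()


def checksum_offset(pe):
    return _layout(pe)[0]


def cert_padding_offset(pe):
    """Offset of the last byte of the certificate table (padding after the signature blob)."""
    cert_off, cert_size = struct.unpack_from("<II", pe, _layout(pe)[1])
    return cert_off + cert_size - 1


def build_sample_pe(code, cert_blob, cert_padding=8):
    """Construct a minimal PE32+ image: one .text section plus a WIN_CERTIFICATE table.
    cert_blob is opaque filler standing in for PKCS#7 SignedData; nothing here verifies."""
    FILE_ALIGN = 0x200
    e_lfanew, opt_size, size_of_headers = 0x40, 240, FILE_ALIGN
    code_size = -(-len(code) // FILE_ALIGN) * FILE_ALIGN
    cert_off = size_of_headers + code_size
    cert_body = cert_blob + b"\0" * cert_padding
    cert_size = -(-(8 + len(cert_body)) // 8) * 8   # WIN_CERTIFICATE entries are 8-byte aligned
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, code_size, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0x140000000, 0x1000, FILE_ALIGN,
                       6, 0, 0, 0, 6, 0, 0, 0x2000, size_of_headers, 0, 1, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)   # CheckSum field left 0
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, code_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + dirs + sect).ljust(size_of_headers, b"\0")
    cert_table = struct.pack("<IHH", cert_size, 0x0200, 0x0002) + cert_body
    return bytearray(headers + code.ljust(code_size, b"\0") + cert_table.ljust(cert_size, b"\0"))


def variant_report(base, variant):
    """(file hash differs?, Authenticode hash differs?) for a modified copy of base."""
    return (file_hash(base) != file_hash(variant),
            authenticode_hash(base) != authenticode_hash(variant))


def demo():
    base = build_sample_pe(b"\x48\x31\xc0\xc3", b"\x30\x82\x01\x00" + b"\xaa" * 28)
    v1 = bytearray(base)                      # variant 1: new CheckSum value, as in the campaign
    struct.pack_into("<I", v1, checksum_offset(base), 0x1337)
    v2 = bytearray(base)                      # variant 2: flip a padding byte inside the cert table
    v2[cert_padding_offset(base)] ^= 0x41
    v3 = bytearray(base)                      # control: touch a code byte, which the signature covers
    v3[0x200] ^= 0x01
    return variant_report(base, v1), variant_report(base, v2), variant_report(base, v3)


if __name__ == "__main__":
    print(demo())
```

The checksum field alone offers 2^32 values, so the 2,500 variants reported are a tiny fraction of what is possible. The practical consequence for defenders is that a detection keyed on the Authenticode hash (the value the signature actually covers) treats all such variants as one file, while a detection keyed on the flat file hash has to be updated per sample.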

Since mid-2024 the campaign has reached victims through phishing emails, fake websites, and malicious Telegram channels that trick users into downloading infected files. The infection runs in stages. A first-stage downloader drops Truesight.sys together with an "EDR/AV killer" module. That module abuses the driver's arbitrary process termination flaw: Truesight.sys 2.0.2 exposes an IOCTL (control code 0x22E044) through which a user-mode caller can have the driver terminate an arbitrary process from kernel mode, so the module can kill endpoint detection and response (EDR) agents and antivirus (AV) processes that it could never terminate on its own. This is the Bring Your Own Vulnerable Driver (BYOVD) pattern: load a legitimate but outdated and exploitable driver, then drive it from user mode to dismantle the defenses. Once those defenses are down, the final stage delivers Gh0st RAT, which lets the attackers steal sensitive data, spy on users, and change system settings without detection.

EDR products such as CrowdStrike and SentinelOne ship tamper protection and kernel-level monitoring, and SIEMs such as Splunk can correlate the resulting telemetry, but a kernel driver runs at the same privilege level as those protections: Truesight.sys can still terminate any security process that is not otherwise shielded, so preventing the driver from loading and watching driver loads in real time are the controls that matter. The campaign stands out for its evasion and stealth. The attackers deliberately modified the driver to evade Microsoft's Vulnerable Driver Blocklist and community detections such as LOLDrivers, neither of which covered these variants at the time. Instead of dropping obviously malicious executables, they use DLL side-loading, in which a legitimate signed application loads an attacker-supplied DLL from its own directory, to run their loader; second-stage payloads are stored encrypted inside files with PNG, JPG, or GIF extensions, and the binaries are packed with VMProtect, a commercial obfuscator built to frustrate reverse engineering. Behind these layers the intrusion can persist unnoticed for long periods, which is what makes the campaign so dangerous. The chain combines driver exploitation, process injection, DLL side-loading, and encrypted payload delivery to evade detection systematically and maintain persistence.

Threat intelligence points to an organized cybercriminal operation specializing in large-scale malware distribution, but no specific group has been confirmed as responsible. The command-and-control infrastructure is hosted in public cloud regions in China, and about 75% of infections are in China, with further victims in Singapore, Taiwan, and elsewhere in Asia. Unlike a narrowly targeted cyber-espionage operation, this campaign is broad, hitting a range of industries and individuals. Its modular structure suggests a scalable operation in which individual components (downloader, killer module, payload) can be swapped or updated without disrupting the whole, which lets the operators adapt quickly to whatever countermeasures are deployed against them.

Microsoft updated its Vulnerable Driver Blocklist on December 17, 2024, to cover the Truesight.sys variants, but the refreshed list is not pushed to every system automatically: outside new Windows releases it has to be applied by deploying the updated WDAC policy, so many organizations remain exposed. Given the evasion techniques, driver abuse, and stealthy persistence involved, traditional antivirus alone will not detect or prevent this threat. Organizations need real-time monitoring of kernel events, strict enforcement of driver integrity, and behavioral anomaly detection to catch the attack before it causes significant damage. The campaign is a reminder that legacy vulnerabilities remain exploitable, and that proactive threat detection is critical in an evolving threat landscape.

Affected Versions

Component                        | Affected Version | Status                                | Solution
Truesight.sys                    | ≤ 2.0.2          | Vulnerable                            | Block execution with a WDAC policy deployed through Group Policy; apply Microsoft's Vulnerable Driver Blocklist (December 17, 2024 update).
Truesight.sys                    | 3.3.0            | Known vulnerable                      | Already in Microsoft's blocklist; ensure WDAC enforcement is enabled.
Truesight.sys                    | 3.4.0 and later  | Patched                               | Upgrade to an Adlice RogueKiller release that ships Truesight.sys 3.4.0 or later, which fixes the arbitrary process termination flaw.
Windows 10/11                    | all versions     | Vulnerable if Truesight.sys is loaded | Enable driver blocklist enforcement and apply the updated Vulnerable Driver Blocklist.
Windows Defender / EDR solutions | -                | Bypassed by the BYOVD technique       | Add kernel-mode driver integrity verification and behavior-based anomaly detection.

Recommendations

This campaign demonstrates how legacy vulnerabilities can be weaponized into sophisticated attack chains, emphasizing the need for proactive security measures beyond traditional antivirus solutions.

  • Enforce the driver blocklist at the kernel level: Configure WDAC with hypervisor-protected code integrity (HVCI). Enabling HVCI turns on Microsoft's vulnerable driver blocklist, and a WDAC deny rule blocks a driver even when it carries a valid signature.
  • Deploy real-time kernel event monitoring: Use Event Tracing for Windows (ETW) with a focus on kernel-mode driver activity to catch modified drivers being loaded, particularly those signed with outdated certificates. Correlate with Sysmon Event ID 6 (DriverLoad), which records the driver's image path, hashes, and signer, so that drivers loaded from unusual paths, signed with pre-2015 certificates, or carrying a known-vulnerable file name are flagged regardless of hash.
  • Restrict legacy driver loading with WDAC rather than Group Policy alone: The July 29, 2015 certificate exception is built into Windows code integrity and there is no Group Policy switch that turns it off, so "block pre-2015 drivers" has to be expressed as a WDAC policy: allow only WHQL-signed drivers or explicitly trusted publishers, and add deny rules for known-bad drivers by file name and version (Truesight.sys below 3.4.0) so a re-hashed copy is still caught. Distribute the policy to every endpoint through Group Policy or Intune.
  • Detect the termination primitive, not just the hash: Configure endpoint tooling to alert on unexpected termination of security processes and, where the EDR exposes device I/O telemetry, on DeviceIoControl calls with control code 0x22E044 sent to the Truesight.sys driver. Treat these as anomalies even though the driver carries a valid signature.
  • Harden LSASS and other security processes, and know the limit: Enable Windows Defender Credential Guard and LSA protection (RunAsPPL) so credential material and security processes are shielded from user-mode tampering. Protected Process Light is enforced by the kernel, and a malicious kernel driver such as the abused Truesight.sys runs at that same level and can terminate processes PPL shields from user mode, so these controls reduce what an attacker gains but do not stop the BYOVD primitive; blocking the driver remains the primary control.
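Detection logic of the kind the monitoring bullets above call for, as an added example that is not code from the original post or from any vendor. It triages driver-load events in the field layout Sysmon uses for Event ID 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus). Two fields are not part of the Sysmon event and are assumed to come from an enrichment step (the file's version resource and its signing certificate): FileVersion and SignerNotBefore. The events, hashes, dates, and the one-entry hash blocklist are all constructed for the example; the point it shows is that a hash-keyed rule fires only on the one listed sample, while rules keyed on file name plus version, certificate age, and load path fire on every variant.

```python
"""Hash-independent triage of constructed Sysmon Event ID 6 (DriverLoad) records."""
from datetime import date
import ntpath

LEGACY_CERT_CUTOFF = date(2015, 7, 29)   # Windows still loads drivers signed with certs issued before this
TRUESIGHT_FIXED_VERSION = (3, 4, 0)      # arbitrary process termination fixed in Truesight.sys 3.4.0
DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed hash blocklist with a single truesight.sys sample: the position a flat-hash
# blocklist is in when facing 2,500+ re-hashed variants. Placeholder value, not a real hash.
KNOWN_BAD_SHA256 = {"2" * 64: "truesight.sys 2.0.2 (one sample)"}

EVENTS = [  # constructed records in Sysmon's 'Key: Value' message layout; all values are made up
    r"""Driver loaded:
UtcTime: 2025-01-15 10:22:01.123
ImageLoaded: C:\Users\Public\Libs\truesight.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Adlice
SignatureStatus: Valid
FileVersion: 2.0.2.0
SignerNotBefore: 2012-03-09""",
    r"""Driver loaded:
UtcTime: 2025-01-15 10:25:44.900
ImageLoaded: C:\Users\Public\Libs\truesight.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Adlice
SignatureStatus: Valid
FileVersion: 2.0.2.0
SignerNotBefore: 2012-03-09""",
    r"""Driver loaded:
UtcTime: 2025-01-15 10:26:10.001
ImageLoaded: C:\Windows\System32\drivers\ndis.sys
Hashes: SHA256=3333333333333333333333333333333333333333333333333333333333333333
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
FileVersion: 10.0.22621.1
SignerNotBefore: 2023-02-16""",
    r"""Driver loaded:
UtcTime: 2025-01-15 10:30:00.500
ImageLoaded: C:\Windows\System32\drivers\truesight.sys
Hashes: SHA256=4444444444444444444444444444444444444444444444444444444444444444
Signed: true
Signature: Adlice
SignatureStatus: Valid
FileVersion: 3.4.0.0
SignerNotBefore: 2016-05-01""",
]


def parse_event(text):
    """Turn the 'Key: Value' lines of a Sysmon event message into a dict."""
    ev = {}
    for line in text.strip().splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            ev[key.strip()] = value.strip()
    return ev


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def sha256_of(ev):
    for part in ev.get("Hashes", "").split(","):
        if part.startswith("SHA256="):
            return part[len("SHA256="):].lower()
    return ""


def triage(ev):
    """Return the names of the rules that fire for one DriverLoad event."""
    hits = []
    image = ev.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    if sha256_of(ev) in KNOWN_BAD_SHA256:
        hits.append("known_bad_hash")                 # misses every re-hashed variant
    if name == "truesight.sys" and parse_version(ev.get("FileVersion", "0")) < TRUESIGHT_FIXED_VERSION:
        hits.append("vulnerable_truesight_version")   # fires whatever the hash is
    if ev.get("Signed", "").lower() == "true" and "SignerNotBefore" in ev:
        issued = date.fromisoformat(ev["SignerNotBefore"])
        if issued < LEGACY_CERT_CUTOFF and "microsoft" not in ev.get("Signature", "").lower():
            hits.append("legacy_signed_driver")       # loadable only via the pre-2015 exception
    if not ntpath.dirname(image).lower().startswith(DRIVER_DIR):
        hits.append("driver_outside_system_drivers")  # BYOVD drops usually land in user-writable paths
    return hits


def run(events):
    parsed = [parse_event(t) for t in events]
    return [(ev["ImageLoaded"], triage(ev)) for ev in parsed]


if __name__ == "__main__":
    for image, hits in run(EVENTS):
        print(image, hits or "clean")
```

In a real pipeline the enrichment fields would be populated from the file on disk (version resource and signing certificate) at collection time; the thresholds and rule set are a starting point to tune against your own driver inventory.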

Hunter Insights

The combination of effective security evasion, sophisticated techniques, and severe impact classifies this as a high-priority threat requiring immediate attention, especially for organizations in the targeted regions or industries. Based on the information provided in the report, this Truesight.sys driver exploitation represents a high-level threat for several reasons:

  • Sophisticated Evasion Techniques: The attackers created over 2,500 unique variants of the same driver while maintaining valid digital signatures, making traditional hash-based detection ineffective.
  • Effective Security Bypass: The BYOVD technique allows attackers to terminate security processes, including EDR tools and antivirus programs, essentially disabling an organization's primary defenses.
  • Widespread Impact: With active targeting through phishing emails, fake websites, and malicious Telegram channels since mid-2024, the campaign has already affected multiple organizations, primarily in Asia.
  • Persistence and Stealth: The multi-stage attack chain with DLL side-loading, encrypted payloads, and commercial obfuscation tools (VMProtect) allows attackers to remain undetected for extended periods.
  • Delayed Remediation: Despite Microsoft's December 2024 blocklist update, many organizations remain vulnerable as these updates require manual implementation and are not applied automatically.
  • Severe Payload: The final payload (Gh0st RAT) gives attackers complete control over infected systems, allowing data theft, espionage, and system manipulation. 
💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.