Check Point Research (CPR) has uncovered a sophisticated cyber campaign that exploits a Windows driver-signing policy loophole to disable security tools and deploy malware on thousands of systems since June 2024. CPR found that after three stages of encrypted payload execution, the attackers disabled security processes through a vulnerable kernel driver and established remote control via Gh0st RAT variants.

The attackers leveraged more than 2,500 modified variants of the vulnerable Truesight.sys driver (v2.0.2), part of Adlice's RogueKiller Antirootkit, to terminate protected processes such as EDR and AV solutions and then install Gh0st RAT payloads. They relied on a critical Windows policy exception that allows legacy drivers signed before July 2015 to load on modern systems, bypassing Microsoft's Driver Signature Enforcement (DSE). As attackers increasingly adopt "living-off-the-signed" tactics, continuous monitoring of driver vulnerabilities becomes critical for enterprise defense.
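Because the campaign used thousands of distinct variants of one signed driver, a hash blocklist alone cannot keep up; the check below, an added defender-side example that is not code from the CPR report or from Adlice, instead inventories kernel drivers and flags those that depend on the legacy signing exception or carry Truesight.sys metadata. It assumes administrator rights, the default driver directory, and Microsoft's published 2015-07-29 certificate cutoff for that exception.

```powershell
# Added example, not from the CPR report: inventory .sys files and flag drivers that
# (a) are signed with a certificate issued before the legacy-exception cutoff,
# (b) carry Truesight.sys as their embedded OriginalFilename, whatever the file hash, or
# (c) have a signature that no longer validates.
# Assumption: 2015-07-29 is Microsoft's cutoff for the pre-Windows-10-1607 signing exception.
$Cutoff = Get-Date '2015-07-29'

function Get-LegacySignedDrivers {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")

    # Map registered driver services by file name so we can tell which flagged files can load.
    $registered = @{}
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        if ($_.PathName) {
            $leaf = (Split-Path -Leaf ($_.PathName.Trim('"'))).ToLower()
            $registered[$leaf] = $_.State
        }
    }

    Get-ChildItem -Path $DriverDir -Filter *.sys -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert    = $sig.SignerCertificate
        $ver     = $_.VersionInfo
        $reasons = @()

        if ($cert -and $cert.NotBefore -lt $Cutoff) { $reasons += 'signer cert issued before 2015-07-29 (legacy exception)' }
        if ($ver.OriginalFilename -ieq 'truesight.sys') { $reasons += 'OriginalFilename = Truesight.sys' }
        if ($sig.Status -ne 'Valid')                    { $reasons += "signature status: $($sig.Status)" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path          = $_.FullName
                ServiceState  = $registered[$_.Name.ToLower()]   # $null if not registered as a service
                Signer        = if ($cert) { $cert.Subject } else { $null }
                CertNotBefore = if ($cert) { $cert.NotBefore } else { $null }
                FileVersion   = $ver.FileVersion
                SHA256        = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Reasons       = $reasons -join '; '
            }
        }
    }
}

# Oldest signer certificates first; feed the SHA256 column into your EDR or blocklist review.
Get-LegacySignedDrivers | Sort-Object CertNotBefore | Format-Table -AutoSize
```

Legitimate vendor drivers will also appear under reason (a), so treat the output as a triage list to review against the Microsoft vulnerable driver blocklist rather than as a verdict.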
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Feb 2025 17:50:15 +0000