Cybercriminals are increasingly exploiting legitimate Windows driver-signing processes to deploy sophisticated kernel-level malware, with new research revealing a concerning trend that has compromised over 620 drivers since 2020.

A comprehensive investigation by cybersecurity researchers has uncovered how threat actors are systematically abusing Microsoft's Windows Hardware Compatibility Program (WHCP) and Extended Validation (EV) certificates to legitimize malicious kernel drivers, effectively bypassing traditional security defenses and gaining unprecedented system control. Since 2020, security researchers have identified more than 620 malicious drivers, 80+ compromised certificates, and 60+ WHCP accounts associated with threat actor campaigns.

The emergence of underground driver-certificate providers highlights the resourcefulness of threat actors and reveals critical weaknesses in current driver-signing processes, emphasizing the urgent need for enhanced security measures in the digital certificate ecosystem.

The scale represents a significant escalation in kernel-level attacks. Group-IB's threat intelligence investigation found that approximately 32% of the analyzed malicious drivers functioned as loaders, capable of retrieving secondary payloads from command-and-control servers. The abuse peaked in 2022, when over 250 drivers and approximately 34 certificates and WHCP accounts were identified by security researchers as potentially compromised.

Analysis reveals a significant concentration of malicious activity originating from Chinese threat actors, with most certificates and WHCP accounts tied to Chinese companies based on metadata analysis. Security researchers have also identified overlapping infrastructure between seemingly unrelated campaigns, suggesting coordinated efforts among multiple threat actor groups using shared signing capabilities.
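Because the drivers described above carry valid Microsoft or EV signatures, a plain "is it signed?" check will not surface them. A defender's first step is to inventory which signed third-party drivers are actually loaded and compare them against an allow-list the organisation maintains. The script below is an added example, not code from the article or from Group-IB. It assumes that WHCP-submitted drivers are released with the signer subject "Microsoft Windows Hardware Compatibility Publisher" (so the submitting company's own EV certificate is not visible on the file itself), and `$KnownGoodSigners` is a placeholder allow-list you fill in yourself.

```powershell
# Added example (not from the article or Group-IB): inventory running kernel
# drivers by Authenticode signer so that WHCP- and third-party-signed drivers
# can be reviewed against a local allow-list. Run from an elevated session.
#
# Assumptions (labelled here and in the lead-in):
# - WHCP-released drivers are signed with the subject
#   "Microsoft Windows Hardware Compatibility Publisher".
# - $KnownGoodSigners is a placeholder; populate it with signers you trust.

$KnownGoodSigners = @(
    'CN=Microsoft Windows*'     # placeholder: in-box Microsoft drivers
)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Normalise device-style paths (\??\ or \SystemRoot\) to a file path.
    $path = $d.PathName -replace '"', ''
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature also resolves catalog-signed files (SignatureType = Catalog).
    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }
    $issued  = if ($cert) { $cert.NotBefore } else { $null }

    $kind = if ($subject -like '*Microsoft Windows Hardware Compatibility Publisher*') {
        'WHCP'          # released through the hardware program; submitter not visible here
    } elseif ($subject -like 'CN=Microsoft Windows*') {
        'Microsoft'     # in-box driver
    } elseif ($subject) {
        'ThirdParty'    # directly signed, e.g. with an EV code-signing certificate
    } else {
        'Unsigned'
    }

    $allowed = $false
    foreach ($pattern in $KnownGoodSigners) {
        if ($subject -like $pattern) { $allowed = $true; break }
    }

    [pscustomobject]@{
        Name          = $d.Name
        Path          = $path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        Kind          = $kind
        Signer        = $subject
        CertNotBefore = $issued
        NeedsReview   = (-not $allowed) -or ($sig.Status -ne 'Valid')
    }
}

# Everything not on the allow-list, or whose signature does not validate, goes to review.
$report | Where-Object { $_.NeedsReview } |
    Sort-Object Kind, Signer |
    Format-Table Name, Kind, Status, SignatureType, Signer, CertNotBefore -AutoSize
```

The point of the `Kind` column is triage, not verdict: a `WHCP` or `ThirdParty` driver that validates is exactly what the abused-certificate campaigns look like, so those rows should be reconciled against the hardware and software actually deployed on the host, and any driver nobody can account for should be hashed and checked against current threat intelligence before it is trusted.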
This article was published on cybersecuritynews.com on Mon, 07 Jul 2025 10:25:16 +0000.