A large-scale campaign is leveraging a trusted Windows security driver, transforming it into a tool for disabling protective measures before deploying ransomware and remote access malware. This sophisticated attack exploits truesight.sys, a kernel driver from Adlice Software’s RogueKiller antivirus, utilizing over 2,500 validly signed variants to stealthily disable endpoint detection and response (EDR) and antivirus solutions across various Windows systems.
The threat first captured attention when researchers at Check Point revealed how attackers were manipulating legacy driver signing rules to load pre-2015 signed drivers on contemporary Windows 11 machines. This tactic enables the execution of the vulnerable TrueSight driver with full kernel privileges, circumventing Microsoft’s security controls designed to block potentially harmful drivers. Consequently, this method provides a reliable means to neutralize security tools prior to any malicious payload deployment.
Following the initial discovery, analysts from MagicSword observed that the driver abuse had proliferated among multiple threat groups and across different regions, with new driver variants emerging weekly. Their telemetry indicated that both financially motivated actors and advanced persistent threat (APT) groups were employing the same strategy to pave the way for ransomware and remote access trojans on compromised systems.
At the core of this operation lies the ability to terminate nearly any security process on the affected system. The vulnerable TrueSight 2.0.2 driver exposes an IOCTL interface whose input is attacker-controlled, so a caller can name the processes it wants killed and have the driver forcibly terminate them, including protected EDR agents and antivirus engines. Once the driver is loaded, the malware bypasses user-mode tamper protections entirely, operating directly within the Windows kernel with privileges equivalent to those of legitimate security software.
The implications for defenders are profound. With EDR agents disabled at the kernel level, telemetry ceases, alerts fail to trigger, and ransomware or remote access trojans can execute with minimal resistance. Often, victims remain unaware of the attack until files are encrypted or data has been surreptitiously exfiltrated. The extensive range of driver variants and the high evasion rate against traditional antivirus solutions render this technique particularly perilous for enterprises that depend on hash-based or signature-only defenses.
Infection Chain: From Phishing to Full Control
The infection chain associated with these attacks follows a methodical approach, employing common delivery mechanisms while integrating advanced driver exploitation. Initial access frequently begins with phishing emails, deceptive download sites, or compromised Telegram channels that entice users into executing a disguised installer.
This first-stage executable functions as a downloader, retrieving additional components from attacker-controlled servers, typically hosted on cloud infrastructure. In the subsequent stage, the malware establishes persistence through scheduled tasks and DLL side-loading, ensuring it remains operational after reboots and blends seamlessly with standard system activities.
The malware then deploys an EDR killer module, heavily obfuscated with VMProtect to complicate reverse engineering efforts. MagicSword researchers have identified that this module targets nearly 200 different security products, including CrowdStrike, SentinelOne, Kaspersky, and Symantec, enhancing the campaign’s effectiveness across a wide array of enterprise environments.
Once prepared, the module downloads the TrueSight driver if it is not already installed, sets it up as a Windows service (typically named TCLService), and issues the crafted IOCTL request to terminate running security processes. With defenses dismantled, the final payload—often a HiddenGh0st remote access trojan or a ransomware variant—executes with little to no visibility. This entire sequence, from the initial phishing click to achieving full system control, can transpire in as little as 30 minutes, creating a narrow window for detection and response.
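Because hashes do not help against 2,500+ signed variants, detection has to key on the observable steps of the chain above: a pre-2015-signed truesight.sys being loaded and the driver being installed as a service. The following is an added example (not the article's or any vendor's code); the event shapes, field names, the July 2015 cross-signing cutoff and the sample records are constructed assumptions loosely modelled on driver-load and service-install telemetry.

```python
# Added example, not from the article or any vendor. Event shapes, field
# names and sample records are constructed assumptions.
from datetime import date

# Windows still loads kernel drivers cross-signed before this cutoff, the
# legacy-signing loophole the campaign relies on (article: "pre-2015").
LEGACY_SIGNING_CUTOFF = date(2015, 7, 29)
ABUSED_DRIVER_NAMES = {"truesight.sys"}
ABUSED_SERVICE_NAMES = {"tclservice"}   # service name cited in the article


def score_event(ev: dict) -> list[str]:
    """Return the detection reasons for one event; an empty list is benign."""
    reasons = []
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if ev.get("kind") == "driver_load":
        # Hash lists fail here (2,500+ signed variants): key on name and date.
        if image in ABUSED_DRIVER_NAMES:
            reasons.append(f"known-abused driver {image}")
        signed = ev.get("signed_on")
        if signed and date.fromisoformat(signed) < LEGACY_SIGNING_CUTOFF:
            reasons.append(f"legacy signature dated {signed}")
    elif ev.get("kind") == "service_install":
        if ev.get("service_name", "").lower() in ABUSED_SERVICE_NAMES:
            reasons.append("service name used by the EDR-killer module")
        if image in ABUSED_DRIVER_NAMES:
            reasons.append(f"service binary is {image}")
    return reasons


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> reasons for every event that trips at least one check."""
    return {ev["id"]: r for ev in events if (r := score_event(ev))}


# Constructed sample telemetry; none of these paths or dates are real indicators.
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "driver_load", "image": r"C:\Windows\System32\drivers\truesight.sys", "signed_on": "2014-11-03"},
    {"id": "e2", "kind": "service_install", "service_name": "TCLService", "image": r"C:\ProgramData\tmp\truesight.sys"},
    {"id": "e3", "kind": "driver_load", "image": r"C:\Windows\System32\drivers\ndis.sys", "signed_on": "2024-02-10"},
    {"id": "e4", "kind": "driver_load", "image": r"C:\Users\Public\renamed.sys", "signed_on": "2014-06-30"},  # renamed copy: date alone trips
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

A renamed variant (e4) is caught only by its legacy signing date, which is why the date check matters more than the filename match.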