2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT - Related to 1.59m, infected, exploited, peak, cloud

2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT

A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.

"To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the driver by modifying specific PE parts while keeping the signature valid," Check Point stated in a new investigation .

The cybersecurity business expressed the malicious activity involved thousands of first-stage malicious samples that are used to deploy a program capable of terminating endpoint detection and response (EDR) software by means of what's called a bring your own vulnerable driver (BYOVD) attack.

As many as 2,500 distinct variants of the legacy version of the vulnerable RogueKiller Antirootkit Driver, . Have been identified on the VirusTotal platform, although the number is believed to be likely higher. The EDR-killer module was first detected and recorded in June 2024.

The issue with the Truesight driver, an arbitrary process termination bug affecting all versions below , has been previously weaponized to devise proof-of-concept (PoC) exploits such as Darkside and TrueSightKiller that are publicly available since at least November 2023.

In March 2024, SonicWall revealed details of a loader called DBatLoader that was found to have utilized the driver to kill security solutions before delivering the Remcos RAT malware.

Building on these developments, there is some evidence to suggest that the campaign could be the work of a threat actor called the Silver Fox APT due to some level of overlaps in the execution chain and the tradecraft employed, including the "infection vector, execution chain, similarities in initial-stage samples [...], and historical targeting patterns."

This is also reinforced by the fact that around 75% of the victims are located in China, with the remainder concentrated in other parts of Asia, primarily Singapore and. Taiwan.

The attack sequences involve the distribution of first-stage artifacts that are often disguised as legitimate applications and propagated via deceptive websites offering deals on luxury products and fraudulent channels in popular messaging apps like Telegram.

The samples act as a downloader, dropping the legacy version of the Truesight driver, as well as the next-stage payload that mimics common file types, such as PNG, JPG, and GIF. The second-stage malware then proceeds to retrieve another malware that, in turn, loads the EDR-killer module and the Gh0st RAT malware.

"While the variants of the legacy Truesight driver (version are typically downloaded and installed by the initial-stage samples, they can also be deployed directly by the EDR/AV killer module if the driver is not already present on the system," Check Point explained.

"This indicates that although. The EDR/AV killer module is fully integrated into the campaign, it is capable of operating independently of the earlier stages."

The module employs the BYOVD technique to abuse the susceptible driver for the purpose of terminating processes related to certain security software. In doing so, the attack offers an advantage in that it bypasses the Microsoft Vulnerable Driver Blocklist, a hash value-based Windows mechanism designed to protect the system against known vulnerable drivers.

The attacks culminated with the deployment of a variant of Gh0st RAT called HiddenGh0st, which is designed to remotely control compromised systems, giving attackers a way to conduct data theft, surveillance, and system manipulation.

As of December 17, 2024, Microsoft has updated the driver blocklist to include the driver in question, effectively blocking the exploitation vector.

"By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms. Allowing them to evade detection for months," Check Point noted.

"Exploiting Arbitrary Process Termination vulnerability allowed the EDR/AV killer module to target and disable processes commonly associated with security solutions, further enhancing the campaign's stealth."

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, M...

CISA has warned US federal agencies to secure their systems against attacks exploiting vulnerabilities in Cisco and Windows systems.

Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries

Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.

The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025. Spanning 226 countries and regions. As of February 25, 2025, India has experienced a notable surge in infection rate, increasing from less than 1% (3,901) to (217,771).

"Vo1d has evolved to enhance its stealth, resilience. And anti-detection capabilities," QiAnXin XLab expressed. "RSA encryption secures network communication, preventing [command-and-control] takeover even if [the Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique Downloader, with XXTEA encryption and RSA-protected keys, making analysis harder."

The malware was first documented by Doctor Web in September 2024 as affecting Android-based TV boxes by means of a backdoor that's capable of downloading additional executables based on instructions issued by the command-and-control (C2) server.

It's not exactly clear how the compromises take place, although it's suspected to either involve some kind of a supply chain attack or the use of unofficial firmware versions with built-in root access.

XLab theorized that the rapid fluctuation in the botnet activity is likely due to its infrastructure being leased in specific regions to other criminal actors as part of what it noted is a "rental-return" cycle where the bots are leased for a set time period to enable illegal operations, after which they join the larger Vo1d network.

An analysis of the newer version of the ELF malware (s63) has found that it's designed to download, decrypt, and execute a second-stage payload that's responsible for establishing communications with a C2 server.

The decrypted compressed package (ts01) contains four files: , cv, vo1d, and It starts with the shell script launching the cv component. Which, in turn, launches both vo1d and the Android app after installation.

The vo1d module's primary function is to decrypt and load an embedded payload, a backdoor that's capable of establishing communication with a C2 server and downloading and executing a native library.

"Its core functionality remains unchanged," XLab introduced. "However, it has undergone significant updates to its network communication mechanisms, notably introducing a Redirector C2. The Redirector C2 serves to provide the bot with the real C2 server address, leveraging a hardcoded Redirector C2 and a large pool of domains generated by a DGA to construct an expansive network architecture."

For its part. The malicious Android app carries the package name "" in what's a clear attempt to masquerade as the legitimate Google Play Services ("") to fly under the radar. It sets up persistence on the host by listening for the "BOOT_COMPLETED" event so that it automatically runs after each reboot.

It's also engineered to launch two other components that have a similar functionality as that of the vo1d module. The attack chain paves the way for the the deployment of a modular Android malware named Mzmess that incorporates for four different plugins -.

Popa ("") and Jaguar ("") for proxy services.

Lxhwdg (""), whose purpose remains unknown due to its C2 server being offline.

Spirit ("") for ad promotion and traffic inflation.

Furthermore, the lack of infrastructural overlaps between Mzmess and Vo1d has raised the possibility that the threat behind the malicious activity may be renting the service to other groups.

"Currently. Vo1d is used for profit, but its full control over devices allows attackers to pivot to large-scale cyber attacks or other criminal activities [such as distributed denial-of-service (DDoS) attacks]," XLab unveiled. "Hackers could exploit them to broadcast unauthorized content."

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara. M...

A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection effo...

Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced...

FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services

Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware called FatalRAT.

"The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure," Kaspersky ICS CERT noted in a Monday investigation.

"The attackers employed a sophisticated multi-stage payload delivery framework to ensure evasion of detection."

The activity has singled out government agencies and industrial organizations, particularly manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation. In Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong.

The lure attachments used in the email messages suggest that the phishing campaign is designed to go after Chinese-speaking individuals.

It's worth noting that FatalRAT campaigns have previously leveraged bogus Google Ads as a distribution vector. In September 2023, Proofpoint documented another email phishing campaign that propagated various malware families such as FatalRAT, Gh0st RAT, Purple Fox. And ValleyRAT.

An interesting aspect of both intrusion sets is that they have primarily targeted Chinese-language speakers and Japanese organizations. Some of these activities have been attributed to a threat actor tracked as Silver Fox APT.

The starting point of the latest attack chain is a phishing email containing a ZIP archive with a Chinese-language filename, which, when launched, launches the first-stage loader that. In turn, makes a request to Youdao Cloud Notes in order to retrieve a DLL file and a FatalRAT configurator.

For its part, the configurator module downloads the contents of another note from [.]com so as to access the configuration information. It's also engineered to open a decoy file in an effort to avoid raising suspicion.

The DLL, on the other hand, is a second-stage loader that's responsible for downloading and installing the FatalRAT payload from a server ("myqcloud[.]com") specified in the configuration, while displaying a fake error message about a problem running the application.

An significant hallmark of the campaign includes the use of DLL side-loading techniques to advance the multi-stage infection sequence and. Load the FatalRAT malware.

"The threat actor uses a black and white method where the actor leverages the functionality of legitimate binaries to make the chain of events look like normal activity," Kaspersky noted. "The attackers also used a DLL side-loading technique to hide the persistence of the malware in legitimate process memory."

"FatalRAT performs 17 checks for an indicator that the malware executes in a virtual machine or sandbox environment. If any of the checks fail, the malware stops executing."

It also terminates all instances of the process, and gathers information about the system and the various security solutions installed in it, before awaiting further instructions from a command-and-control (C2) server.

FatalRAT is a feature-packed trojan that's equipped to log keystrokes, corrupt Master Boot Record (MBR), turn on/off screen, search and delete user data in browsers like Google Chrome and Internet Explorer, download additional software like AnyDesk and UltraViewer, perform file operations, and start/stop a proxy, and terminate arbitrary processes.

It's currently not known who is behind the attacks using FatalRAT, although the tactical and instrumentation overlaps with other campaigns suggest that "they all reflect different series of attacks that are somehow related." Kaspersky has assessed with medium confidence that a Chinese-speaking threat actor is behind it.

"FatalRAT's functionality gives an attacker almost unlimited possibilities for developing an attack: spreading over a network, installing remote administration tools, manipulating devices, stealing, and deleting confidential information," the researchers mentioned.

"The consistent use of services and interfaces in Chinese at various stages of the attack, as well as other indirect evidence. Indicates that a Chinese-speaking actor may be involved."

Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malw...

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, M...

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, ...