PULSE NAME: Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
TLP: WHITE | Author: eric.ford | Created: 2025-02-24 | Modified: 2025-03-26
Indicators of Compromise: 20 (medium volume)
Attackers are exploiting a legacy Truesight driver, deploying over 2,500 variants to disable security software on Windows systems. This large-scale abuse highlights the urgency of securing outdated drivers and enforcing stricter driver-loading policies. Check Point Research found that attackers modify Truesight.sys v2.0.2 so that it bypasses Windows driver protections and evades the Microsoft Vulnerable Driver Blocklist, then use it to disable endpoint defenses and deploy malware such as Gh0st RAT. Most victims are in China and elsewhere in Asia. Microsoft updated its blocklist on Dec. 17, 2024, to counter this threat.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES: none listed
MALWARE FAMILIES: Gh0st, Truesight
Indicators of Compromise (20)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 0c997b061e3c66bd9e927c1288eb1cc7 MD5 of 3807e9a1bc159b9e8fc0c7caad10d7213ff8ed8ad1cea9ea552b093c81bf624b 2025-02-24
FileHash-MD5 cb551711d843a6e4c2972c9113e52481 MD5 of 9446165c038e30d89a877728d767a791b4beec6755834d7eeac5f3c418d4834c 2025-02-24
FileHash-SHA1 1d7e838accd498c2e5ba9373af819ec097bb955c 2025-02-24
FileHash-SHA1 4b49b6c4124947ae5a460d8f2a6c502d71641e7c SHA1 of 9446165c038e30d89a877728d767a791b4beec6755834d7eeac5f3c418d4834c 2025-02-24
FileHash-SHA1 eec05de41f47192338cf46869a02daf9ee1f08e4 SHA1 of 3807e9a1bc159b9e8fc0c7caad10d7213ff8ed8ad1cea9ea552b093c81bf624b 2025-02-24
FileHash-SHA256 0bf095b845b69928b5d7dfd1c42ae4f90feb8dc97f7830598c93e848877021fb 2025-02-24
FileHash-SHA256 3807e9a1bc159b9e8fc0c7caad10d7213ff8ed8ad1cea9ea552b093c81bf624b 2025-02-24
FileHash-SHA256 8a955633b93b27bc6c0751064a6ad5d6c0bf7b096d72779ced1a1a73b74cec31 2025-02-24
FileHash-SHA256 9446165c038e30d89a877728d767a791b4beec6755834d7eeac5f3c418d4834c 2025-02-24
FileHash-SHA256 cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 2025-02-24
URL http://8.210.12.177:9011 2025-02-24
URL http://8.212.102.228:9000 2025-02-24
URL http://bung486.com/oot.setup.w06.exe 2025-02-24
URL https://vmpsoft.com/vmprotect 2025-02-24
URL https://www.adlice.com/ 2025-02-24
URL https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/gh0st-rat-spreads-using-fake-telegram-download-page 2025-02-24
domain bung486.com 2025-02-24
domain vmpsoft.com 2025-02-24
hostname www.adlice.com 2025-02-24
hostname www.sangfor.com 2025-02-24