← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
WHITE eric.ford 2025-02-24 Modified: 2025-03-26
20
IOCs
MEDIUM VOLUME
Attackers are exploiting a legacy Truesight driver, deploying over 2,500 variants to disable security software on Windows systems. This large-scale abuse highlights the urgency of securing outdated drivers and enforcing stricter security policies. Check Point Research found that attackers modify Truesight.sys v2.0.2 to bypass Windows protections, evade the Microsoft Blocklist, and deploy malware like Gh0st RAT. Most victims are in China and Asia. Microsoft updated its blocklist on Dec. 17, 2024, to counteract this threat.
edrav killergh0st ratstage3truesighttbs hashstage2adlicenullsignerchinavmprotectdwordfirstjunedarksidevirustotalstagestrojangh0st
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Gh0st Truesight
Indicators of Compromise (2 / 20 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 0c997b061e3c66bd9e927c1288eb1cc7 MD5 of 3807e9a1bc159b9e8fc0c7caad10d7213ff8ed8ad1cea9ea552b093c81bf624b 2025-02-24
FileHash-MD5 cb551711d843a6e4c2972c9113e52481 MD5 of 9446165c038e30d89a877728d767a791b4beec6755834d7eeac5f3c418d4834c 2025-02-24
References (1)
↗ https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/