← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
WHITE eric.ford 2025-02-24 Modified: 2025-03-26
20
IOCs
MEDIUM VOLUME
Attackers are exploiting a legacy Truesight driver, deploying over 2,500 variants to disable security software on Windows systems. This large-scale abuse highlights the urgency of securing outdated drivers and enforcing stricter security policies. Check Point Research found that attackers modify Truesight.sys v2.0.2 to bypass Windows protections, evade the Microsoft Blocklist, and deploy malware like Gh0st RAT. Most victims are in China and Asia. Microsoft updated its blocklist on Dec. 17, 2024, to counteract this threat.
edrav killergh0st ratstage3truesighttbs hashstage2adlicenullsignerchinavmprotectdwordfirstjunedarksidevirustotalstagestrojangh0st
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Gh0st Truesight
Indicators of Compromise (5 / 20 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 0bf095b845b69928b5d7dfd1c42ae4f90feb8dc97f7830598c93e848877021fb 2025-02-24
FileHash-SHA256 3807e9a1bc159b9e8fc0c7caad10d7213ff8ed8ad1cea9ea552b093c81bf624b 2025-02-24
FileHash-SHA256 8a955633b93b27bc6c0751064a6ad5d6c0bf7b096d72779ced1a1a73b74cec31 2025-02-24
FileHash-SHA256 9446165c038e30d89a877728d767a791b4beec6755834d7eeac5f3c418d4834c 2025-02-24
FileHash-SHA256 cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 2025-02-24
References (1)
↗ https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/