
Image: Gh0st RAT, encryption logic of the custom network protocol (Check Point)
A large-scale cyberattack campaign that leverages legacy drivers to disable endpoint security solutions has been uncovered by Check Point Research (CPR). The campaign, first detected in June 2024, exploits Truesight.sys version 2.0.2, a known vulnerable driver, to bypass Windows security mechanisms and execute sophisticated attacks. Attackers generated more than 2,500 unique variants of the driver, enabling them to remain undetected while compromising systems across Asia, with a primary focus on China, Singapore, and Taiwan.
CPR’s findings highlight that attackers specifically targeted version 2.0.2 of the Truesight.sys driver. This outdated version is not included in the Microsoft Vulnerable Driver Blocklist and is not flagged by detection mechanisms such as LOLDrivers.
According to CPR: “The attackers exploited the legacy version 2.0.2 of the Truesight driver to take advantage of a Windows policy loophole (Exception in Driver Signing Policy), allowing the driver to be loaded on the latest versions of Windows OS.”
This policy exception permits drivers with certificates issued before July 29, 2015, to be loaded—even on the latest Windows builds. Attackers capitalized on this loophole, ensuring that their malicious driver variants remained operational.
To avoid detection, attackers generated thousands of unique driver variants by slightly modifying the Portable Executable (PE) structure while keeping the original digital signature valid. This technique allowed them to circumvent traditional hash-based detection: every file carries a different hash while retaining the same vulnerable code.
Check Point observed: “We detected over 2,500 validly signed variants of this driver.” These modifications rendered hash-based detection ineffective, as no single hash could be used to identify all instances of the malicious driver.
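The reason a file hash cannot cover all 2,500 variants is that Authenticode does not sign the whole file: the PE CheckSum field, the Certificate Table directory entry and the certificate table itself are excluded from the signed hash, so edits confined to those regions leave the signature valid while changing the file's SHA-256. The defender's counterpart is to hunt on the Authenticode hash (the "authentihash" that VirusTotal indexes) instead, which stays constant across every variant that shares the same signed content. The following example is added here and is not code from Check Point or from the Truesight project; it implements the Authenticode hashing rules from Microsoft's PE Authenticode specification over a constructed minimal PE32+ image with a dummy (unsigned) certificate table, and it shows that two images differing only in unsigned bytes share one authentihash while an edit to a signed section byte changes it.

```python
import hashlib
import struct

# Offsets inside the optional header that Authenticode skips (identical for
# PE32 and PE32+ except for where the data directories start).
CHECKSUM_OFFSET = 64
CERT_DIR_OFFSET = {0x10B: 96 + 4 * 8, 0x20B: 112 + 4 * 8}  # directory index 4


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the way Authenticode does: headers minus CheckSum and
    the Certificate Table entry, then section raw data in file order, then
    any trailing data up to the certificate table (which Authenticode
    requires to be the last thing in the file)."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_dir = opt + CERT_DIR_OFFSET[magic]
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)

    # 1. Headers with the two unsigned fields cut out.
    h.update(pe[:opt + CHECKSUM_OFFSET])
    h.update(pe[opt + CHECKSUM_OFFSET + 4:cert_dir])
    h.update(pe[cert_dir + 8:size_of_headers])

    # 2. Section raw data, sorted by PointerToRawData.
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # 3. Trailing data, excluding the certificate table.
    end = cert_off if cert_size else len(pe)
    h.update(pe[hashed:end])
    return h.hexdigest()


def build_sample_pe(checksum: int, cert_padding: bytes) -> bytes:
    """Constructed minimal PE32+ image (one section, dummy certificate table).
    This is NOT a real signed driver; the certificate blob is a placeholder."""
    file_align = 0x200
    code = (b"\xC3" + b"\x90" * 15).ljust(file_align, b"\0")  # constructed body
    size_of_headers = file_align
    cert_off = size_of_headers + len(code)
    cert_blob = b"DUMMY-WIN_CERTIFICATE" + cert_padding
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    ddirs = [(0, 0)] * 16
    ddirs[4] = (cert_off, len(cert_blob))
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        0x20B, 14, 0, len(code), 0, 0, 0x1000, 0x1000, 0x140000000,
        0x1000, file_align, 10, 0, 0, 0, 10, 0, 0, 0x2000, size_of_headers,
        checksum, 1, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in ddirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                      size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(size_of_headers, b"\0")
    return headers + code + cert_blob


def demo() -> dict:
    """Compare a constructed image with a 'variant' that differs only in
    unsigned bytes, and with a copy whose signed section was edited."""
    original = build_sample_pe(checksum=0x1234, cert_padding=b"\0" * 8)
    variant = build_sample_pe(checksum=0x9999, cert_padding=b"\xff" * 8)
    patched = bytearray(original)
    patched[0x200] = 0x90  # first byte of .text raw data: signed content
    return {
        "file_hash_differs": hashlib.sha256(original).digest()
        != hashlib.sha256(variant).digest(),
        "authentihash_same": authenticode_hash(original)
        == authenticode_hash(variant),
        "signed_edit_changes_authentihash": authenticode_hash(bytes(patched))
        != authenticode_hash(original),
    }


if __name__ == "__main__":
    print(demo())
```

The function does not verify a signature; it only reproduces the digest a verifier checks, which is enough to match driver samples by signed content. Matching on this value, or on the signer certificate, gives one indicator for every variant, whereas a file hash covers a single file.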
The attack chain begins with first-stage downloaders, disguised as legitimate applications and distributed via phishing websites and messaging app channels. These malicious executables then deploy the EDR/AV killer module, which uses the modified Truesight driver to terminate security processes.
Once security protections are disabled, the attackers deliver their final payload: alongside the EDR/AV killer module, the initial-stage samples prepare the infected machine for final-stage payloads such as Gh0st RAT variants.
Gh0st RAT, a well-known remote access trojan (RAT), allows attackers to gain complete control over compromised systems, facilitating espionage, data theft, and lateral movement within networks.
The campaign’s infrastructure is hosted on a public cloud provider in China, with command-and-control (C2) servers also located in the region. Check Point reports that 75% of victims are in China, with additional infections observed in Singapore and Taiwan.
After CPR reported the attack to Microsoft Security Response Center (MSRC), an updated Microsoft Vulnerable Driver Blocklist was released on December 17, 2024, effectively preventing further exploitation of these legacy drivers.