
Attackers have reportedly exploited a vulnerable Windows driver, Truesight.sys, to bypass Endpoint Detection and Response (EDR) systems and deploy the HiddenGh0st RAT malware. Security researchers from Check Point have identified over 2,500 variants of the driver, which have been actively used in large-scale malware campaigns.
How Attackers Are Exploiting Truesight.sys
The Truesight.sys driver is linked to Adlice’s RogueKiller Antirootkit tool, with a critical vulnerability present in versions below 3.4.0. Hackers are leveraging an outdated 2.0.2 version of the driver to conduct Bring Your Own Vulnerable Driver (BYOVD) attacks, allowing them to disable security software before deploying malware.
According to Check Point’s report, threat actors have modified the PE (Portable Executable) components of the driver while maintaining its valid digital signature. This tactic enables attackers to evade detection by traditional security solutions, including Microsoft’s Vulnerable Driver Blocklist.
2,500+ Malicious Variants Discovered
Over 2,500 distinct versions of Truesight.sys have been found on VirusTotal, suggesting widespread exploitation. The attack first gained attention in June 2024, when cybersecurity experts detected an EDR-killer module designed to neutralize security defenses. The modified driver versions are used to execute arbitrary process termination, a technique that allows attackers to disable security tools and remain undetected.
Historical Exploitation of Truesight.sys
This vulnerability has been exploited in previous attacks, with Proof-of-Concept (PoC) exploits like Darkside and TrueSightKiller circulating online since November 2023. In March 2024, SonicWall reported that a loader named DBatLoader had been using Truesight.sys to disable security solutions before deploying the Remcos RAT malware.
Potential Link to Silver Fox APT
Cybersecurity analysts suspect that a group known as Silver Fox APT may be behind these attacks. The campaign shows similarities in infection methods, execution chains, and targeting patterns previously associated with the group. Threat actors are distributing malware through deceptive websites offering luxury product deals and fraudulent Telegram channels.
Multi-Stage Attack Chain
The attack follows a structured multi-stage execution process:
Initial Infection: Victims download first-stage malware disguised as legitimate applications.
Truesight.sys Deployment: The malware drops the vulnerable Truesight.sys driver onto the system.
Payload Execution: The second-stage malware disguises itself as common file types (PNG, JPG, GIF) to evade detection.
EDR-Killer Activation: Attackers use the BYOVD technique to terminate security processes.
HiddenGh0st RAT Deployment: The final payload is delivered, granting attackers remote control over infected systems.

Bypassing Microsoft’s Security Measures
Microsoft has attempted to counter these attacks by updating its Vulnerable Driver Blocklist as of December 17, 2024, to include Truesight.sys. However, Check Point researchers note that attackers have managed to bypass this protection by subtly modifying the driver’s structure while preserving its digital signature. This allowed them to evade Microsoft’s LOLDrivers detection and remain undetected for months.
HiddenGh0st RAT
The ultimate goal of this attack is to deploy HiddenGh0st RAT, a stealthy variant of the notorious Gh0st RAT malware. This Remote Access Trojan (RAT) enables attackers to:
Steal sensitive data from compromised devices.
Monitor user activity through keylogging and screen captures.
Execute malicious commands to control the infected system.
Mitigation
To prevent these attacks, security teams should implement the following measures:
Update Security Software: Ensure all security tools and endpoint defenses are updated with the latest patches.
Disable Vulnerable Drivers: Block outdated versions of Truesight.sys to prevent BYOVD exploitation.
Enable Driver Blocklists: Utilize Microsoft’s Vulnerable Driver Blocklist and regularly update it.
Monitor Unusual Activity: Detect and investigate unusual process terminations, which may indicate a BYOVD attack.
Educate Employees: Train staff to recognize phishing attempts and avoid downloading suspicious files.
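The "Monitor Unusual Activity" item above and the EDR-Killer step of the attack chain both come down to one correlation: a load of a pre-3.4.0 Truesight.sys followed shortly by terminations of security processes. The following is an added example, not code from the article or from Check Point, showing that correlation over constructed Sysmon-like log lines. It keys on the driver's file name and version rather than on its hash, because the article reports thousands of hash-distinct variants with the same signature. The log format, the `version` field (assumed to be enriched by the collector, since Sysmon's DriverLoad event carries hashes and signer but not a file version), the protected process names and the 60-second window are all assumptions for illustration.

```python
"""Correlate a vulnerable Truesight.sys load with terminations of security
processes in the seconds that follow (constructed Sysmon-like telemetry)."""
import re
from datetime import datetime, timedelta, timezone

# Image names of the security agents worth watching. Constructed, illustrative
# list: substitute the names of the agents actually deployed.
PROTECTED_PROCESSES = {"edrsvc.exe", "msmpeng.exe", "mssense.exe"}

# Truesight.sys versions below 3.4.0 carry the flaw described in the article.
FIXED_VERSION = (3, 4, 0)

# One "key=value" token whose value may contain spaces; the value runs until
# the next " key=" or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample events (not real logs): ISO timestamp, then key=value
# fields. Note the three driver loads carry different hashes; only the
# version decides whether the driver is vulnerable.
SAMPLE_LOG = """\
2024-06-12T09:14:02Z event=DriverLoad image=C:\\Windows\\Temp\\truesight.sys version=2.0.2.0 sha256=aaaa
2024-06-12T09:14:05Z event=ProcessTerminate image=C:\\Program Files\\EDR\\edrsvc.exe pid=1234
2024-06-12T09:14:06Z event=ProcessTerminate image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe pid=2345
2024-06-12T09:14:09Z event=ProcessTerminate image=C:\\Windows\\notepad.exe pid=3456
2024-06-12T09:20:00Z event=ProcessTerminate image=C:\\Program Files\\EDR\\edrsvc.exe pid=4567
2024-06-12T11:00:00Z event=DriverLoad image=C:\\Windows\\System32\\drivers\\truesight.sys version=3.4.0.0 sha256=bbbb
2024-06-12T11:00:03Z event=ProcessTerminate image=C:\\Program Files\\EDR\\edrsvc.exe pid=5678
2024-06-12T12:00:00Z event=DriverLoad image=C:\\Users\\a\\AppData\\Local\\Temp\\truesight.sys version=2.0.2.0 sha256=cccc
"""


def parse_event(line):
    """Split one log line into a dict of fields plus a timezone-aware 'time'."""
    ts, _, rest = line.partition(" ")
    ev = dict(FIELD_RE.findall(rest))
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def version_tuple(text):
    """'2.0.2.0' -> (2, 0, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_truesight(ev):
    """True for truesight.sys below 3.4.0; a missing version is treated as vulnerable."""
    if basename(ev.get("image", "")) != "truesight.sys":
        return False
    return version_tuple(ev.get("version", "0"))[:3] < FIXED_VERSION


def detect(log_text, window_seconds=60):
    """Return one finding per vulnerable driver load, ordered by load time.

    Severity is 'high' when a protected process was terminated within
    window_seconds after the load, otherwise 'medium' (the load alone is
    already worth investigating).
    """
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    for load in events:
        if load.get("event") != "DriverLoad" or not is_vulnerable_truesight(load):
            continue
        deadline = load["time"] + timedelta(seconds=window_seconds)
        killed = [
            basename(e["image"])
            for e in events
            if e.get("event") == "ProcessTerminate"
            and load["time"] <= e["time"] <= deadline
            and basename(e["image"]) in PROTECTED_PROCESSES
        ]
        findings.append({
            "severity": "high" if killed else "medium",
            "driver_load": load["time"].isoformat(),
            "image": load["image"],
            "version": load.get("version"),
            "sha256": load.get("sha256"),
            "killed": killed,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the first load (version 2.0.2.0, followed by terminations of two protected agents) is reported as high severity, the 3.4.0.0 load produces nothing even though an agent exits afterwards, and the third load is reported as medium on its own. Because the rule never consults the hash, a new variant with a repacked PE layout and the same version string is caught as readily as the one first seen.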
Conclusion
The exploitation of Truesight.sys highlights the ongoing evolution of cyber threats and the growing sophistication of attackers. By leveraging BYOVD tactics, hackers can neutralize security defenses and execute high-impact malware campaigns. As attackers continue to refine their techniques, organizations must stay proactive by strengthening their security posture and adopting a layered defense strategy.
With Microsoft now addressing this vulnerability, it remains to be seen how threat actors will adapt their methods. In the meantime, businesses should remain vigilant and take immediate action to protect their systems from these evolving cyber threats.