How Attackers Exploited A Legacy Windows Driver To Create A Massive Attack

The legacy driver went undetected by security software and block lists.

Driver software is a common threat vector, and Windows drivers are particularly prone to vulnerabilities because they run with kernel privileges.

Microsoft acknowledged driver threats in its ecosystem in a January 2025 post on its blog:

“To allow unique software solutions to be created by partners, Windows is an open ecosystem that allows full and direct kernel memory access. This access is helpful for enabling advanced functionalities but comes with significant responsibilities. ... When writing drivers, developers must follow secure coding guidelines to prevent vulnerabilities that could be exploited by malicious actors.”

Because drivers run with kernel access and elevated system privileges, a vulnerable or malicious driver hands those privileges to an attacker, which is why drivers are a favored tool for deploying malware and launching other attacks.

Security company Check Point Software Technologies in a blog post Monday highlighted how the exploitation of a single driver fueled a massive attack.

Check Point researchers found that an older version of Truesight.sys, a driver shipped with Adlice’s RogueKiller security software, contains a vulnerability that later versions of the driver fixed. The legacy build, however, was signed before Microsoft’s 2015 driver-signing policy change took effect, and drivers signed before that cutoff are still accepted by Windows, so it remains loadable on current systems.

The legacy version, 2.0.2, was not on Microsoft’s vulnerable driver block list and was not flagged by security software.

Attackers went further: by modifying the driver file they produced roughly 2,500 unique variants of it, each a distinct file that a hash-based blocklist would have to match individually, Check Point said. Hackers used these variants in a widespread attack that mostly compromised machines across Asia.

Check Point reported its findings to Microsoft, which has since updated its vulnerable driver block list to include the legacy driver.

By then the damage was done. Check Point makes the case in its post that security needs to move beyond traditional signature-based detection methods. Instead, “behavioral analysis, heuristic scanning and driver integrity checking can help identify suspicious driver activity, even when traditional blocklists do not flag the driver itself,” Check Point said in its post.
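The kind of driver integrity check Check Point describes can be scripted on a Windows host. The script below is an added example written for this article; it is not Check Point’s code, nor Adlice’s, nor Microsoft’s. It confirms whether Microsoft’s vulnerable driver blocklist and HVCI are actually enforced, then inventories every running kernel driver and flags it on indicators that survive byte-level variants: the file name, the signer of the Authenticode signature, the signature’s validity, and a signing certificate issued before the July 29, 2015 cutoff that the legacy signing exception keys on. The blocklist hash entry is a constructed placeholder, and the signer and file-name watch values simply mirror what the article names; the certificate-date test uses the certificate’s NotBefore as a proxy for its issue date, which is an assumption.

```powershell
# Added example, not from the article or Check Point. Run from an elevated PowerShell.
# Goal: find loaded drivers a hash-only blocklist would miss.

# 1. Is the Microsoft Vulnerable Driver Blocklist enforced, and is HVCI running?
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
$blocklistOn = ($ci.VulnerableDriverBlocklistEnable -eq 1)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciOn = ($dg.SecurityServicesRunning -contains 2)   # 2 = Hypervisor-enforced Code Integrity
"Vulnerable driver blocklist enabled: $blocklistOn ; HVCI running: $hvciOn"

# 2. Indicators. The hash is a constructed placeholder; real values come from your own
#    intel or Microsoft's published block rules. Name and signer are taken from the article.
$knownBadHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder
)
$watchFileNames = @('truesight.sys')
$watchSigners   = @('Adlice')      # variants of one signed file all share its signer
# Assumption: certificate NotBefore approximates its issue date. Certificates issued before
# 2015-07-29 fall under the legacy driver-signing exception and still load on Windows 10/11.
$cutoff = Get-Date '2015-07-29'

function Resolve-DriverPath([string]$p) {
    # Win32_SystemDriver.PathName is returned as \SystemRoot\..., \??\C:\..., or system32\...
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 3. Walk every running kernel driver and collect reasons to review it.
$findings = foreach ($d in Get-CimInstance Win32_SystemDriver |
                     Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
    $path = Resolve-DriverPath $d.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $hash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $reasons = @()

    if ($hash -in $knownBadHashes)  { $reasons += 'SHA-256 on blocklist' }
    if ($sig.Status -ne 'Valid')    { $reasons += "signature status $($sig.Status)" }
    $leaf = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    if ($leaf -in $watchFileNames)  { $reasons += "file name '$leaf' on watch list" }
    foreach ($s in $watchSigners) {
        if ($signer -like "*$s*") { $reasons += "signer matches '$s'" }
    }
    if ($sig.SignerCertificate -and $sig.SignerCertificate.NotBefore -lt $cutoff) {
        $reasons += 'signing certificate predates the 2015-07-29 cutoff'
    }

    if ($reasons) {
        [pscustomobject]@{
            Driver  = $d.Name
            Path    = $path
            SHA256  = $hash
            Signer  = $signer
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

A hit on the signer or the pre-2015 certificate is a prompt to review, not proof of compromise: legitimate installs of the same product will match too. What matters is that all 2,500 variants described above would produce the same signer and certificate date, so these two checks catch the whole family where the hash check catches only the one sample already on the blocklist.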

You can read the Check Point post here in its entirety.