Cybercriminals are weaponizing more than 2,500 variants of a single legitimately signed security driver to disable endpoint protection before deploying ransomware and remote access malware. The campaign abuses truesight.sys, a trusted Windows kernel driver shipped with Adlice Software’s RogueKiller antivirus, to shut down security defenses on compromised systems. Because the driver carries a valid signature, the operating system loads it willingly, and attackers inherit kernel privileges that leave organizations exposed to devastating follow-on attacks.
Researchers at Check Point initially brought attention to this trend, highlighting how attackers exploit a legacy exception in Windows driver signing policy: drivers signed with code-signing certificates issued before July 29, 2015 are still permitted to load on modern releases, including Windows 11. By gaining kernel privileges through the vulnerable TrueSight driver, malicious actors can neutralize Endpoint Detection and Response (EDR) and antivirus solutions without generating alerts, because the agents that would raise those alerts are the processes being killed. This abuse has been observed across multiple threat groups and regions, with new driver variants emerging regularly, indicating broad adoption of the evasion tactic.
Hackers Weaponize Security Tools to Terminate Endpoint Protection
The core of this attack lies in the TrueSight 2.0.2 driver’s ability to terminate nearly any process on a Windows machine. The driver exposes an Input/Output Control (IOCTL) command that accepts a caller-supplied process identifier and kills that process from kernel mode without checking who is asking, so any malware that can open the driver’s device object can forcibly terminate protected EDR agents and antivirus engines. Once the driver is loaded, the attacker’s requests execute with kernel privileges, which are the same privileges the security software itself relies on, so user-mode tamper protections are circumvented entirely.
The implications for cybersecurity defenses are significant. With EDR agents disabled at the kernel level, telemetry collection ceases and alerts fail to trigger. This creates an environment in which ransomware or remote access trojans can execute with little or no resistance. Victims often only become aware of the breach when their files are encrypted or sensitive data has been exfiltrated, underscoring the stealth and effectiveness of the method. The sheer volume of driver variants makes hash-based blocking unreliable: each variant differs only in bytes that the Authenticode hash does not cover, so the file hash changes while the signature stays valid. Enterprises that rely on signature or hash matching alone are therefore poorly placed to stop this technique.
Infection Chain: From Phishing to Full Control
The attack lifecycle typically begins with common initial access vectors such as malicious phishing emails, deceptive download websites, or compromised messaging channels such as Telegram. Users are enticed to run a disguised installer that acts as a first-stage downloader. This initial executable fetches additional components from attacker-controlled servers, which are often hosted on cloud infrastructure.
In the subsequent stage, the malware establishes persistence on the compromised system, typically through scheduled tasks and DLL side-loading, so that it survives reboots and blends in with legitimate processes. An EDR killer module is then deployed, heavily obfuscated with tools such as VMProtect to impede reverse engineering. Analysts have identified that this module carries a target list of approximately 200 security products from various vendors, including CrowdStrike, SentinelOne, Kaspersky, and Symantec, demonstrating its broad applicability across diverse enterprise security infrastructures.
Before executing the final payload, the module downloads and installs the TrueSight driver, typically as a Windows service named TCLService. It then enumerates running processes, matches them against its target list, and sends the driver a crafted IOCTL request for each matching process identifier, terminating every active security process it recognizes. Once defenses are neutralized, the final payload, which often consists of a HiddenGh0st remote access trojan or a ransomware variant, executes without detection. The entire process, from the initial user click on a phishing link to full system control, can reportedly be completed in as little as 30 minutes, drastically reducing the window for detection and response.
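The behaviour described above, a signed driver loaded from an unusual location followed seconds later by a burst of security-agent terminations, is what a defender can hunt for even though the driver hash changes from sample to sample. The rule below is an added example written for this page, not Check Point’s, Adlice’s or any vendor’s code. It correlates constructed, Sysmon-style records (event 6 driver load, event 7045 service install, event 5 process terminate) and keys on the driver’s file name and signer rather than its hash. The service name TCLService comes from the article; the file paths, host names, hash placeholders and the list of security-process names are assumptions for illustration.

```python
"""Hunting rule for BYOVD-style EDR killing.

Correlates the load of a known-abused driver with a burst of
security-product process terminations on the same host.  Added example
for this page; not Check Point's or Adlice's code.  All log lines are
constructed, Sysmon-like records, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Indicators that survive hash variation: file name and signer.  Matching
# on sha256 alone is defeated by the thousands of padded variants.
ABUSED_DRIVER_NAMES = {"truesight.sys"}
ABUSED_SIGNERS = {"adlice"}
# Constructed list of security-agent process names (assumed; extend it
# from your own software inventory).
SECURITY_PROCESS_RE = re.compile(
    r"(csfalconservice|sentinelagent|avp\.exe|ccsvchst|msmpeng)", re.I)
WINDOW = timedelta(minutes=10)   # how long after the load we count kills
KILL_THRESHOLD = 2               # distinct security processes killed

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: WS01 shows the full kill chain, WS02 a driver load
# with no kills, WS03 an agent exiting with no driver involved.  The
# hash placeholders deliberately differ to show that hashes are ignored.
SAMPLE_LOG = r"""
2025-02-20T10:01:03Z host=WS01 event=7045 service=TCLService image="C:\ProgramData\Setup\truesight.sys"
2025-02-20T10:01:05Z host=WS01 event=6 image="C:\ProgramData\Setup\truesight.sys" signer="Adlice" sha256=CONSTRUCTED_HASH_A
2025-02-20T10:01:09Z host=WS01 event=5 image="C:\Program Files\CrowdStrike\CSFalconService.exe"
2025-02-20T10:01:10Z host=WS01 event=5 image="C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"
2025-02-20T10:01:11Z host=WS01 event=5 image="C:\Program Files (x86)\Kaspersky Lab\avp.exe"
2025-02-20T13:00:00Z host=WS02 event=6 image="C:\Windows\System32\drivers\truesight.sys" signer="Adlice" sha256=CONSTRUCTED_HASH_B
2025-02-20T13:20:00Z host=WS02 event=5 image="C:\Windows\System32\notepad.exe"
2025-02-20T14:00:00Z host=WS03 event=5 image="C:\Program Files\CrowdStrike\CSFalconService.exe"
"""


def parse_line(line):
    """Parse 'ts key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, quoted, bare in KV_RE.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_abused_driver(rec):
    """Match on file name or signer, never on the per-sample hash."""
    return (basename(rec.get("image", "")) in ABUSED_DRIVER_NAMES
            or rec.get("signer", "").lower() in ABUSED_SIGNERS)


def detect(lines):
    """Return one alert per (host, driver path).  Severity is 'high' when
    at least KILL_THRESHOLD distinct security processes terminate within
    WINDOW after the first load/install event, else 'medium' (RogueKiller
    has legitimate users, so a bare load is a weaker signal)."""
    records = sorted((parse_line(l) for l in lines if l.strip()),
                     key=lambda r: r["ts"])
    first_load = {}              # (host, image) -> earliest load record
    kills = defaultdict(list)    # host -> security-process terminations
    for rec in records:
        host = rec.get("host")
        if rec.get("event") in ("6", "7045") and is_abused_driver(rec):
            first_load.setdefault((host, rec["image"].lower()), rec)
        elif rec.get("event") == "5" and SECURITY_PROCESS_RE.search(rec.get("image", "")):
            kills[host].append(rec)
    alerts = []
    for (host, image), load in first_load.items():
        killed = {basename(k["image"]) for k in kills[host]
                  if load["ts"] <= k["ts"] <= load["ts"] + WINDOW}
        alerts.append({
            "host": host,
            "driver": image,
            "severity": "high" if len(killed) >= KILL_THRESHOLD else "medium",
            "killed": sorted(killed),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, WS01 produces a high-severity alert listing the three agents killed within seconds of the TCLService install, WS02 produces a medium-severity alert for the load alone, and WS03 produces nothing because an agent exiting without a preceding driver load is normal. In production the same rule would read Sysmon and System-log events from a SIEM; the important design choice is that the driver is recognized by name and signer, so the 2,500 hash variants all trigger the same rule.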
Moving forward, cybersecurity researchers will likely focus on more robust detection of kernel-level driver abuse and on new ways to counter these evasion techniques. In the meantime, defenders are not without options: Microsoft’s vulnerable driver blocklist, enforced through HVCI or WDAC policy, can refuse known-bad drivers at load time, and monitoring driver loads by signer and file name rather than by hash catches variants that a hash-based blocklist misses. The continuous evolution of such attack vectors highlights the ongoing arms race between cybercriminals and defenders.

