Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign - Check Point Research

Check Point Research uncovered a large-scale campaign exploiting a vulnerable legacy driver, Truesight.sys, to deploy an EDR/AV killer module. The attackers generated over 2,500 variants of the driver to evade detection, leveraging a Windows policy loophole to load it on modern Windows systems. The campaign, primarily targeting China, involved initial-stage samples disguised as legitimate applications, ultimately delivering final-stage payloads like Gh0st RAT variants.