Outdated and Unblocked: Legacy Driver Vulnerability Exploited in Widespread Attack

Summary: A large-scale cyberattack campaign has been discovered that exploits a vulnerable driver, Truesight.sys version 2.0.2, to disable endpoint security and deploy Gh0st RATs for malicious purposes. Over 2,500 unique driver variants were created to evade detection, primarily affecting systems in China, Singapore, and Taiwan. Following these findings, Microsoft updated its Vulnerable Driver Blocklist to mitigate further exploitation of these vulnerabilities.

Affected: Check Point Research, Microsoft, and targeted organizations in Asia (China, Singapore, Taiwan)

Key points:

  • Attackers exploited the Truesight.sys driver to bypass Windows security policies, enabling sophisticated attacks.
  • Thousands of unique driver variants that still carried the original digital signature helped the campaign evade traditional detection mechanisms.
  • The campaign resulted in widespread deployment of Gh0st RAT, allowing attackers complete control for espionage and data theft.
  • Microsoft responded with an updated Vulnerable Driver Blocklist to prevent further exploitation.
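The second key point is the reason a whole-file hash blocklist does not hold up against a campaign like this: a defender needs to key on what the signature actually covers. The Python below is an added example, not code from the article or from Check Point Research. It constructs minimal PE32+ images in memory (placeholders, not the real Truesight.sys) and computes the Authenticode hash as laid out in Microsoft's Authenticode PE specification, which skips the optional-header CheckSum, the security data-directory entry and the certificate table itself. The example assumes the variants differ only in those excluded bytes, which is one known way to obtain many distinct file hashes from a single signed binary while the signature still validates; it shows that grouping by Authenticode hash (the hash form WDAC hash rules and the Microsoft Vulnerable Driver Blocklist use) collapses such variants back to one entry, while a real modification to section content is still caught.

```python
"""Group signed PE files by Authenticode hash instead of whole-file hash.

Added example, not from the article or Check Point Research. The PE images
are constructed in memory as stand-ins; no real driver is read or written.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode hash per the MS PE spec: headers minus CheckSum and the
    security directory entry, section raw data in file order, then any
    trailing data minus the certificate table (WIN_CERTIFICATE blob)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 directories
    checksum_off = opt + 64                          # CheckSum field (both formats)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sec_dir = dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)

    h = hashlib.new(algo)
    # 1. headers, skipping the 4-byte CheckSum and the 8-byte security directory entry
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_dir])
    h.update(data[sec_dir + 8:size_of_headers])
    # 2. section raw data, sorted by PointerToRawData
    sec_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        ent = sec_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, ent + 16)
        sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # 3. trailing data beyond the sections, with the certificate table cut out
    tail = data[hashed:]
    if cert_size:
        rel = cert_off - hashed
        tail = tail[:rel] + tail[rel + cert_size:]
    h.update(tail)
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    """Whole-file hash, the value a naive blocklist would key on."""
    return hashlib.sha256(data).hexdigest()


def same_signed_content(a: bytes, b: bytes) -> bool:
    """True when both images hash identically under Authenticode rules."""
    return authenticode_hash(a) == authenticode_hash(b)


def build_signed_pe(cert_blob: bytes, checksum: int = 0) -> bytes:
    """Construct a minimal PE32+ image with one section and an appended
    WIN_CERTIFICATE entry carrying cert_blob (a placeholder, not real PKCS#7)."""
    file_align = 512
    section_off = section_size = 512
    cert_off = section_off + section_size
    cert_len_padded = (8 + len(cert_blob) + 7) & ~7     # 8-byte aligned

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 20, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # Section/File alignment
    struct.pack_into("<I", opt, 56, 0x2000)              # SizeOfImage
    struct.pack_into("<I", opt, 60, section_off)         # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)            # CheckSum (not signed)
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, cert_len_padded)          # security directory
    sec = bytearray(40)
    sec[:8] = b".text\0\0\0"
    struct.pack_into("<IIII", sec, 8, section_size, 0x1000, section_size, section_off)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(section_off, b"\0")
    code = bytes([0xC3]) * section_size                  # constructed section body
    cert = struct.pack("<IHH", cert_len_padded, 0x0200, 0x0002) + cert_blob
    return headers + code + cert.ljust(cert_len_padded, b"\0")


SIGNATURE = b"CONSTRUCTED-PKCS7-PLACEHOLDER"
ORIGINAL = build_signed_pe(SIGNATURE)
# Variant A: extra bytes inside the certificate table, which the hash excludes.
VARIANT_CERT_PAD = build_signed_pe(SIGNATURE + b"\0" * 64 + b"variant-a")
# Variant B: only the optional-header CheckSum differs, also excluded.
VARIANT_CHECKSUM = build_signed_pe(SIGNATURE, checksum=0xDEADBEEF)
# Tampered: one byte of section content changed, which the signature does cover.
TAMPERED = bytearray(ORIGINAL)
TAMPERED[512] = 0x90
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    for name, img in [("original", ORIGINAL), ("cert-pad", VARIANT_CERT_PAD),
                      ("checksum", VARIANT_CHECKSUM), ("tampered", TAMPERED)]:
        print(f"{name:9} file={file_sha256(img)[:16]} authenticode={authenticode_hash(img)[:16]}")
```

Run as a script, the two variants print distinct whole-file hashes but the same Authenticode hash as the original, and only the tampered image gets a new Authenticode hash. In a detection pipeline this is the value to pivot on: a blocklist or hunting rule keyed on the Authenticode hash (or on the signer identity) matches every variant of one signed driver, whereas a whole-file hash has to be re-collected for each of the thousands of files.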

Source: https://securityonline.info/outdated-and-unblocked-legacy-driver-vulnerability-exploited-in-widespread-attack/