Signed Drivers Fueling Kernel Attacks: 620+ Malicious Drivers & 80+ Compromised Certs Target Windows
Malicious actors are increasingly leveraging digitally signed drivers to carry out stealthy attacks on the Windows kernel, circumventing standard security mechanisms and enhancing their ability to remain undetected. Despite the presence of safeguards such as PatchGuard, Driver Signature Enforcement (DSE), and Hypervisor-Protected Code Integrity (HVCI), threat campaigns exploit trusted processes and infrastructure to inject code with the highest system privileges—at the very core of the operating system.
An extensive analysis by Group-IB uncovered over 620 malicious drivers and more than 80 compromised certificates since 2020. The investigation revealed the emergence of a robust and sophisticated ecosystem wherein digital signatures and legitimate trust channels are co-opted to cloak malicious modules.
Operating within ring 0, the Windows kernel grants attackers unfettered control over critical components—memory, threads, and hardware interactions. This enables the disabling of antivirus solutions, evasion of threat detection systems, and the modification of OS behavior without leaving obvious traces.
One method of infiltration involves abusing the Windows Hardware Compatibility Program (WHCP) and Extended Validation (EV) certificates to sign drivers that are visually indistinguishable from legitimate ones. Through this subterfuge, malicious code easily penetrates kernel-level defenses. In 2022 alone, Group-IB identified more than 250 such drivers and 34 certificates linked to malicious activity. Metadata analysis indicates that many of these cases trace back to Chinese entities, though Russian-speaking actors are also active in this shadow market.
Complicating matters further are kernel loaders, which serve as the initial stage of attack. These loaders insert secondary drivers—signed or unsigned—into memory, amplifying stealth and adaptability. Well-known malware such as FiveSys and POORTRY have been employed by ransomware groups like Cuba and LockBit. These loaders facilitate the retrieval of malicious payloads from command-and-control servers or local storage, all while evading detection.
Particularly concerning is the underground trade in EV certificates and WHCP accounts, with prices ranging from $260 to as much as $15,000. Often acquired through fraudulent company registrations or stolen identities, these certificates fall into the hands of low-skilled attackers and are then used to install drivers that disable a victim’s security infrastructure.
The analysis also revealed that disparate campaigns frequently utilize the same signing infrastructure. For example, the RedDriver malware was seen both in browser hijacking schemes and in tools designed for persistent device control. Since 2020, there has been a notable shift toward WHCP-certified drivers over standard EV-signed ones, reflecting a deeper penetration into Microsoft’s trust chain by threat actors.
A critical weakness lies in the WHCP certification process itself, which requires only possessing an EV certificate, registering in the Microsoft Partner Center, and passing driver stability tests. Although certification authorities are nominally required to verify the legal existence of companies, in practice this often amounts to little more than a phone call—leaving exploitable gaps for well-prepared adversaries.
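As an added defender-side example (not code from the Group-IB analysis), the PowerShell below inventories the running kernel drivers on a host and records each one's Authenticode status and signer, so that third-party drivers carrying a Microsoft hardware-compatibility signature, unsigned or tampered drivers, and certificates shared across several drivers can be pulled out for review. It assumes an elevated Windows PowerShell 5.1 or later session, and it reads only the primary signature that Get-AuthenticodeSignature returns, so a dual-signed driver may show its vendor certificate rather than the WHCP one.

```powershell
# Added example, not from the original report. Run elevated on the host being checked.
function Get-DriverSignatureInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver reports NT-style or relative paths; normalise to a filesystem path
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $cert   = $sig.SignerCertificate
            $signer = if ($cert) { $cert.Subject } else { '(none)' }

            [pscustomobject]@{
                Driver      = $_.Name
                Path        = $path
                Status      = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer      = $signer
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
                # Drivers that passed WHCP carry a signature from Microsoft's hardware compatibility publisher
                WhcpSigned  = $signer -like '*Windows Hardware Compatibility Publisher*'
                # Microsoft's own inbox drivers; everything else is third-party and worth a closer look
                IsMicrosoft = ($signer -like 'CN=Microsoft Windows*') -or ($signer -like 'CN=Microsoft Corporation*')
            }
        }
}

# Third-party drivers first, grouped by status: a Valid or WHCP-signed entry is not proof of
# legitimacy (that is the point of the campaigns above), it is the list to cross-check.
Get-DriverSignatureInventory |
    Where-Object { -not $_.IsMicrosoft } |
    Sort-Object Status, Signer |
    Format-Table Driver, Status, WhcpSigned, Signer -AutoSize

# One certificate signing several unrelated third-party drivers mirrors the shared
# signing infrastructure seen across campaigns and deserves a look in its own right.
Get-DriverSignatureInventory |
    Where-Object { -not $_.IsMicrosoft -and $_.Thumbprint } |
    Group-Object Thumbprint |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Count, Name, @{ n = 'Drivers'; e = { ($_.Group.Driver -join ', ') } }
```

Export the inventory from a known-good build of the same image and diff against it, since a freshly loaded third-party driver with a valid signature is exactly what this class of attack produces.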
The situation demands a thorough reassessment of current practices. Tighter issuance protocols, including in-person verifications, and enhanced collaboration between certificate authorities, OS vendors, and the cybersecurity community are essential. Only through such concerted efforts can the abuse of trusted channels for kernel-level malware infiltration be curtailed.