Threat Research & Intelligence

What is LOLDrivers? The Project That Brought Malicious Drivers Into the Light

LOLDrivers is the open project tracking vulnerable and malicious Windows drivers abused by ransomware and APT groups. Learn how driver-based attacks work and how defenders stop them.

February 19, 2026 · 8 min read

Kernel-mode drivers operate at the deepest level of your Windows system, with privileges that surpass even administrator accounts. They're essential for hardware functionality and system operations. They're also the perfect weapon for attackers who want undetectable, persistent control over a compromised machine.

That's where LOLDrivers comes in.

Origins: Building the Driver Intelligence Arsenal

LOLDrivers started with a simple sneak peek in March 2023. As I posted on X:

"With lots of help from @_josehelps and @mattnotmax, I present a sneak peek of the LOLDrivers Project - Ability to search, access resources, hashes, CSV and json downloads as well. Coming soon. We're that much closer to a one stop driver shop."

The project emerged from years of incident response work where the same malicious and vulnerable drivers kept appearing across different attacks. Ransomware operators, APT groups, and commodity malware all leveraged kernel drivers to disable security software, hide processes, and maintain persistence. But there was no centralized resource tracking these drivers, their hashes, their certificates, and the techniques they enabled.

LOLDrivers changed that.

By April 5, 2023, we officially launched the project with a clear mission: "Introducing the Living Off The Land Drivers (LOLDrivers) project, a crucial resource that consolidates vulnerable and malicious drivers in one place to streamline research and analysis."

The timing wasn't coincidental. The cybersecurity community desperately needed this intelligence. Rootkits and bootkits were becoming more sophisticated, attackers were increasingly abusing signed drivers to bypass security controls, and defenders had no systematic way to identify which drivers represented real threats versus legitimate system components.

From Research to Real-World Defense

The LOLDrivers project gained serious momentum at SANS Summit in September 2023, where I presented "Breaching the Depths of the Abyss: Exposing Rootkits and Bootkits." The talk dove into how these advanced malware types embed themselves deep within system foundations, making detection as challenging as locating a submerged enemy submarine.

The presentation explored the key differences between bootkits (which compromise the boot process) and rootkits (which exploit kernel-level access), and how both navigate the abyssal zone of system internals to stay hidden from security controls. Most importantly, it demonstrated how the LOLDrivers project functions like an advanced sonar system, giving defenders the ability to identify and neutralize threats that were previously invisible.

The response from the security community validated what we already knew: defenders, researchers, and incident responders were all dealing with the same driver-based attacks but had no shared intelligence framework to fight back effectively.

How Attackers Abuse Drivers

Driver abuse has become one of the most powerful techniques in modern cyber attacks. Recent threat intelligence shows exactly why:

Ransomware groups rely on vulnerable drivers to disable EDR. Groups like BlackCat, LockBit, and Cuba ransomware have all deployed kernel drivers specifically to terminate security processes before deploying their payloads. The drivers operate with SYSTEM-level privileges that allow them to kill processes that even administrators can't touch.

APT groups use signed drivers for long-term persistence. State-sponsored threat actors leverage legitimately signed drivers—sometimes stolen certificates, sometimes drivers with known vulnerabilities—to maintain persistent access that survives system reboots and security software updates. The kernel-level access means they can hide from virtually every detection mechanism.

Commodity malware abuses drivers for privilege escalation. Even unsophisticated attackers now deploy vulnerable drivers to escalate from user-level access to kernel-level control. Once they have kernel access, they can disable security software, hide malicious processes, and steal credentials that would otherwise be protected.

Research from security vendors shows specific drivers appearing repeatedly across different attack campaigns. Drivers like GMER, Process Hacker, and various older hardware drivers with known vulnerabilities show up in breach after breach because they're signed, they're trusted by Windows, and they give attackers exactly what they need: unrestricted system access.

The pattern is consistent across threat actors: deploy a vulnerable but signed driver, exploit its weaknesses to gain kernel access, use that access to disable security controls, then proceed with the actual attack objective, whether that's ransomware deployment, data exfiltration, or long-term espionage.

The LOLDrivers project documents hundreds of these drivers, tracking not just the files themselves but their certificates, their known vulnerabilities, and the specific threat actors who've weaponized them in real attacks.

How LOLDrivers Helps Defenders and Researchers

LOLDrivers.io provides a searchable database of vulnerable and malicious drivers with comprehensive intelligence for each entry:

File hashes and signatures let you identify known-bad drivers in your environment. Whether you're hunting through forensic artifacts or monitoring endpoint telemetry, you can quickly determine if a driver hash matches a known threat.

Certificate information reveals which code-signing certificates have been compromised or abused. When attackers steal legitimate certificates or leverage vulnerable signed drivers, LOLDrivers documents the certificate chains so defenders can block entire families of related threats.

CVE mappings connect drivers to their specific vulnerabilities. If a driver has a known security flaw that attackers exploit for privilege escalation or security bypass, LOLDrivers provides the CVE details and exploitation context.

Threat intelligence references link drivers to real-world attacks. When a specific driver appears in a ransomware campaign or APT operation, LOLDrivers documents those incidents so you understand the actual threat context, not just theoretical risk.

Detection artifacts give you the technical indicators needed for hunting. Beyond just file hashes, LOLDrivers provides registry keys, file paths, and behavioral indicators that help incident responders find evidence of driver abuse during investigations.

For security researchers, LOLDrivers serves as a centralized intelligence hub for understanding the driver threat landscape. Instead of manually tracking drivers across scattered blog posts, vendor reports, and incident writeups, researchers can access structured data with CSV and JSON exports that integrate into their own analysis workflows.

For defenders, LOLDrivers transforms abstract threat intelligence into actionable security policies. When you know which drivers attackers abuse, you can proactively block them before they're weaponized in your environment.
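As an added example (not code from the LOLDrivers project or from this page), here is a small Python scan that loads a LOLDrivers-style JSON export, indexes it by SHA256, and checks driver-load telemetry against it, returning the CVE and publisher context for each match. The export's field names, the Sysmon-style log lines and every hash and CVE value are constructed assumptions, not the project's published schema or real indicators.

```python
import json
import re

# Constructed sample in the shape of a LOLDrivers-style JSON export. Field names
# are an assumption for this example, not the project's published schema; the
# hash and CVE values are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"Id": "example-0001", "Category": "vulnerable driver", "CVE": ["CVE-0000-00001"],
     "KnownVulnerableSamples": [
         {"Filename": "example_vuln.sys", "SHA256": "a" * 64,
          "Publisher": "Example Hardware Inc."}]},
    {"Id": "example-0002", "Category": "malicious driver", "CVE": [],
     "KnownVulnerableSamples": [
         {"Filename": "example_rootkit.sys", "SHA256": "b" * 64,
          "Publisher": "Stolen Cert Ltd."}]},
])

# Constructed driver-load telemetry in the style of Sysmon Event ID 6; only the
# ImageLoaded and Hashes fields are parsed. The third line carries no SHA256.
DRIVER_LOGS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys Hashes=SHA256=" + "c" * 64,
    "EventID=6 ImageLoaded=C:\\Temp\\renamed.sys Hashes=SHA256=" + "A" * 64,
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\x.sys Hashes=MD5=" + "d" * 32,
]

HASH_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")
PATH_RE = re.compile(r"ImageLoaded=(\S+)")


def build_index(export_json):
    """Map lower-case SHA256 -> context (id, category, CVEs, publisher)."""
    index = {}
    for entry in json.loads(export_json):
        for sample in entry.get("KnownVulnerableSamples", []):
            sha = sample.get("SHA256", "").lower()
            if sha:
                index[sha] = {"id": entry["Id"], "category": entry["Category"],
                              "cve": entry.get("CVE", []),
                              "publisher": sample.get("Publisher", "")}
    return index


def scan_driver_loads(log_lines, index):
    """Return (image path, context) for each load whose SHA256 is in the index."""
    hits = []
    for line in log_lines:
        m = HASH_RE.search(line)
        if m and m.group(1).lower() in index:
            hits.append((PATH_RE.search(line).group(1), index[m.group(1).lower()]))
    return hits
```

A hash match still catches a renamed copy (renamed.sys above) but not a recompiled or patched variant, which is the gap the certificate and publisher data is there to close.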

How MagicSword Stops Driver Abuse

Intelligence about malicious drivers only matters if you can actually stop them from loading on your systems. That's where MagicSword's driver blocking capabilities come in.

MagicSword Application Control includes powerful driver signing policies that control which kernel-mode drivers can load on your endpoints. MagicSword integrates LOLDrivers intelligence directly into policies, giving you kernel-level enforcement against driver-based attacks.

Here's what that looks like in practice:

Our platform continuously updates Application Control policies with LOLDrivers intelligence, file hashes, certificate information, and publisher details for hundreds of vulnerable and malicious drivers. When an attacker tries to load a known-bad driver like GMER or Process Hacker, MagicSword blocks it at the kernel level before it ever executes. No behavioral analysis required, no machine learning uncertainty, just policy-based enforcement that says "this driver is not allowed on this system."

The threat intelligence layer provides immediate context. When MagicSword blocks a driver, you don't just get a generic "driver blocked" alert. You get attribution showing which threat actors use that driver, which CVEs it exploits, which ransomware groups deploy it, and executive-friendly visualizations that communicate the actual risk prevented.

The difference is prevention at the deepest system level. EDR tools operate in user mode and can be disabled by kernel-mode malware. Antivirus relies on signatures that attackers easily bypass with slightly modified drivers. MagicSword enforces at the kernel itself - before malicious drivers ever gain the privileges they need to compromise your system.

For organizations dealing with sophisticated threats, this becomes critical. When a ransomware group deploys a vulnerable driver to kill your security software, Application Control stops the driver from loading in the first place. The attack chain breaks before it starts.

For MSPs managing diverse client environments, driver blocking scales across your entire customer base. MagicSword's policies automatically incorporate new LOLDrivers intelligence as threats emerge, ensuring that clients stay protected against the latest driver-based attacks without manual policy updates.

The Bottom Line

LOLDrivers started as a research project and became essential defensive infrastructure because it addresses a fundamental problem: kernel-mode drivers give attackers God-mode access, and most organizations have no visibility into which drivers should actually be running in their environments.

The community-driven approach means the catalog stays current with new vulnerable drivers, new attacker techniques, and new threat actor campaigns. When a researcher discovers a new driver being abused, when a ransomware group deploys a previously unknown driver, when a vendor's driver has a critical vulnerability - LOLDrivers captures it.

But intelligence alone doesn't stop kernel-mode attacks. You need enforcement at the kernel level that turns threat knowledge into defensive action before malicious drivers ever execute.

MagicSword bridges that gap, turning LOLDrivers intelligence into Application Control policies that stop attackers from achieving the kernel-level access that makes modern threats so devastating. Because in 2026, defending against driver abuse isn't optional anymore. It's the foundation of preventing the most sophisticated attacks that traditional security tools simply can't stop.

Last updated: February 2026


Written by Michael Haag, Threat Researcher

In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.

© 2026 MagicSword. All rights reserved.