TrueSightKiller: 2,500+ Weaponized Security Tool Variants Bypassing Microsoft's Defenses

Threat actors are weaponizing a legitimate Windows security driver to terminate EDR and antivirus protections before deploying malware. Over 2,500 validly signed TrueSight driver variants are actively bypassing Microsoft defenses.

January 21, 2026 | 8 min read

The Problem

A massive campaign is exploiting a legitimate security tool to kill your defenses. Over 2,500 validly signed variants of the truesight.sys driver, a component of Adlice Software's RogueKiller antivirus suite, are being weaponized by threat actors to terminate endpoint protection before deploying ransomware and remote access trojans.

The irony is devastating: a driver designed to protect systems from malware is now the primary weapon used to kill security software.

Check Point Research uncovered this campaign in January 2025, documenting how attackers exploit a Windows driver signing policy loophole that allows pre-2015 signed drivers to load on modern Windows 11 systems.

Key Facts:

  • 2,500+ unique variants with valid digital signatures
  • Certificate manipulation bypassing Microsoft's Vulnerable Driver Blocklist
  • Active since June 2024 with new samples appearing weekly
  • Multiple threat actors including Silver Fox, ransomware groups, and APTs
  • 97% AV evasion rate - only 2 of 73 engines detecting

MagicSword is actively monitoring this threat and providing real-time intelligence to help defenders block these attacks.

How the Attack Works

The Weaponized Security Tool

TrueSight.sys is a legitimate kernel-mode driver from Adlice Software's RogueKiller antivirus, a tool security professionals use worldwide. But the legacy version 2.0.2 contains a critical vulnerability: arbitrary process termination.

Attackers discovered they could send a specific IOCTL command (0x22E044) to terminate any process on the system, including protected security software that normally can't be killed from user-mode.

Even worse, as Check Point documented, attackers can manipulate the driver's PE structure while maintaining its valid digital signature, creating thousands of unique variants that evade hash-based detection.

The Attack Chain

Initial Compromise:

  • Phishing emails with malicious attachments
  • Fake websites offering legitimate software
  • Compromised Telegram channels
  • Watering hole attacks

Multi-Stage Deployment:

  1. Stage 1: Downloader masquerading as legitimate installer
  2. Stage 2: Establishes persistence via scheduled tasks, uses DLL side-loading
  3. Stage 3: Deploys EDR killer module + final payload (Gh0st RAT)

The EDR Killer Module:

Check Point researchers found a sophisticated module (protected by VMProtect) that targets 192 security product processes, including:

  • CrowdStrike Falcon
  • SentinelOne
  • Sophos Endpoint
  • Trend Micro
  • Kaspersky, ESET, Symantec, McAfee
  • ...and 184 others

The module's actions:

  1. Downloads TrueSight driver if not present
  2. Installs driver as service named TCLService
  3. Sends IOCTL to terminate all targeted security processes
  4. Deletes security software from disk
  5. Deploys final payload with zero defensive visibility

Time from initial compromise to full control: As little as 30 minutes.

The Technical Trick: Why Traditional Defenses Fail

Certificate Manipulation

Attackers aren't using unsigned malware or stolen certificates; they're manipulating a validly signed driver in ways that bypass all traditional defenses.

Check Point's analysis revealed attackers modify just 8 bytes of the driver:

  • 4 bytes: CheckSum field (not validated during certificate checking)
  • 4 bytes: Certificate padding (outside cryptographically signed data)

This creates 2^64 possible unique file hashes while maintaining the driver's valid digital signature.
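Why the 8-byte trick works, as an added example (not Check Point's or MagicSword's code): a constructed minimal PE32 with a dummy certificate table, hashed the way Authenticode defines it. The real algorithm also hashes section data sorted by PointerToRawData; this constructed image has no sections, so that step collapses, and the PKCS#7 content is a placeholder rather than a real signature.

```python
"""Why 2^64 TrueSight variants can share one valid signature. Added example, not
Check Point's or MagicSword's code: builds a constructed, minimal PE32 with a
dummy certificate table and computes the Authenticode digest as the PE spec
defines it, excluding CheckSum, the Certificate Table entry and the cert blob."""
import hashlib
import struct

PE_OFFSET = 0x40                    # e_lfanew: PE header right after the DOS header
OPT_OFFSET = PE_OFFSET + 4 + 20     # "PE\0\0" + 20-byte COFF file header
CHECKSUM_OFF = OPT_OFFSET + 64      # IMAGE_OPTIONAL_HEADER32.CheckSum
CERT_DIR_OFF = OPT_OFFSET + 128     # DataDirectory[4] = Certificate Table (PE32)
HEADERS_END = OPT_OFFSET + 224      # 96-byte optional header + 16 x 8-byte directories


def build_pe(checksum: int, cert_padding: bytes) -> bytes:
    """Constructed PE32 with no sections and an appended WIN_CERTIFICATE."""
    pkcs7 = b"\x30\x82" + b"\x00" * 30            # stand-in for the signed PKCS#7 data
    cert = pkcs7 + cert_padding                   # padding after the signed data
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", PE_OFFSET)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x010B)                        # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum field
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 128, HEADERS_END, len(win_cert))  # cert table offset, size
    return dos + coff + bytes(opt) + win_cert


def authenticode_sha256(pe: bytes) -> str:
    """Digest over exactly the bytes the Authenticode signature covers."""
    cert_off, cert_len = struct.unpack_from("<II", pe, CERT_DIR_OFF)
    h = hashlib.sha256()
    h.update(pe[:CHECKSUM_OFF])                   # headers up to CheckSum
    h.update(pe[CHECKSUM_OFF + 4:CERT_DIR_OFF])   # skip CheckSum, up to the cert dir entry
    h.update(pe[CERT_DIR_OFF + 8:cert_off])       # skip the entry; no sections in this image
    h.update(pe[cert_off + cert_len:])            # skip the blob; hash anything after it
    return h.hexdigest()


def compare_variants() -> dict:
    """Two 'variants' that differ only in CheckSum and certificate padding."""
    a = build_pe(0x00011111, b"\x00\x00\x00\x00")
    b = build_pe(0x7EADBEEF, b"\xde\xad\xbe\xef")
    return {
        "file_hash_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "authenticode_equal": authenticode_sha256(a) == authenticode_sha256(b),
    }
```

The same property is what makes a file-hash feed churn while the signature (and the certificate's TBS hash) stays constant across every variant.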

Microsoft's Blocklist Gap

Microsoft's Vulnerable Driver Blocklist uses TBS (To Be Signed) hash values to block malicious certificates. The TrueSight certificate's TBS hash (1D7E838ACCD498C2E5BA9373AF819EC097BB955C) IS in Microsoft's blocklist, but it's associated with different vulnerable drivers (Kaspersky, Zemana).

The blocklist entry doesn't specifically name truesight.sys, so version 2.0.2 slips through. Microsoft didn't close this gap until December 17, 2024, six months after the campaign began.

Real-World Impact

Who's Using This?

Check Point's analysis attributes the primary campaign to Silver Fox, a financially motivated threat actor based in China. However, the technique has proliferated:

  • Silver Fox - Primary operator (June 2024 - present)
  • Ransomware groups - RansomHub, Qilin, INC, BlackCat
  • APT groups - Nation-state actors
  • Commodity malware - Now available in underground forums

Geographic Distribution:

  • 75% - Mainland China
  • 15% - Singapore, Taiwan, Hong Kong
  • 10% - Other Asia-Pacific regions

Infrastructure: Alibaba Cloud China regions (oss-cn-hangzhou and others)

The Final Payload

Check Point identified the final payload as HiddenGh0st, a Gh0st RAT variant that provides:

  • Complete remote system control
  • Keylogging and screen capture
  • Data exfiltration
  • Webcam/microphone surveillance
  • Dynamic C2 communication

The combination of EDR killing + full remote access = complete compromise.

Why Traditional Defenses Are Failing

Hash-Based Detection is Obsolete

The math:

  • 8 bytes modified = 2^64 possible variants
  • Only 2,500 detected so far
  • Attackers generate new variants on-demand
  • Each variant has a valid digital signature

By the time your threat feed includes one hash, attackers have moved to hundreds of new variants.

EDR Bypass is Built-In

Hunter Strategy notes that while major EDR solutions have tamper protection, TrueSight can still disable security processes because:

  1. The driver loads before EDR kernel modules can block it
  2. Kernel-level termination bypasses user-mode tamper protection
  3. Valid signature makes it appear legitimate to security software
  4. Multiple variants ensure if one is blocked, others succeed

Signature-Based AV is Blind

VirusTotal detection rates:

  • Primary variant: 2/73 engines (2.7%)
  • Renamed variants: 5/73 engines (6.8%)
  • Modified variants: Often 0/73 engines (0%)

Traditional antivirus is essentially useless against this threat.

Why Generic Threat Feeds Aren't Enough

Generic feeds give you hashes and IP addresses that are obsolete by the time you receive them. TrueSightKiller's polymorphic nature means new hashes are generated constantly.

MagicSword's approach:

  • Certificate-based indicators that are durable across variants
  • Driver evolution tracking to predict new evasion techniques
  • Threat group tooling to understand which threats target your industry
  • Actionable context, not just raw IOCs

Key Indicators of Compromise

Filenames to Monitor

  • truesight.sys (original name)
  • 189atohci.sys (renamed variant - ~300 samples)
  • TrueSightKiller*.exe (loader variants)
  • S.dll (EDR killer module)

Certificate Information

Publisher: Adlice Software
Issuer: Sectigo Public Code Signing CA EV R36
TBS Hash: 1D7E838ACCD498C2E5BA9373AF819EC097BB955C
Status: Valid (but weaponized)
Signed Date: Prior to July 29, 2015

Behavioral Indicators

  • Sequential termination of 10+ security processes within 60 seconds
  • Service creation: TCLService
  • Scheduled tasks: MicrosoftEdgeUpdateTaskUA Task-S-1-5-18 [random]
  • Driver loads from C:\Windows\System32\drivers\189atohci.sys
  • Connections to *.oss-cn-*.aliyuncs.com domains
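Turning the behavioral indicators above into a detection, as an added example (not MagicSword's or Check Point's logic): a sliding-window rule over a constructed Sysmon-style event stream. The event field names and the EDR/AV process names are assumptions; only TCLService and the two driver filenames come from the page.

```python
"""Behavioural detection for the indicators above (added example; not
MagicSword's or Check Point's logic). Events are a constructed Sysmon-style
stream; field names and process names are assumptions, not page content."""
from collections import deque
from datetime import datetime, timedelta

# Illustrative EDR/AV process names; populate from your own agent inventory.
SECURITY_PROCESSES = {"csfalconservice.exe", "sentinelagent.exe", "sophoshealth.exe",
                      "ntrtscan.exe", "avp.exe", "ekrn.exe", "ccsvchst.exe",
                      "mcshield.exe", "msmpeng.exe", "mssense.exe"}
SUSPICIOUS_DRIVERS = {"truesight.sys", "189atohci.sys"}     # filenames from the page


def detect(events, threshold=10, window=timedelta(seconds=60)):
    """Return alert strings for TrueSightKiller-like behaviour in an event list."""
    alerts = []
    kills = deque()                      # timestamps of security-process kills
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if ev["event"] == "ProcessTerminate" and image in SECURITY_PROCESSES:
            kills.append(ts)
            while ts - kills[0] > window:    # drop kills older than the window
                kills.popleft()
            if len(kills) >= threshold:
                alerts.append(f"mass_security_termination:{len(kills)}_in_{window.seconds}s")
                kills.clear()                # one alert per burst
        elif ev["event"] == "ServiceCreate" and ev.get("name", "").lower() == "tclservice":
            alerts.append("suspicious_service:TCLService")
        elif ev["event"] == "DriverLoad" and image in SUSPICIOUS_DRIVERS:
            alerts.append(f"byovd_driver_load:{image}")
    return alerts


# Constructed sample: driver load and service creation, then ten kills in 27 s.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T09:59:50", "event": "ServiceCreate", "name": "TCLService"},
    {"ts": "2025-01-15T09:59:55", "event": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\189atohci.sys"},
    {"ts": "2025-01-15T10:00:10", "event": "ProcessTerminate",
     "image": r"C:\Windows\notepad.exe"},              # benign, must not count
] + [
    {"ts": f"2025-01-15T10:00:{i * 3:02d}", "event": "ProcessTerminate",
     "image": rf"C:\Program Files\{name}"}
    for i, name in enumerate(sorted(SECURITY_PROCESSES))
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The kill burst fires on count within a time window rather than on any one process name, so a renamed driver or an unknown variant still trips it as long as the outcome (many security processes dying at once) is the same.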

Immediate Actions for Defenders

Critical Steps (Next 24 Hours)

  1. Deploy Microsoft's December 17, 2024 Vulnerable Driver Blocklist Update
    • This is NOT automatic; it requires manual deployment
    • Blocks all TrueSight 2.0.2 variants
    • Deploy via Group Policy to all Windows systems
  2. Hunt Your Environment
    • Search for truesight.sys and 189atohci.sys in System32\drivers\
    • Check for TCLService in services registry
    • Review driver loading events in Sysmon logs
  3. Enable Certificate-Based Blocking
    • Block TBS hash: 1D7E838ACCD498C2E5BA9373AF819EC097BB955C for truesight.sys
    • Use publisher + filename rules, not just hashes
    • Test in audit mode before enforcing
  4. Subscribe to MagicSword's EDR Killer Feed
    • Get real-time intelligence on driver-based threats
    • Receive updated WDAC policies as new threats emerge
    • Access analyst-verified IOCs with attribution context

Strategic Defenses

For Security Leaders:

  • Implement Windows Defender Application Control (WDAC)
  • Enable Hypervisor-Protected Code Integrity (HVCI)
  • Assume EDR compromise is possible, implement defense-in-depth
  • Budget for specialized threat intelligence beyond generic feeds

For Security Teams:

  • Monitor for mass security process termination patterns
  • Alert on IOCTL 0x22E044 abuse
  • Track scheduled tasks with Edge update naming patterns
  • Hunt for drivers signed before July 29, 2015

The Bigger Picture

TrueSightKiller highlights a disturbing trend: the weaponization of legitimate security tools.

The Security Paradox:

  • Security tools need kernel access to detect rootkits
  • Kernel access is exactly what attackers need to disable defenses
  • Valid signatures are required for driver loading
  • Valid signatures can be manipulated without invalidating them

Industry Implications:

For Security Vendors:

  • Better certificate hygiene required
  • Runtime integrity checks beyond signature validation
  • Assume your driver will be weaponized, design accordingly

For Microsoft:

  • TBS blocklist needs driver-specific mappings
  • Windows policy exception for pre-2015 drivers is a systemic vulnerability
  • Automatic blocklist updates should be default

For Defenders:

  • Hash-based blocking is insufficient
  • Certificate + behavior-based detection is critical
  • Assume legitimate tools will be weaponized
  • Defense-in-depth is mandatory

The Bottom Line

TrueSightKiller demonstrates that even legitimate, properly signed security tools can become weapons. With 2,500+ variants actively bypassing defenses and new samples appearing weekly, this threat isn't going away.

Key Takeaways:

  1. Valid signatures ≠ Safe - Certificate manipulation allows thousands of variants
  2. Hash-blocking is obsolete - Polymorphic variants defeat signature-based detection
  3. Microsoft's blocklist has gaps - TBS hash bypass shows systemic issues
  4. EDR can be killed - Kernel-level attacks bypass user-mode protections
  5. Certificate-based blocking is essential - Only way to stop polymorphic threats

The challenge: New driver exploits will continue to emerge. TrueSightKiller won't be the last. Attackers have learned that weaponizing legitimate tools is effective.

The solution: Proactive threat intelligence that tracks driver-based threats before they become widespread.

That's where MagicSword comes in.

Protect Your Organization

MagicSword's EDR Killer Feed provides:

  • Certificate-based blocking for all driver variants
  • Real-time monitoring of emerging driver threats
  • Integration-ready Application Control policies

We don't just tell you what happened. We tell you what's happening now and what's coming next.

Last Updated: October 9, 2025

Threat Level: Critical

Campaign Status: Active

MagicSword Monitoring: Ongoing

MITRE ATT&CK: T1562.001 (Impair Defenses), T1068 (Privilege Escalation), T1543.003 (Windows Service), T1014 (Rootkit), T1574.002 (DLL Side-Loading)

Written by Michael Haag, Threat Researcher

In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.

© 2026 MagicSword. All rights reserved.