Cybersecurity researchers have unearthed a novel rootkit signed by Microsoft that’s engineered to communicate with an actor-controlled attack infrastructure.

Trend Micro has attributed the activity cluster to the same actor that was previously identified as behind the FiveSys rootkit, which came to light in October 2021.

“This malicious actor originates from China and their main victims are the gaming sector in China,” Trend Micro’s Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy said. “Their malware seems to have passed through the Windows Hardware Quality Labs (WHQL) process for getting a valid signature.”

Multiple variants of the rootkit spanning eight different clusters have been discovered, with 75 such drivers signed using Microsoft’s WHQL program in 2022 and 2023.

Trend Micro’s analysis of some of the samples has revealed the presence of debug messages in the source code, indicating that the operation is still in the development and testing phase.

images from Hacker News