{
	"id": "de1cb36b-6ccb-4dc5-9531-d03294470658",
	"created_at": "2026-04-06T00:08:37.694796Z",
	"updated_at": "2026-04-10T13:11:45.101605Z",
	"deleted_at": null,
	"sha1_hash": "53a93e67a21359c88e2be6d2db8d7e8a9525f4fa",
	"title": "Investigating and Mitigating Malicious Drivers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46121,
	"plain_text": "Investigating and Mitigating Malicious Drivers\r\nBy simon-pope\r\nPublished: 2021-06-25 · Archived: 2026-04-05 18:19:06 UTC\r\nThe security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access\r\nto environments across a wide range of vectors. As the industry moves closer to the adoption of a Zero Trust\r\nsecurity posture with broad and layered defenses, we remain committed to sharing threat intelligence with the\r\ncommunity to shine a light on the latest techniques and exploits of attackers so the industry can better protect\r\nitself.\r\nMicrosoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor\r\nsubmitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built\r\nby a third party. We have suspended the account and reviewed their submissions for additional signs of malware.\r\nNo Evidence of Certificate Exposure\r\nWe have seen no evidence that the WHCP signing certificate was exposed. The infrastructure was not\r\ncompromised. In alignment with our Zero Trust and layered defenses security posture, we have built-in detection\r\nand blocking of this driver and associated files through Microsoft Defender for Endpoint. We are also sharing\r\nthese detections with other AV security vendors so they can proactively deploy detections.\r\nThe actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise\r\nenvironments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to\r\nspoof their geo-location to cheat the system and play from anywhere. 
The malware enables them to gain an\r\nadvantage in games and possibly exploit other players by compromising their accounts through common tools like\r\nkeyloggers.\r\nIt’s important to understand that the techniques used in this attack occur post exploitation, meaning an attacker\r\nmust either have already gained administrative privileges in order to be able to run the installer to update the\r\nregistry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.\r\nWe will be sharing an update on how we are refining our partner access policies, validation and the signing\r\nprocess to further enhance our protections. There are no actions customers should take other than follow security\r\nbest practices and deploy Antivirus software such as Windows Defender for Endpoint.\r\nJust like our defenders, our adversaries are creative and determined. Because of this, Microsoft approaches\r\nsecurity with an assume breach mentality and layered defenses. We work tirelessly alongside our industry partners\r\nto ensure the community as a whole is aware of new attack tools, tactics and procedures that we have observed or\r\nthat have been reported through responsible disclosure. By sharing the information we’ve learned with this report,\r\nwe are raising awareness of these techniques so that more protections can be built in across the industry and to\r\nincrease the degree of difficulty for attackers.\r\nhttps://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/\r\nPage 1 of 4\n\nAdditional Information on the Windows Hardware Compatibility Program\r\nMicrosoft Defender and Windows Security teams work diligently with driver publishers to detect security\r\nvulnerabilities before they can be exploited by malicious software. 
Microsoft Defender for Endpoint’s UEFI\r\nscanner is able to scan below the operating system where these attacks occur to add further detection and\r\nprotection from these kinds of low-level attacks. We also build automated mechanisms through Windows Update\r\nto block vulnerable versions of drivers and protect customers against vulnerability exploits based on ecosystem\r\nand partner engagement as this is an issue that challenges the industry at large.\r\nOur security teams continue to work closely with the OEM and driver publishers to analyze and patch any known\r\nvulnerabilities and to update affected devices prior to shipment. Once the driver publisher patches the\r\nvulnerability, an update to all affected drivers is pushed out via the Windows Update (WU) platform. Once\r\naffected devices receive the latest security patches, drivers with confirmed security vulnerabilities are blocked on\r\nWindows 10 devices using Microsoft Defender for Endpoint Attack Surface Reduction (ASR) and Microsoft\r\nWindows Defender Application Control (WDAC) technologies to protect devices against exploits. 
More\r\ninformation is available via our Microsoft recommended driver block rules document.\r\nIndicators of compromise\r\nIn addition to creating antimalware signatures for Microsoft Defender antivirus and sharing key detection guidance\r\nwith our AV partners, we are also sharing these hashes and IP addresses for other defenders to leverage.\r\nKnown C2 IP addresses\r\n110.42.4[.]180\r\n45.113.202[.]180\r\nKnown malicious files\r\nThis is the list of SHA256 file hashes known to Microsoft as malicious:\r\n04a269dd0a03e32e5b2a1c8ab0768791962e040d080d44dc44dab01dd7954f2b\r\n0856a1da15b2b3e8999bf9fc51bbdedd4051e21fab1302e2ce766180b4931d86\r\n0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5\r\n0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec\r\n115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406\r\n12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df\r\n12c0002af719c6abbc1e726b409fce099fffb90f758477f5295c152bde504caa\r\n16b6be03495a4f4cf394194566bb02061fba2256cc04dcbde5aa6a17e41b7650\r\n18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1\r\n1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43\r\n1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af\r\n1d1f7e26109e6cb28c6b369c937b407d7b0cce3c4800ce9852eda94742b12259\r\n1d60819f0ab8547dcd4eb18d39a0c317ec826332afa19c0a6af94bc681a21f14\r\n1f05f74ebae7e65d389703d423445ffb269e657d8278b0523417e1f72b0228eb\r\n1f90d9c4d259c1fde4c7bb66a95d71ea0122e4dfb75883a6cb17b5c80ce6d18a\r\n22da5a055b7b17c69def9f5af54e257c751507e7b6b9a835fcf6245ab90ae750\r\n22f6fe6bd62fb03f7aee489cccbc918999f49596052ac0153c02cd7a3320de13\r\n23c061933d471c1f959c77806098ec0528d9b1d0130689bb3f417dd843138468\r\n24ea733bae1b8722841fb4c6cead93c4c4f0b1248ca9a21601b1ce6b95b06864\r\n26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe\r\n26f2b9cf6e0fb50bad49a367bee63e808f1d53c476b38642d13c7db6e50687f4\r\n2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3\r\n314affdc86f62c8f8069ccd50a2cdf73bcd319773a031be700ba97a1ea4129a8\r\n34c890fa43ca0e5165a4960549828ba43d7f48a216a22fc46204548ebfc34f72\r\n3700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c3\r\n40c45c9b1c764777096b59f99ae524cbd25b88c805187e615c3ed6840f3d4c15\r\n45ee083e28fbb33afa41b1b8cd00d94c29dea8cb7cee70bae4079e6c3dfb5501\r\n4ce61ad21f186cf10dbcc253feee31262203cb5c12c5a140d2dda5447c57aba1\r\n516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13\r\n5cb1dc26159c6700d6cadece63f6defda642ec1a6d324daefb0965b4e3746f70\r\n5d0d5373c5e52c4405f4bd963413e6ef3490b7c4c919ec2d4e3fb92e91f397a0\r\n62d7c5465852cdb7b59a86c20b4de5991c8f4820ce11a7c01cf0dde6032e500d\r\n630d7bdc20f33e6f822f52533a324865694886b7b74dfaad1dc30c9aee4260a2\r\n635273eaa4c2e20c4ec320c6c8447ce2e881984e97c9ed6aeec4fad16b934e81\r\n63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0\r\n640eeb3128ae5c353034ee29cb656d38c41353743396c1c936afd4d04a782087\r\n6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0\r\n6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660\r\n6a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f\r\n6c7f24d8ed000bc7ce842e4875b467f9de1626436e051bd351adf1f6f8bbacf8\r\n70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7\r\n79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617\r\n7ff8fe4c220cf6416984b70
a7e272006a018e5662da3cedc2a88efeb6411b4a4\r\n8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870\r\n8e0b330a8df3076153638f5b76afc24d1083ebccc60e4d63ee0df5c11c45d58a\r\n93d99a5fbfc888c0a40a18946933121ae110229dcf206b4d17116a57e7cf4dc9\r\n97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c\r\n9b55b35284346bbcdc2754e60517e1702f0286770a080ee6ff3e7eed1cab812a\r\n9f9315790d0b0cc5213ac9a8eff0968cccc0a6c469b50d6598ce759748fe74bf\r\n9f9ebd6cd9b5b33ab2780122ee9c5feec84927f362890a062d13ef9816c7b85f\r\na0050c33c8263da02618872d642617959b3564fe173985e078bfedb89df93724\r\naa97f4f98ff842b1bfd78e920fcb1dedaec3f882dd19311bba6037430868e7a7\r\nad2dd8a68ce22d0959f341e9269e8033b34362b34bdea50b8ee2390907f1a610\r\nb2cd9cca011064d03ddd8fe3521ce0e9f9d8b16f63e4ecaf03eacfef47d22dbf\r\nb7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8\r\nb847e717215e0198cb4e863bd96390613f83eb92693171be50ca14255c5fb088\r\nbbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a\r\nbfb4603902c6c9ff32bc36113280ee8b5687cc3ef4c0ff9fc56f2925c7f342f0\r\nc0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99\r\nc2f23ad4e2f12c490cfd589764464e293d5d56c31b6b3f5081e2d677384cb2fe\r\nc95af9eb52111b72563875d85d593d96d7e54e19690827a052377c77cc80e06f\r\ncaa0d9bb7ed2d21a76b71dfc22ffaef80371de8af2a03b8103cbcec332897a88\r\nd0e1639e6386ef3c063bfae334fcc35cdfa85068ac1a65bb58f2463276c31ac9\r\nd1ac4d07ba6fe1dd988c471975e49e35b83d03a9b9d626fa524fd8300b80b14a\r\nd4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8\r\nd60fdabaf5a0ab375361d2ed1a9b39832bdb8bd33466d6c43d42a48ba2ffd274\r\ne0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37\r\ne2449ccc74e745c0339850064313bdd8dc0eff17b3a4e0882184c9576ac93a89\r\ne8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ff\r\nedc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed\r\nee6d0d0ea2
4be622521ee1a4defa5d5729b99ee2217ac65701d38d05dbc0d4e6\r\nf1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71\r\nf83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca\r\nfd8a5313bf63f5013dc126620276fb4f0ef26416db48ee88cbaaca4029df1d73\r\nSource: https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/"
	],
	"report_names": [
		"investigating-and-mitigating-malicious-drivers"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53a93e67a21359c88e2be6d2db8d7e8a9525f4fa.pdf",
		"text": "https://archive.orkl.eu/53a93e67a21359c88e2be6d2db8d7e8a9525f4fa.txt",
		"img": "https://archive.orkl.eu/53a93e67a21359c88e2be6d2db8d7e8a9525f4fa.jpg"
	}
}