{
	"id": "847fd081-088d-4596-bc49-c280cf02a2ad",
	"created_at": "2026-04-06T01:30:04.485415Z",
	"updated_at": "2026-04-10T13:13:00.44976Z",
	"deleted_at": null,
	"sha1_hash": "5471f69982361d27e5d79eff2cad02e3941969cc",
	"title": "netfilter-rootkit-ii-continues-to-hold-whql-signatures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422925,
	"plain_text": "netfilter-rootkit-ii-continues-to-hold-whql-signatures\r\nPublished: 2021-07-29 · Archived: 2026-04-06 01:27:41 UTC\r\nLearn more about 360 Total Security\r\n1. Background\r\nIn mid-June, 360 Security Center discovered that a malicious driver, the “Netfilter rootkit”, carried a WHQL signature. A WHQL signature means that once a hardware driver has passed Microsoft certification, Microsoft adds a “Hardware Compatibility Publisher” digital signature to it. The Netfilter rootkit has since been updated to a second generation that continues to hold the Microsoft signature. Moreover, the upgraded rootkit is so much stealthier that, at the time of writing, no antivirus engine on VirusTotal flags it.\r\nBecause the second generation of the Netfilter rootkit differs from the previous version in both function and name, 360 Security Center has named it the “NetRedirect rootkit”. Although the NetRedirect rootkit is highly stealthy and dangerous, 360 Total Security can still defend against it, detect and remove it thoroughly, and resolve the user’s security problem at its root.\r\nhttps://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/\r\nPage 1 of 8\r\nIn fact, as early as June 25 the Microsoft Security Response Center stated that it had suspended the account that submitted the Netfilter rootkit and was reviewing its other submissions. “According to our zero-trust and layered defense security posture, we passed Microsoft Defender for Endpoint built-in detection and blocking of this driver and related files.” However, its second-generation successor, the NetRedirect rootkit, which shares most of its code and behavior, still carries a Microsoft signature, making it stealthier and harder to detect and remove.\r\nThe NetRedirect rootkit is also significantly more harmful. Because it distributes rootkit payloads under cloud control, the operator is no longer limited to IP hijacking and can execute any malicious rootkit on infected devices.\r\n2. Hidden behavior: cloud-controlled malicious files and in-memory loading\r\nUnlike the previous-generation “Netfilter rootkit”, which verified its own file MD5 to update itself, the “NetRedirect rootkit” is split into a decoy driver and a malicious driver. The real malicious driver is stored on the Trojan’s C \u0026 C server under cloud control, while the local driver, masquerading as a WFP network filter driver, requests the malicious file data from the server, loads it covertly in memory, and calls the rootkit’s entry address.\r\nThe “NetRedirect rootkit” is spread through certain private-server games. When such a game runs, it silently writes a driver service to the registry, drops the NetRedirect.sys file into the %UserProfile%\\AppData\\Roaming directory, and loads NetRedirect.sys.\r\nNetRedirect.sys, which carries Microsoft’s signature, then requests the real malicious driver from the server over a socket:\r\nAfter receiving the rootkit file data, it loads the driver into memory itself and calls the driver entry address:\r\nThe Netfilter rootkit loaded in memory is responsible for the IP hijacking. It repeatedly tampers with the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL value to achieve the hijack:\r\nA partial list of hijacked addresses follows:\r\nMonitoring shows the “NetRedirect rootkit” running from a memory thread that belongs to no module and tampering with the registry AutoConfigURL value:\r\nHowever, users do not need to worry. Under 360 Total Security’s accurate, real-time, intelligence-driven protection, such rootkits cannot bypass its behavior-based detection. The new generation of defense technology from 360 Security Center prevents problems before they happen and can also thoroughly detect and clean infected devices.\r\nSecurity Advice:\r\n1. Go to https://www.360totalsecurity.com/ to download and install 360 Total Security for protection.\r\n2. If 360 Total Security blocks unfamiliar software, do not run it anyway or add it to the trust list.\r\n3. If your device has been infected by the Trojan, download and install 360 Total Security from https://www.360totalsecurity.com/ and use its scan and removal service.\r\nFile MD5s:\r\n36b43aa3621e0c4f86a4a61a2ea1f2c4\r\n09ef4b13abda36da6cd3982ae66a59c0\r\n155250268a6080aeeb9a337f76e35599\r\n7b6ebe1f32b204d0e1e4ac92b3ad6baa\r\nSource: https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/"
	],
	"report_names": [
		"netfilter-rootkit-ii-continues-to-hold-whql-signatures"
	],
	"threat_actors": [],
	"ts_created_at": 1775439004,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5471f69982361d27e5d79eff2cad02e3941969cc.pdf",
		"text": "https://archive.orkl.eu/5471f69982361d27e5d79eff2cad02e3941969cc.txt",
		"img": "https://archive.orkl.eu/5471f69982361d27e5d79eff2cad02e3941969cc.jpg"
	}
}