{
	"id": "31423a4b-ab33-45be-b895-396b22d23d4c",
	"created_at": "2026-04-10T03:21:53.048123Z",
	"updated_at": "2026-04-10T13:12:59.792796Z",
	"deleted_at": null,
	"sha1_hash": "6206d3ba83914a126c627e8657b33bebeb34f78a",
	"title": "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2366673,
	"plain_text": "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to\r\nKill Antivirus\r\nBy Ryan Soliven, Hitomi Kimura ( words)\r\nPublished: 2022-08-24 · Archived: 2026-04-10 02:44:06 UTC\r\nRansomware\r\nWe investigate mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact.\r\nThe driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware.\r\nBy: Ryan Soliven, Hitomi Kimura Aug 24, 2022 Read time: 7 min (1940 words)\r\nSave to Folio\r\nThere have already been reports on code-signed rootkits like Netfilteropen on a new tab, FiveSysopen on a new\r\ntab, and Fire Chiliopen on a new tab. These rootkits are usually signed with stolen certificates or are falsely\r\nvalidated. However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of\r\nmhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is\r\ncurrently being abused by a ransomwareopen on a new tab actor to kill antivirus processes and services for mass-deploying ransomware. Security teams and defenders should note that mhyprot2.sys can be integrated into any\r\nmalware.  \r\nWhat we found\r\nDuring the last week of July 2022, a ransomware infection was triggered in a user environment that had endpoint\r\nprotection properly configured. Analyzing the sequence, we found that a code-signed driver called\r\n“mhyprot2.sys”, which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused\r\nto bypass privileges. As a result, commands from kernel mode killed the endpoint protection processes.\r\nAs of this writing, the code signing for mhyprot2.sys is still valid. Genshin Impact does not need to be installed on\r\na victim’s device for this to work; the use of this driver is independent of the game. \r\nThis ransomware was simply the first instance of malicious activity we noted. The threat actor aimed to deploy\r\nransomware within the victim’s device and then spread the infection. Since mhyprot2.sys can be integrated into\r\nany malware, we are continuing investigations to determine the scope of the driver.\r\nOrganizations and security teams should be careful because of several factors: the ease of obtaining the\r\nmhyprot2.sys module, the versatility of the driver in terms of bypassing privileges, and the existence of well-made\r\nproofs of concept (PoCs). All these factors mean that the usage of this driver is likely higher than those of\r\npreviously discovered rootkits (such as the ones mentioned in the preceding section).\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 1 of 12\n\nMeanwhile, the timeline and attack sequence of the threat actor’s activities that we present here are noteworthy for\r\nsecurity teams. A list of the techniques used in this operation can be found in the MITRE ATT\u0026CK analysis at the\r\nend of this article.\r\nTimeline of activities\r\nFigure 1. Attack overview\r\nThe earliest evidence of compromise was a secretsdumpopen on a new tab from an unidentified endpoint of the\r\ntargeted organization to one of the domain controllers. It was followed by the execution of discovery commands\r\nusing wmiexecopen on a new tab in the context of the built-in domain administrator account. Both secretsdump —\r\nwhich dumps secrets from the remote machine without executing any agent there — and wmiexec — which\r\nexecutes commands remotely through Windows Management Instrumentation (WMI) — are tools from\r\nImpacketopen on a new tab, a free collection of Python classes for working with network protocols.\r\nFigure 2. Early evidence of compromise\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 2 of 12\n\nShortly afterward, the threat actor connected to the domain controller via RDP using another compromised\r\nadministrator account. From there, everything was executed in the context of that user account.\r\nFigure 3. The threat actor connecting to the domain controller via RDP\r\nNote: The process rdpclip.exe running under the context of the compromised administrator account was the only\r\ndestination system artifact supporting the use of RDP toward the domain controller. It facilitates clipboard\r\nsharing between RDP sessions.\r\nA malicious file, kill_svc.exe (C:\\users\\{compromised user}\\kill_svc.exe), and mhyprot2.sys (C:\\users\\\r\n{compromised user}\\mhyprot2.sys) were transferred to the desktop. This was the first time that the vulnerable\r\ndriver was seen. The file kill_svc.exe installed the mhyprot2 service and killed antivirus services.\r\nFigure 4. The suspicious kill_svc.exe file executed\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 3 of 12\n\nFigure 5. The vulnerable device installed\r\nAnother malicious file, avg.msi, was transferred to the netlogon share \\\\{domaincontroller}\\NETLOGON\\avg.msi.\r\nThis Windows installer contains avg.exe, a malicious file masquerading as AVG Internet Security, and is\r\nresponsible for dropping and executing the following: \r\nlogon.bat – A batch file that executes HelpPane.exe, kills antivirus and other services, and executes\r\nsvchost.exe.\r\nHelpPane.exe – A malicious file masquerading as Microsoft Help and Support executable; similar to\r\nkill_svc.exe, it installs mhyprot2.sys and kills antivirus services.\r\nmhyprot2.sys – A vulnerable Genshin Impact anti-cheat driver.\r\nsvchost.exe – The ransomware payload.\r\nThis also shows that the threat actor intended to mass-deploy the ransomware using the domain controller via\r\nstartup/logon script.\r\nThe Windows installer avg.msi hosted on the netlogon share was deployed to one workstation endpoint via Group\r\nPolicy Object (GPO). We suspect that this was to test whether deployment via GPO would be successful, but this\r\ncase resulted in a failure.\r\nFigure 6. The Windows installer avg.msi deployed via GPO\r\nAfterward, the threat actor logged in to the workstation from the unidentified endpoint. Both Logon Type 3\r\n(Network Logon) and Logon Type 10 (RemoteInteractive) were observed. The Windows installer avg.msi was\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 4 of 12\n\nmanually installed three times, which also resulted in a failure — no encryption. However, it was successful in\r\nkilling the antivirus services.\r\nFigure 7. Manual installation of avg.msi failing\r\nNote: The installation of avg.msi might have failed but the product was also no longer working.\r\nThe file avg.exe, extracted from avg.msi, was also transferred to the desktop and executed three times. However,\r\nin our analysis, we found that this step also did not work even though the antivirus was no longer working.\r\nApparently, using the the .msi or .exe file resulted in the applications’ being stuck.\r\nFigure 8. The malicious file avg.exe transferred to the desktop and executed three times\r\nIn an attempt to make things work, the threat actor transferred logon.bat to the desktop and executed it manually.\r\nThe file logon.bat, supposedly dropped and executed by avg.exe, was used as a standalone. \r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 5 of 12\n\nFigure 9. Section 1 of logon.bat, used for starting HelpPane.exe\r\nFigure 10. Section 2 of logon.bat, used for killing antivirus solutions and other services\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 6 of 12\n\nFigure 11. Section 3 of logon.bat, used for disabling the boot loader from loading the Windows\r\nrecovery environment, disabling the Windows recovery environment, clearing Windows event logs,\r\nkilling the mhyprot2 service and deleting it, and lastly, starting the ransomware svchost.exe.\r\nSurprisingly, executing logon.bat worked and the ransomware svchost.exe began dropping ransom notes and\r\nencrypting files. Knowing this, the threat actor hosted three files necessary for mass deployment on a shared\r\nfolder named “lol”: mhyprot2.sys, kill_svc.exe (for killing antivirus services), and svchost.exe (the ransomware).\r\nFigure 12. The share folder containing the necessary component files for mass deployment\r\nA batch file named “b.bat” (C:\\Users\\{compromised user}\\Desktop\\b.bat), responsible for copying and executing\r\nthe files mentioned above, was deployed via PsExec using the credentials of the built-in domain administrator\r\naccount. It listed target workstations in the file ip.txt.\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 7 of 12\n\nFigure 13. Partial contents of b.bat (modified multiple times by the threat actor)\r\nFigure 14. The threat actor deploying b.bat to other workstations\r\nA closer look at mhyprot2.sys \r\nThe driver mhyprot2.sys is loaded by kill_svc.exe/HelpPane.exe using the NtOpenFile function.\r\nFigure 15. The driver mhyprot2.sys loaded by kill_svc.exe/HelpPane.exe\r\nAfter loading mhyprot2.sys, kill_svc.exe/HelpPane.exe checks a list of processes to be terminated.\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 8 of 12\n\nFigure 16. A list of processes to be terminated as checked by kill_svc.exe/HelpPane.exe\r\nAfterward, it passes this information to the driver using the DeviceIoControl function. \r\nFigure 17. The DeviceIoControl function\r\nThe control code 0x81034000 is sent to the driver, instructing it to terminate the processes in the list.\r\nFigure 18. The mhyprot2.sys case function\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 9 of 12\n\nFigure 19. ZwTerminateProcess inside 0x81034000, which terminates a process and all of its\r\nthreads\r\nThe mhyprot2.sys driver that was found in this sequence was the one built in August 2020. Going back to social\r\nmedia streams, we can see that shortly after Genshin Impact was released in September 2020, this module was\r\ndiscussed in the gaming community because it was not removed even after the game was uninstalledopen on a\r\nnew tab and because it allowed bypassing of privilegesopen on a new tab.\r\nA PoCopen on a new tab, provided by user kagurazakasanaeopen on a new tab, showed that a library terminated\r\n360 Total Security. A more comprehensive PoCopen on a new tab, provided by Kento Okiopen on a new tab, had\r\nthe following capabilities:\r\nRead/Write any kernel memory with privilege of kernel from user mode.\r\nRead/Write any user memory with privilege of kernel from user mode.\r\nEnumerate a number of modules by specific process id.\r\nGet system uptime.\r\nEnumerate threads in a specific process, allowing reading of the PETHREAD structure in the kernel\r\ndirectly from the command-line interface (CLI).\r\nTerminate a specific process by process id with ZwTerminateProcess, which calls in the vulnerable driver\r\ncontext (ring-0).\r\nThe issue was also reported by Kento Oki to miHoYo, the developer of Genshin Impact, as a vulnerability. Kento\r\nOki’s PoC led to more discussions, but the provider did not acknowledge the issue as a vulnerability and did not\r\nprovide a fix. Of course, the code-signing certificate is still valid and has not been revoked until now and the\r\ndigital signature for code signing as a device driver is still valid at this time.\r\nComplications of code signing as a device driver \r\nIt is still rare to find a module with code signing as a device driver that can be abused. The point of this case is that\r\na legitimate device driver module with valid code signing has the capability to bypass privileges from user mode\r\nto kernel mode. Even if a vendor acknowledges a privilege bypass as a vulnerability and provides a fix, the\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 10 of 12\n\nmodule cannot be erased once distributed. This file has a code signature for the driver, which allows this module\r\nto be loaded in kernel mode. If the signature was signed for a malicious module through private key theft, the\r\ncertificate can be revoked to invalidate the signature. However, in this case, it is an abuse of a legitimate module.\r\nIt seems that there is no compromise of the private key, so it is still not known if the certificate will be revoked. It\r\nremains valid, at least for now. \r\nAs mentioned above, this module is very easy to obtain and will be available to everyone until it is erased from\r\nexistence. It could remain for a long time as a useful utility for bypassing privileges. Certificate revocation and\r\nantivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a\r\nlegitimate module.\r\nHow to counter abuse: monitoring and detection\r\nThere are only a limited number of driver files with valid signatures that are expected to have behavior\r\ncomparable to the privilege bypassing we report here. We recommend that security teams and network defenders\r\nmonitor the presence of the hash values within their organizations. We have confirmed that privilege bypassing is\r\npossible in at least this file:\r\nmhyprot2.sys (0466e90bf0e83b776ca8716e01d35a8a2e5f96d3)\r\nIn addition, we recommend monitoring Windows event logs for the installation of the service corresponding to the\r\ndriver. If the installation of the service was not intended, compromise is strongly suspected:\r\nWindows Event Log (System) – 7045: A new service was installed in the system. Service name: mhyprot2.\r\nFigure 20. The properties of Windows Event Log (System) – 7045\r\nRecommendations and solutions\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 11 of 12\n\nRansomware operators are continuously looking for ways to covertly deploy their malware onto users’ devices.\r\nUsing popular games or other sources of entertainment is an effective way of baiting victims into downloading\r\ndangerous files. It is important for enterprises and organizations to monitor what software is being deployed onto\r\ntheir machines or have the proper solutions in place that can prevent an infection from happening.\r\nUsers and organizations can also benefit from security solutions that offer multilayered detection and response\r\nsuch as Trend Micro Vision One™open on a new tab, which has multilayered protection and behavior detection\r\ncapabilities that help block suspicious behavior and tools before ransomware can do any damage. Trend Micro\r\nApex One™open on a new tab also provides next-level automated threat detection and response to protect\r\nendpoints against advanced issues, like human-operated ransomware.\r\nFor more information on the indicators of compromise, download this documentopen on a new tab. \r\nWith additional insights from Nathaniel Gregory Ragasa and Eleazar Valles\r\nMITRE ATT\u0026CK tactics and techniques\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html"
	],
	"report_names": [
		"ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791313,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6206d3ba83914a126c627e8657b33bebeb34f78a.pdf",
		"text": "https://archive.orkl.eu/6206d3ba83914a126c627e8657b33bebeb34f78a.txt",
		"img": "https://archive.orkl.eu/6206d3ba83914a126c627e8657b33bebeb34f78a.jpg"
	}
}