{
	"id": "19510e13-5eb7-4d2d-b4ac-5654d026ecf2",
	"created_at": "2026-04-06T00:11:11.935848Z",
	"updated_at": "2026-04-10T03:30:33.617211Z",
	"deleted_at": null,
	"sha1_hash": "6e61cb77841d247eef49e911b09540c03dd0fde7",
	"title": "Hackers Tricked Microsoft Into Certifying Malware That Could Spy on Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52092,
	"plain_text": "Hackers Tricked Microsoft Into Certifying Malware That Could Spy on Users\nBy Lorenzo Franceschi-Bicchierai\nPublished: 2021-06-28 · Archived: 2026-04-05 23:18:49 UTC\n\nHackers were able to trick Microsoft into certifying a malicious driver that, if installed, would be able to decrypt internet traffic on an infected computer and send it to a third party.\n\nOn June 17, a security researcher found that Microsoft had signed a rootkit, a dangerous type of malware that has the ability to be persistent and capture practically all data on an infected computer. Whoever is behind this attack was able to make their malware look like a legitimate driver approved by Microsoft, giving them the ability to bypass most computers’ protections.\n\nOn Friday, Microsoft published a blog post revealing that the hackers behind the malware were “distributing malicious drivers within gaming environments.”\n\n“The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments,” Microsoft wrote. “The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”\n\nMicrosoft published a more in-depth analysis of the hack in a report that is only for customers and not available to the public. A Microsoft spokesperson declined to provide more details about the incident.\n\nKarsten Hahn, the security researcher who first found the malware and works for antivirus firm G Data, wrote in a blog post published last week that he and his colleagues were able to find older samples of the malware, dating back to March 2021.\n\n“What really unsettles me is that this malware was undetected for many months,” Hahn told Motherboard. “The worst is the demonstration that this incident shows you can still create kernel mode rootkits for Windows 10 by slipping through the [Microsoft] driver signing process. And that may in turn lead to more threat actors trying this.”\n\nHahn said he called the malware Netfilter because that word appears repeatedly in the code. Netfilter is also a Linux open source framework to filter network traffic. Microsoft called the malware Retliften, the reverse of Netfilter.\n\nKevin Beaumont, a security researcher and former Microsoft employee, said that the hack “impacts thousands of Chinese-made games,” according to the paywalled report. The malware was designed to install certificates on the victims’ computers in order to decrypt their internet traffic, Beaumont wrote on Twitter. Johann Aydinbas, another security researcher who has analyzed the malware, also found that “the core functionality seems to be eavesdropping on SSL connections,” meaning encrypted internet traffic.\n\nModern Windows PCs are designed to only run signed drivers, meaning Microsoft reviewed them and certified they are safe. In this case, the hackers tried to hide their malware in a Netfilter driver that has the ability to intercept internet traffic, according to Sherrod DeGrippo, the senior director of threat research and detection at cybersecurity firm Proofpoint.\n\n“Given these drivers have the ability to operate on packet-level network communications, intercepting existing traffic is trivial, allowing the author of the malicious code the ability to do whatever they want with said traffic,” DeGrippo told Motherboard in an email.\n\nMicrosoft wrote in the blog post that hackers would only be able to use the malware after getting access to a victim’s computer, meaning the signed rootkit was designed to be part of a second or further step in a hypothetical attack, which needed the hackers to “either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.”\n\nMicrosoft didn’t say who exactly was targeted or actually hacked, nor who is behind the attack, only that the hackers were not “a nation-state actor.”\n\n“The malware itself is not widespread,” Hahn said, arguing that if it were, G Data would have “seen telemetry,” the industry lingo for data on actual attacks.\n\nMicrosoft also did not share many details about how exactly the hackers tricked the company into certifying their malware, saying only that they “submitted drivers for certification through the Windows Hardware Compatibility Program.”\n\n“The drivers were built by a third party,” Microsoft added. “We have suspended the account and reviewed their submissions for additional signs of malware.”\n\nUsers who have Windows Defender are now protected against this malware, and so should be people who use other antivirus software, according to Microsoft.\n\nSource: https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users"
	],
	"report_names": [
		"hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e61cb77841d247eef49e911b09540c03dd0fde7.pdf",
		"text": "https://archive.orkl.eu/6e61cb77841d247eef49e911b09540c03dd0fde7.txt",
		"img": "https://archive.orkl.eu/6e61cb77841d247eef49e911b09540c03dd0fde7.jpg"
	}
}