{
	"id": "897ce1fc-2fb0-41eb-846c-affd2830f71d",
	"created_at": "2026-04-06T00:16:05.737533Z",
	"updated_at": "2026-04-10T03:22:07.748904Z",
	"deleted_at": null,
	"sha1_hash": "9f33467f4c5ee78f4cac01f26fc3f9ba2bac6cd4",
	"title": "Microsoft signed a malicious Netfilter rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256283,
	"plain_text": "Microsoft signed a malicious Netfilter rootkit\r\nBy Karsten Hahn\r\nPublished: 2021-06-26 · Archived: 2026-04-05 17:52:44 UTC\r\n06/25/2021\r\nReading time: 3 min (805 words)\r\nWhat started as a false positive alert for a Microsoft-signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?\r\nLast week our alert system notified us of a possible false positive because we detected a driver[1] named \"Netfilter\" that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default.\r\nIn this case the detection was a true positive, so we forwarded our findings to Microsoft, who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.\r\nhttps://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit\r\nPage 1 of 6\n\nString decoding\r\nThe first thing I noted after opening the strings view were some strings that looked encoded or encrypted. While this is not necessarily a sign of a malicious file, it is odd that a driver obfuscates part of its strings.\r\nI decoded the strings using the following Python snippet.\r\nSimilar samples\r\nSearching for this URL and the PDB path, and using the similar samples feature on VirusTotal, we found older samples as well as the dropper[2] of the netfilter driver. 
The signature on the oldest sample[3] dates back to March 2021.\r\nVirusTotal queries to find similar samples via URL and PDB path are listed below.\r\ncontent:{5c68656c6c6f5c52656c656173655c6e657466696c7465726472762e706462}\r\ncontent:{687474703a2f2f3131302e34322e342e3138303a323038302f75}\r\nAdditionally, the following YARA rule finds samples via retrohunting.\r\nrule NetfilterRootkit : Rootkit x64\r\n{\r\n    meta:\r\n        author = \"Karsten Hahn @ GDATA CyberDefense\"\r\n        description = \"Netfilter kernel-mode rootkit\"\r\n        sha256 = \"115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406\"\r\n        sha256 = \"63D61549030FCF46FF1DC138122580B4364F0FE99E6B068BC6A3D6903656AFF0\"\r\n    strings:\r\n        $s_1 = \"\\\\??\\\\netfilter\\x00\" wide\r\n        $s_2 = \"IPv4 filter for redirect\\x00\" wide\r\n        $s_3 = \"\\\\Registry\\\\Machine\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\ROOT\\\\Certificates\\\\\\x00\r\n        $s_4 = \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/\r\n        $url = \"http://110.42.4.180:2080/u\\x00\"\r\n        $pdb_1 = \"C:\\\\Users\\\\omen\\\\source\\\\repos\\\\netfilterdrv\\\\x64\\\\Release\\\\netfilterdrv.pdb\\x00\"\r\n        //RSDS [20] G:\\\u003csymbol\u003e\\hello\\x64\\Release\\netfilterdrv.pdb\r\n        $pdb_2 = {52 53 44 53 [20] 47 3A 5C E6 BA 90 E7 A0 81 5C 68 65 6C 6C 6F 5C 78 36 34 5C 52 65 6\r\n    condition:\r\n        any of ($pdb_*, $url) or\r\n        all of ($s_*)\r\n}\r\nDropper and installation\r\nThe dropper places the driver into %APPDATA%\\netfilter.sys. Then it creates the file %TEMP%\\x.calm with the following contents and issues the command regini.exe x.calm to register the driver.\r\nContents of %TEMP%\\x.calm\r\nCommand and control server\r\nThe URL hxxp://110.42.4.180:2081/u in the decoded string listing is the server of the rootkit. 
The Netfilter driver[1] connects to it to fetch configuration information.\r\nAfter connecting to the hardcoded URL hxxp://110.42.4.180:2081/u the server replies with the following string.\r\nEach URL has a specific purpose.\r\nURL Purpose\r\nhxxp://110.42.4.180:2081/p Proxy settings\r\nhxxp://110.42.4.180:2081/s Redirection IPs\r\nhxxp://110.42.4.180:2081/h? Ping with CPU-ID\r\nhxxp://110.42.4.180:2081/c Root certificate\r\nhxxp://110.42.4.180:2081/v? Self update\r\nIP redirection\r\nThe core functionality of the malware is its IP redirection. A list of targeted IP addresses is redirected to 45(.)248.10.244:3000. These IP addresses as well as the redirection target are fetched from hxxp://110.42.4.180:2081/s.\r\nResearcher @jaydinbas reversed the redirection configuration in this tweet and provided the latest decoded configuration in a pastebin. The general format as observed by @cci_forensics and @jaydinbas is\r\n[\u003credirection_target\u003e-\u003cport_number\u003e]{\u003cip_to_redirect1\u003e|\u003cip_to_redirect2\u003e|...}\r\nEncoded redirection configuration\r\nUpdate mechanism\r\nThe sample has a self-update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?v=6\u0026m=\u003cmd5\u003e. A request might look like this: hxxp://110.42.4.180:2081/v?v=6\u0026m=921fa8a5442e9bf3fe727e770cded4ab. The server then responds with the URL for the latest sample, e.g., hxxp://110.42.4.180:2081/d6, or with OK if the sample is up-to-date. The malware replaces its own file accordingly.\r\nCode that checks if the driver is up-to-date and replaces it with the newest version.\r\nRoot certificate\r\nThe rootkit receives a root certificate via hxxp://110.42.4.180:2081/c and writes it to \\Registry\\Machine\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\. 
The data that is returned from the server has the format [\u003ccertificate name\u003e]:{\u003ccertificate data blob\u003e}.\r\nRoot certificate data as it is sent by the server\r\nProxy\r\nAt hxxp://110.42.4.180:2081/p the malware requests the proxy, which it sets as AutoConfigURL in the registry key \\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings. The returned value at the time of writing is hxxp://ptaohuawu.bagua.com.hgdjkgh.com:2508/baidu.txt\r\nSample hashes\r\nDescription SHA256\r\n[1] Netfilter driver 63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0\r\n[2] Netfilter dropper d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe\r\n[3] Netfilter driver, older version signed in March 115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406\r\nMore hashes related to the Netfilter rootkit are in this spreadsheet created by Florian Roth.\r\nSource: https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit"
	],
	"report_names": [
		"microsoft-signed-a-malicious-netfilter-rootkit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f33467f4c5ee78f4cac01f26fc3f9ba2bac6cd4.pdf",
		"text": "https://archive.orkl.eu/9f33467f4c5ee78f4cac01f26fc3f9ba2bac6cd4.txt",
		"img": "https://archive.orkl.eu/9f33467f4c5ee78f4cac01f26fc3f9ba2bac6cd4.jpg"
	}
}