Hackers Use 2,500 Tools to Disable Weaponized Security

Sarah simpson
January 21, 2026

A large-scale campaign is weaponizing a trusted Windows security driver, transforming it into a tool that shuts down existing protection measures before deploying ransomware and remote access malware.

The attacks abuse truesight.sys, a kernel driver from Adlice Software’s RogueKiller antivirus, and use more than 2,500 validly signed variants to quietly disable endpoint detection and response (EDR) and antivirus solutions across Windows systems.

The threat first gained wider attention when Check Point researchers exposed how attackers were abusing legacy driver signing rules to load pre-2015 signed drivers on modern Windows 11 machines.

By doing so, they could run the vulnerable TrueSight driver with full kernel privileges, even though Microsoft’s own security controls were meant to block risky drivers. The result is a reliable way to kill security tools before any payload is delivered.

Soon after this activity surfaced, MagicSword analysts noted that the driver abuse had already spread across multiple threat groups and regions, with fresh driver variants appearing week after week.

Their telemetry showed that financially motivated actors and advanced persistent threat (APT) groups were all adopting the same method to clear the way for ransomware and remote access trojans on compromised hosts.

At the center of this operation is the capability to terminate almost any security process on the system.

The vulnerable TrueSight 2.0.2 driver exposes an IOCTL command that accepts attacker-controlled input and can forcibly kill chosen processes, including protected EDR agents and antivirus engines.

Once the driver is loaded, the malware no longer has to fight user-mode tamper protections, because it operates directly in the Windows kernel with the same privileges as legitimate security software.

The impact is significant for defenders. With EDR agents shut down at the kernel level, telemetry stops, alerts never fire, and ransomware or remote access trojans can execute with almost no resistance.

Victims often only notice the attack when files are already encrypted or data has been quietly exfiltrated.

The scale of the driver variants and the high evasion rate against traditional antivirus make this technique especially dangerous for enterprises that rely on hash-based or signature-only defenses.

Infection Chain: From Phishing to Full Control

The infection chain behind these attacks follows a staged approach that uses common delivery methods but couples them with advanced driver abuse.

Initial access often starts with phishing emails, fake download sites, or compromised Telegram channels that lure users into running a disguised installer.

This first-stage executable acts as a downloader and fetches additional components from attacker-controlled servers, typically hosted on cloud infrastructure.

In the second stage, the malware sets up persistence through scheduled tasks and DLL side-loading, ensuring it survives reboots and blends in with normal system activity.

It then deploys an EDR killer module that is heavily obfuscated with VMProtect to hinder reverse engineering.

MagicSword researchers identified that this module targets nearly 200 different security products, ranging from CrowdStrike and SentinelOne to Kaspersky, Symantec, and many others, making the campaign effective across diverse enterprise environments.

When ready, the module downloads the TrueSight driver if it is not already present, installs it as a Windows service (commonly named TCLService), and sends the crafted IOCTL request to terminate running security processes.

With defenses gone, the final payload—often a HiddenGh0st remote access trojan or a ransomware family—runs with almost no visibility.

From the initial phishing click to full system control, this sequence can complete in as little as 30 minutes, leaving a very small window for detection and response.
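The chain above leaves two kernel-level artefacts that a defender can key on without relying on file hashes, which the article notes are useless against 2,500-plus signed variants: a kernel-mode service install (commonly named TCLService) pointing at a driver outside the normal driver directory, followed by a load of a pre-2015-signed truesight.sys. The script below is an added example, not code from the article, MagicSword or Check Point. It runs the two rules over constructed log lines flattened to key=value form (Windows System EventID 7045 for service installs, Sysmon EventID 6 for driver loads); the field names, the trusted driver directory and the sample events are assumptions, and a real collector would supply its own schema.

```python
"""Detection sketch for the truesight.sys EDR-killer chain (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

DRIVER_NAME = "truesight.sys"       # vulnerable driver named in the article
SERVICE_NAME = "tclservice"         # service name the article says the module commonly uses
LEGACY_SIGN_YEAR = 2015             # article: pre-2015 signatures still load under legacy rules
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers"   # assumption: where drivers normally live

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    'EventID=7045 Host=WS-042 ServiceName=TCLService ImagePath=C:\\Windows\\Temp\\truesight.sys ServiceType="kernel mode driver"',
    'EventID=6 Host=WS-042 ImageLoaded=C:\\Windows\\Temp\\truesight.sys Signed=true Signature="Adlice" SignatureTimestamp=2014-08-02',
    'EventID=6 Host=WS-042 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature="Microsoft Windows" SignatureTimestamp=2025-03-11',
    'EventID=7045 Host=WS-077 ServiceName=TCLService ImagePath=C:\\ProgramData\\Z3\\t5.sys ServiceType="kernel mode driver"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Flatten one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() == TRUSTED_DRIVER_DIR


def check_service_install(ev: dict) -> list[str]:
    """Rules for a kernel-mode service install (EventID 7045)."""
    reasons = []
    if ev.get("ServiceType", "").lower() != "kernel mode driver":
        return reasons
    path = ev.get("ImagePath", "")
    if ev.get("ServiceName", "").lower() == SERVICE_NAME:
        reasons.append("service name matches TCLService")
    if _basename(path) == DRIVER_NAME:
        reasons.append("image is truesight.sys")
    if path and not _in_trusted_dir(path):
        reasons.append("kernel driver installed from outside System32\\drivers")
    return reasons


def check_driver_load(ev: dict) -> list[str]:
    """Rules for a driver load (Sysmon EventID 6)."""
    reasons = []
    path = ev.get("ImageLoaded", "")
    if _basename(path) == DRIVER_NAME:
        reasons.append("truesight.sys loaded")
    ts = ev.get("SignatureTimestamp", "")
    if ts[:4].isdigit() and int(ts[:4]) < LEGACY_SIGN_YEAR:
        reasons.append(f"driver signed before {LEGACY_SIGN_YEAR} (legacy signing path)")
    if path and not _in_trusted_dir(path):
        reasons.append("driver loaded from outside System32\\drivers")
    return reasons


def detect(lines: list[str]) -> dict[str, dict]:
    """Per-host findings. 'chain' is True when a suspicious kernel service install
    and a suspicious driver load are both seen on the same host, i.e. the
    install-then-IOCTL sequence the article describes."""
    per_host = defaultdict(lambda: {"install": [], "load": [], "chain": False})
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "unknown")
        if ev.get("EventID") == "7045":
            per_host[host]["install"] += check_service_install(ev)
        elif ev.get("EventID") == "6":
            per_host[host]["load"] += check_driver_load(ev)
    for finding in per_host.values():
        finding["chain"] = bool(finding["install"]) and bool(finding["load"])
    return dict(per_host)


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if finding["chain"] else "partial", finding["install"] + finding["load"])
```

The rules deliberately ignore the driver's hash: they match on the service name, the driver file name, the signing date and the load path, which stay stable across re-signed variants. Microsoft's tcpip.sys load on the same host produces no finding, and the second host with only a TCLService install is reported as partial rather than as the full chain, which is the distinction an analyst wants when the driver download was blocked but the installer ran.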

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.