Cybercriminals Weaponize Legitimate Windows Driver to Disable Security Tools in Large-Scale Attacks A sophisticated cyberattack campaign is exploiting a trusted Windows kernel driver truesight.sys, part of Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions before deploying ransomware or remote access malware. The attack leverages over 2,500 validly signed variants of the vulnerable driver, bypassing Microsoft’s security controls by abusing legacy driver signing rules. Originally exposed by Check Point researchers, the technique allows threat actors to load pre-2015 signed drivers on modern Windows 11 systems, granting them kernel-level privileges to terminate security processes undetected. MagicSword analysts later confirmed the method’s rapid adoption by multiple threat groups, including financially motivated actors and advanced persistent threat (APT) groups. The driver’s IOCTL command enables attackers to forcibly kill nearly 200 security products, from CrowdStrike and SentinelOne to Kaspersky and Symantec, leaving systems exposed to ransomware like HiddenGh0st or other payloads. The infection chain typically begins with phishing emails, fake download sites, or compromised Telegram channels, tricking users into running a disguised installer. The malware then establishes persistence via scheduled tasks and DLL side-loading, deploys an obfuscated EDR killer module, and installs the TrueSight driver as a Windows service (often named TCLService). With security tools neutralized at the kernel level, the final payload executes with minimal resistance sometimes within 30 minutes of initial compromise. The attack’s high evasion rate and reliance on signature-based defenses make it particularly dangerous for enterprises, as victims often only detect the breach after encryption or data exfiltration has occurred. The campaign’s scale and effectiveness highlight the growing threat of legitimate driver abuse in modern cyberattacks.