Malware found in over 100 signed Windows drivers

Martin Brinkmann
Jul 12, 2023
Security, Windows Updates

Yesterday's security updates for Windows and other Microsoft products came with an advisory regarding the malicious use of Microsoft signed drivers.

Security researchers at Sophos, Trend Micro and Cisco informed Microsoft about malware in signed drivers in February 2023. The researchers discovered that drivers "certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity".

The researchers identified 133 different drivers, the majority of them certified through multiple developer accounts, and reported their findings to Microsoft. Some of the signed drivers date back to April 2021 according to Sophos.

Microsoft is blocking the malicious drivers and has closed the responsible developer accounts. The drivers have been put on the Windows Driver.STL revocation list; this list prevents them from being loaded on Windows devices. The revocation list ships with Windows and is updated regularly via Windows Update. Microsoft notes that the list is not part of Windows and that it can't be disabled, removed or manipulated.

Windows administrators should make sure that the latest Windows updates are installed and that third-party security software is up to date as well. Administrators should run offline scans on their devices to detect malicious drivers that were installed before March 2, 2023. Sophos has published hashes of the malicious drivers on GitHub.
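The offline-scan advice above can be complemented by a quick inventory of the kernel drivers registered on a machine. The following PowerShell script is an added example, not part of the article and not a tool from Microsoft or Sophos: it enumerates drivers through the Win32_SystemDriver CIM class, hashes each image with SHA-256, records its Authenticode signature status and flags any hash that appears in a blocklist. The `$KnownBadHashes` entry is a constructed placeholder; the article does not reproduce the Sophos hashes, so replace it with the list Sophos published on GitHub. It assumes an elevated PowerShell session so that every driver image is readable.

```powershell
# Added example (not from the article, Microsoft or Sophos): hash registered kernel drivers
# and compare them with a SHA-256 blocklist. Run from an elevated PowerShell session.
# $KnownBadHashes holds a CONSTRUCTED placeholder; replace it with the hashes Sophos
# published on GitHub.
$KnownBadHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder, not a real IoC
)

function Get-DriverInventory {
    # Win32_SystemDriver lists kernel drivers registered as services; PathName is the image path.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or carry the \??\ or \SystemRoot\ prefixes; normalise it
            # into a plain file-system path before hashing.
            $path = $_.PathName.Trim('"') `
                -replace '^\\\?\?\\', '' `
                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $path

            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State            # Running or Stopped
                Path      = $path
                Sha256    = $hash
                SigStatus = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
                # -contains compares case-insensitively, so mixed-case hex in the list is fine.
                KnownBad  = $KnownBadHashes -contains $hash
            }
        }
}

# Show only what needs a closer look: blocklisted images and anything without a valid signature.
Get-DriverInventory |
    Where-Object { $_.KnownBad -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, State, SigStatus, KnownBad, Path -AutoSize
```

Treat the hash match as the decisive signal. The revoked drivers carry genuine Microsoft signatures, and the Driver.STL blocklist is enforced by the loader rather than through certificate revocation, so `Get-AuthenticodeSignature` may still report `Valid` for an image that Windows now refuses to load. A hit on the hash list, or a driver whose State is Running despite being on the list, is the case to escalate.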

Other Microsoft services, including Microsoft 365, Azure or Xbox are not affected by the issue according to Microsoft's advisory.

Microsoft introduced a policy in Windows 10 version 1607 that required a valid digital signature for kernel drivers. Windows systems with Secure Boot enabled load only these drivers and refuse to load any drivers not digitally signed.

Sophos notes that several of the digital certificates appear to have their origin in China, which it bases on the company names associated with the certificates.

Sophos researchers discovered two main types of drivers. Some fell into the "Endpoint protection killer" category and resembled the maliciously signed drivers discovered in 2022. Others had rootkit-like capabilities and were designed to run silently in the background.

These drivers could only be installed by accounts with elevated rights. The rootkit drivers had network monitoring capabilities built on the Windows Filtering Platform, which allowed the malicious actor to monitor incoming and outgoing Internet traffic.

At least some of the rootkits belong to known Windows rootkit families according to Sophos' analysis, and many included command-and-control server functionality, which gave the malicious actor even more control over infected devices.

All malicious drivers that Sophos reported to Microsoft have been invalidated and revoked by Microsoft as of July 11, 2023. Microsoft Defender 1.391.3822.0 and newer versions of the built-in security tool detect the malicious drivers as well.

Ghacks Technology News



  1. Paul(us) said on December 27, 2010 at 2:05 am

    I first read about the updates/always check them/test them before installing them. Then I make a total mirror image from the (operating) system, with the new installed updates. After that I start cleaning up the updates on the main operating system disk.

  2. pitman said on December 27, 2010 at 8:54 am

    I let it download stuff but choose what to install, that is how I can avoid some crap it tries to install like “Live Essentials” and generally I like to have control.

  3. ilev said on December 27, 2010 at 9:07 am

    The problem with Windows Updates isn’t what you know, but the crap Microsoft is sneaking into your PC, secretly, behind your back, like Firefox add-ons…

  4. Bjørn said on November 8, 2015 at 2:56 pm

    “Recommended updates are otherwise (with the option disabled) displayed as available updates but installed automatically.”

    Shouldn’t this be:

    Recommended updates are otherwise (with the option disabled) displayed as available updates but NOT installed automatically.
