SentinelOne, Kaspersky and Adlice Software: Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware


Cybercriminals Weaponize Legitimate Windows Driver to Disable Security Tools in Large-Scale Attacks

A sophisticated cyberattack campaign is exploiting a trusted Windows kernel driver, truesight.sys, part of Adlice Software’s RogueKiller antivirus, to disable endpoint detection and response (EDR) and antivirus solutions before deploying ransomware or remote access malware.

The attack leverages over 2,500 validly signed variants of the vulnerable driver, bypassing Microsoft’s security controls by abusing legacy driver signing rules. Originally exposed by Check Point researchers, the technique allows threat actors to load pre-2015 signed drivers on modern Windows 11 systems, granting them kernel-level privileges to terminate security processes undetected.

MagicSword analysts later confirmed the method’s rapid adoption by multiple threat groups, including financially motivated actors and advanced persistent threat (APT) groups. The driver’s IOCTL command enables attackers to forcibly kill nearly 200 security products, from CrowdStrike and SentinelOne to Kaspersky and Symantec, leaving systems exposed to ransomware like HiddenGh0st or other payloads.

The infection chain typically begins with phishing emails, fake download sites, or compromised Telegram channels that trick users into running a disguised installer. The malware then establishes persistence via scheduled tasks and DLL side-loading, deploys an obfuscated EDR killer module, and installs the TrueSight driver as a Windows service (often named TCLService). With security tools neutralized at the kernel level, the final payload executes with minimal resistance, sometimes within 30 minutes of initial compromise.
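The two observable steps in that chain (a legacy-signed driver registered as a kernel service, then loaded) are what a defender can alert on. The following detection pass is an added example, not code from the article, Check Point, MagicSword or any of the vendors named; it runs over constructed log records shaped loosely like Sysmon Event ID 6 (driver loaded) and System log Event ID 7045 (service installed), with field names chosen here. The driver and service names come from the article; the 2015-01-01 signing-date cut-off is an assumption derived from the article's "pre-2015" wording, and the "kernel driver loading from outside the drivers directory" heuristic is a general BYOVD check added here rather than something the article describes.

```python
"""
Added example (not from the article or any vendor): flag the
bring-your-own-vulnerable-driver pattern described above, using
event-log-style records. Record shapes and field names are assumptions.
"""
from datetime import datetime

SUSPICIOUS_DRIVERS = {"truesight.sys"}        # named in the article
SUSPICIOUS_SERVICES = {"tclservice"}          # "often named TCLService"
LEGACY_SIGNING_CUTOFF = datetime(2015, 1, 1)  # assumption: article says "pre-2015"
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"  # heuristic, not from the article

# Constructed sample records; not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "TCLService",
     "image_path": r"C:\ProgramData\tcl\truesight.sys",
     "start_type": "kernel mode driver"},
    {"event_id": 6, "image_loaded": r"C:\ProgramData\tcl\truesight.sys",
     "signed": True, "sign_date": "2014-11-20"},
    {"event_id": 6, "image_loaded": r"C:\Windows\System32\drivers\ndis.sys",
     "signed": True, "sign_date": "2023-05-10"},
    {"event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe",
     "start_type": "auto start"},
    {"event_id": 7045, "service_name": "updsvc",
     "image_path": r"C:\Users\Public\upd.sys",
     "start_type": "kernel mode driver"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of human-readable findings for one record (empty if clean)."""
    findings = []
    eid = ev.get("event_id")

    if eid == 7045:  # a service was installed
        name = ev.get("service_name", "")
        path = ev.get("image_path", "")
        drv = _basename(path)
        if name.lower() in SUSPICIOUS_SERVICES or drv in SUSPICIOUS_DRIVERS:
            findings.append(
                f"known EDR-killer driver registered as service '{name}' ({drv})")
        elif (ev.get("start_type", "").lower() == "kernel mode driver"
              and not path.lower().startswith(SYSTEM_DRIVER_DIR)):
            # Generic BYOVD heuristic (assumption): kernel drivers normally
            # live under System32\drivers, not in user-writable locations.
            findings.append(
                f"kernel driver service '{name}' loads from outside the "
                f"drivers directory: {path}")

    elif eid == 6:  # a driver was loaded into the kernel
        drv = _basename(ev.get("image_loaded", ""))
        if drv in SUSPICIOUS_DRIVERS:
            findings.append(f"known EDR-killer driver loaded: {drv}")
        sign_date = ev.get("sign_date")
        if ev.get("signed") and sign_date:
            signed_on = datetime.strptime(sign_date, "%Y-%m-%d")
            if signed_on < LEGACY_SIGNING_CUTOFF:
                # A valid signature is not enough: the article's whole point is
                # that legacy-signed drivers still load on current Windows.
                findings.append(
                    f"legacy-signed driver loaded (signed {sign_date}): {drv}")

    return findings


def scan(events):
    """Run check_event over a record list; return (index, finding) pairs."""
    hits = []
    for i, ev in enumerate(events):
        for finding in check_event(ev):
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"[event {idx}] {finding}")
```

On the constructed sample the scan raises four findings: the TCLService install, two for the truesight.sys load (known driver plus legacy signature), and one for the unrelated kernel driver loading from C:\Users\Public; the ndis.sys load and the Spooler service pass clean. In a real deployment the signing date would come from the binary's Authenticode timestamp rather than from a log field, and the name lists would be fed from a maintained vulnerable-driver inventory rather than two hard-coded strings.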

The attack’s high evasion rate, combined with victims’ reliance on signature-based defenses, makes it particularly dangerous for enterprises: victims often detect the breach only after encryption or data exfiltration has occurred. The campaign’s scale and effectiveness highlight the growing threat of legitimate driver abuse in modern cyberattacks.

Source: https://cybersecuritynews.com/hackers-weaponized-2500-security-tools/

SentinelOne cybersecurity rating report: https://www.rankiteo.com/company/sentinelone

Kaspersky cybersecurity rating report: https://www.rankiteo.com/company/kaspersky

Adlice Software cybersecurity rating report: https://www.rankiteo.com/company/adlice-software

{
"id": "SENKASADL1769023372",
"linkid": "sentinelone, kaspersky, adlice-software",
"type": "Cyber Attack",
"date": "6/2015",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'type': 'enterprises'}],
 'attack_vector': ['phishing emails',
                   'fake download sites',
                   'compromised Telegram channels'],
 'data_breach': {'data_encryption': 'Ransomware encryption (e.g., HiddenGh0st)',
                 'data_exfiltration': 'Possible data exfiltration'},
 'description': 'A sophisticated cyberattack campaign is exploiting a trusted '
                'Windows kernel driver *truesight.sys*, part of Adlice '
                'Software’s RogueKiller antivirus, to disable endpoint '
                'detection and response (EDR) and antivirus solutions before '
                'deploying ransomware or remote access malware. The attack '
                'leverages over 2,500 validly signed variants of the '
                'vulnerable driver, bypassing Microsoft’s security controls by '
                'abusing legacy driver signing rules. The technique allows '
                'threat actors to load pre-2015 signed drivers on modern '
                'Windows 11 systems, granting them kernel-level privileges to '
                'terminate security processes undetected.',
 'impact': {'operational_impact': 'Disabling of EDR and antivirus solutions, '
                                  'leaving systems exposed to ransomware or '
                                  'malware',
            'systems_affected': 'Windows systems (including Windows 11)'},
 'initial_access_broker': {'backdoors_established': 'Scheduled tasks and DLL '
                                                    'side-loading',
                           'entry_point': ['phishing emails',
                                           'fake download sites',
                                           'compromised Telegram channels']},
 'motivation': ['financial gain', 'data exfiltration'],
 'post_incident_analysis': {'root_causes': 'Abuse of legacy driver signing '
                                           'rules and kernel-level privileges '
                                           'to disable security tools'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Possible',
                'ransomware_strain': 'HiddenGh0st'},
 'references': [{'source': 'Check Point researchers'},
                {'source': 'MagicSword analysts'}],
 'threat_actor': ['financially motivated actors',
                  'advanced persistent threat (APT) groups'],
 'title': 'Cybercriminals Weaponize Legitimate Windows Driver to Disable '
          'Security Tools in Large-Scale Attacks',
 'type': ['ransomware', 'malware'],
 'vulnerability_exploited': 'Legitimate Windows driver *truesight.sys* (Adlice '
                            'Software’s RogueKiller) with IOCTL command abuse'}