Security News > 2023 > July > Hackers exploit Windows policy to load malicious kernel drivers

Microsoft blocked code signing certificates predominantly used by Chinese hackers and developers to sign and load malicious kernel mode drivers on breached systems by exploiting a Windows policy loophole.
With Windows Vista, Microsoft introduced policy changes restricting how Windows kernel-mode drivers could be loaded into the operating system, requiring developers to submit their drivers for review and sign them through Microsoft's developer portal.
A new report by Cisco Talos explains that Chinese threat actors are exploiting the third policy by using two open-source tools, 'HookSignTool' and 'FuckCertVerify,' to alter the signing date of malicious drivers before July 29th, 2015.
By altering the signing date, the threat actors can use older, leaked, non-revoked certificates to sign their drivers and load them into Windows for privilege escalation.
Cisco's researchers have found more than a dozen certificates in GitHub repositories and Chinese-language forums that can be used by these tools, which are widely used for game cracks that can bypass DRM checks and malicious kernel drivers.
Malicious Windows kernel drivers used in BlackCat ransomware attacks.
News URL
Related news
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) (source)
- Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners (source)
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware (source)
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Top 3 MS Office Exploits Hackers Use in 2025 – Stay Alert! (source)
- Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images (source)
- Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp (source)
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)