
Exploiting Trust: How Signed Drivers Fuel Modern Kernel Level Attacks on Windows

ID: e76d8cca-c710-5dba-909f-23cdecbf6039

STIX ID: report--e76d8cca-c710-5dba-909f-23cdecbf6039

Feed Name: Group-IB Blog

Threat Score: 76/100

Date Published: 2025-07-04

Date Updated: 2026-04-28

...
...

This Group-IB report analyzes the growing use of Windows kernel loaders and abused digitally signed drivers (signed with stolen or fraudulently obtained EV certificates and WHCP accounts) to evade EDR and antivirus products, maintain persistence, and load secondary malicious drivers. The research covers more than 600 signed malicious drivers (2020–Q1 2025), highlights notable families (FiveSys, Netfilter, CopperStealer, POORTRY, Blackmoon/Hugo), documents overlapping signing infrastructure and underground EV/WHCP providers, and recommends stricter CA/WHCP verification and cross-industry collaboration to mitigate this sophisticated threat.
