July 7, 2025
Severity
High
Analysis Summary
Cybercriminals are increasingly abusing Microsoft's Windows driver-signing processes to deploy stealthy kernel-level malware, exploiting legitimate certification paths like the Windows Hardware Compatibility Program (WHCP) and Extended Validation (EV) certificates. Since 2020, researchers have uncovered over 620 malicious drivers, 80+ compromised certificates, and 60+ WHCP accounts linked to threat actor operations. These campaigns leverage fraudulent business registrations to acquire legitimate EV certificates, enabling them to bypass traditional security measures and gain deep system control. A booming underground economy now exists where EV certificates are sold for $2,000 to $6,500, with vendors delivering freshly issued certificates in just a few days using fake company identities.
The technical sophistication of these attacks has escalated, with modern kernel loaders now acting as stealthy first-stage malware that can load additional unsigned drivers or other components through reflective loading. Examples include the Hugo driver used by the Blackmoon banking trojan and the POORTRY malware family, which has evolved from disabling endpoint detection tools to wiping security software entirely. Ransomware groups such as LockBit, BlackCat, and Cuba have adopted POORTRY, showcasing a more aggressive approach to system compromise and defense evasion at the kernel level.
Research indicates a notable concentration of activity from Chinese threat actors, with most compromised certificates and WHCP accounts linked to Chinese companies. Campaigns such as those leveraging the FiveSys rootkit have been particularly active in China’s gaming sector, even while retaining Microsoft-issued digital signatures. Metadata and infrastructure analysis suggest a collaborative ecosystem among different threat groups, sharing tools, infrastructure, and signing methods, pointing to a deeper and more organized malicious supply chain.
While Microsoft has responded by revoking certificates, blocking vulnerable drivers, and suspending developer accounts, the persistence and scale of these attacks highlight fundamental weaknesses in the driver-signing ecosystem. The shift toward fraudulently obtained, freshly issued EV certificates makes detection more difficult than traditional certificate theft. Security experts call for stricter validation procedures, such as physical verification for EV issuance, to curb abuse. The findings expose critical gaps in trust-based mechanisms and underscore the urgent need for more robust defenses in code-signing and kernel security.
Impact
- Security Bypass
- Gain Access
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Strengthen EV certificate issuance by requiring physical verification of company identity to prevent abuse via fake business registrations.
- Implement stricter validation checks in the Windows Hardware Compatibility Program (WHCP) to detect and reject fraudulent submissions.
- Enhance monitoring and auditing of signed drivers to identify anomalous behavior and revoke certificates linked to malicious activity.
- Expand and regularly update Microsoft’s Vulnerable Driver Blocklist, ensuring all known malicious and suspicious drivers are included.
- Revoke compromised certificates immediately and suspend developer accounts associated with malicious driver activity.
- Encourage organizations to enable Hypervisor-Protected Code Integrity (HVCI) and Secure Boot to block unsigned and untrusted drivers.
- Promote the use of Device Guard or Application Control policies to restrict driver installation to only explicitly trusted sources.
- Improve telemetry sharing between certificate authorities, OS vendors, and cybersecurity firms to rapidly detect and respond to abuse.
- Conduct regular security audits of driver development practices within organizations to ensure integrity in the signing and submission process.
- Encourage industry collaboration to monitor underground markets for newly issued or stolen certificates being offered for sale.
- Educate developers and vendors on secure driver development and proper signing procedures to minimize unintentional exposure.
- Advocate for regulatory oversight or independent review mechanisms to verify the legitimacy of companies requesting EV certificates.
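As an added example that is not part of this advisory or the research it summarizes, the following PowerShell audit covers two of the recommendations above: it lists running kernel drivers whose Authenticode status is not valid or whose signing certificate was issued only recently (the freshly issued EV certificate pattern described in the analysis), and reports whether HVCI is active. It assumes an elevated PowerShell session on Windows 10/11; the 90-day threshold and the helper name Resolve-DriverPath are arbitrary choices for this example.

```powershell
# Added example (not from the advisory): audit running kernel drivers for
# recently issued signing certificates and report HVCI status.
# Assumptions: run as Administrator; $MaxCertAgeDays is an arbitrary threshold.
param([int]$MaxCertAgeDays = 90)

# Win32_SystemDriver reports paths with \??\ or \SystemRoot\ prefixes; normalise them.
function Resolve-DriverPath([string]$Path) {
    $p = $Path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -and -not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path "$env:SystemRoot\System32" $p
    }
    return $p
}

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
    $file = Resolve-DriverPath $drv.PathName
    if (-not ($file -and (Test-Path $file))) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $file   # handles catalog-signed in-box drivers too
    $cert = $sig.SignerCertificate
    $certAge = if ($cert) { (Get-Date) - $cert.NotBefore } else { $null }
    [pscustomobject]@{
        Driver     = $drv.Name
        Path       = $file
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($cert) { $cert.Subject } else { '' }
        CertIssued = if ($cert) { $cert.NotBefore } else { $null }
        # Flag unsigned/tampered images and signatures from very new certificates.
        # Caveat: WHCP-signed drivers carry Microsoft's publisher certificate, so the
        # age check only surfaces drivers signed directly with a vendor's EV certificate.
        Suspicious = ($sig.Status -ne 'Valid') -or
                     ($certAge -and $certAge.TotalDays -lt $MaxCertAgeDays)
    }
}

# HVCI status: SecurityServicesRunning contains 2 when Hypervisor-Protected Code
# Integrity is active (1 = Credential Guard).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

$findings | Where-Object Suspicious | Sort-Object CertIssued -Descending |
    Format-Table Driver, Status, Signer, CertIssued -AutoSize
"HVCI running: $hvciRunning"
```

Flagged entries are leads for review against the Vulnerable Driver Blocklist and the vendor's WHCP history, not verdicts; a newly issued certificate on a legitimate vendor's driver is common after routine renewal.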