win.netfilter

NetfilterRootkit


NetfilterRootkit is a Windows Filtering Platform (WFP) application layer enforcement callout driver that was signed by Microsoft via the Windows Hardware Compatibility Program. It was first discovered by Karsten Hahn, whose team submitted the malware to Microsoft, which allowed Microsoft to start an investigation.

After Karsten Hahn published tweets and an article about the rootkit, Microsoft quickly responded with their own article. Their investigation revealed Chinese gamers as the targets of the malware. The rootkit redirects traffic to the threat actor's IP address. The threat actor can use the driver to spoof their geo-location in order to cheat, but it also allows compromise of the targeted players' accounts.

While this particular rootkit is no longer significant, similar rootkits have been created since that are also signed by Microsoft via the Windows Hardware Compatibility Program.

References

2022-05-01, BushidoToken (BushidoToken): Gamer Cheater Hacker Spy. Families: Egregor, HelloKitty, NetfilterRootkit, RagnarLocker, Winnti.
2021-10-21, Bitdefender (Bitdefender): Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions. Families: NetfilterRootkit.
2021-08-10, Intezer (Giancarlo Lezama): Fast Insights for a Microsoft-Signed Netfilter Rootkit. Families: NetfilterRootkit.
2021-07-29, 360 Total Security (kate): "Netfilter Rootkit II" Continues to Hold WHQL Signatures. Families: NetfilterRootkit.
2021-06-28, Vice Motherboard (Lorenzo Franceschi-Bicchierai): Hackers Tricked Microsoft Into Certifying Malware That Could Spy on Users. Families: NetfilterRootkit.
2021-06-25, Gdata (Florian Roth, Johann Aydinbas, Karsten Hahn, Takahiro Haruyama): Microsoft signed a malicious Netfilter rootkit. Families: NetfilterRootkit.
2021-06-25, Microsoft (MSRC Team): Investigating and Mitigating Malicious Drivers. Families: NetfilterRootkit.

There is no YARA signature yet.