Vulnerabilities | Apr 7, 2026
We have found 2 WHQL-signed kernel drivers exposing arbitrary code execution via IOCTL on \Device...
Two WHQL-signed Windows kernel drivers found with an arbitrary code execution vulnerability reachable via IOCTL.
Summary
Security researchers discovered two legitimately WHQL-signed Windows kernel drivers that expose an arbitrary code execution primitive through crafted IOCTL requests, allowing a Ring 3 (user-mode) process that can open the device object to run Ring 0 (kernel-mode) code. Both samples show zero VirusTotal detections and were submitted from China, suggesting potential use in targeted attacks or supply chain compromise; the submission location alone does not establish who built or used the drivers. The security-relevant point is that nothing is broken about the signatures: Driver Signature Enforcement accepts the drivers, and they load on HVCI-enabled systems unless their hashes or signer are on Microsoft's vulnerable driver blocklist, which is exactly what makes such drivers useful for bring-your-own-vulnerable-driver (BYOVD) attacks. Loading a driver still requires administrator rights, so the practical impact is admin-to-kernel privilege escalation, enough to disable EDR, PPL and other kernel-enforced protections, rather than a cross-user boundary bypass. A zero detection count says only that no engine flags the files, not that they are safe; defenders should check whether the blocklist (and the "Block abuse of exploited vulnerable signed drivers" attack surface reduction rule) covers them and baseline which WHQL-signed drivers their fleet normally loads.
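The baseline check described above, as an added example that is not code from this page or from the researchers who reported the drivers: it parses Sysmon Event ID 6 (DriverLoad) message bodies and flags loads that are on a vulnerable-driver blocklist, loaded from outside the normal driver directories, or WHQL-signed but never seen before. The log records, the hashes, the baseline set and the blocklist entry are all constructed for the example; the real drivers' hashes are not on the page, and a deployment would populate the blocklist from Microsoft's recommended driver block rules and the baseline from a driver inventory.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for signed-driver abuse.

Added example; not code from the page or from the researchers who found the
two drivers. All records, hashes, the baseline and the blocklist entry below
are constructed.
"""
import re
from dataclasses import dataclass

# Signer name Sysmon reports for drivers carrying Microsoft's WHQL co-signature.
WHQL_SIGNER = "Microsoft Windows Hardware Compatibility Publisher"

# Locations Windows normally loads drivers from; anything else is worth a look.
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\",
                 "c:\\windows\\system32\\driverstore\\")

# Constructed stand-in for the vulnerable-driver blocklist (SHA256 -> note).
BLOCKLIST_SHA256 = {"c3" * 32: "constructed placeholder entry"}

# Constructed baseline of driver hashes already inventoried on the fleet.
KNOWN_GOOD_SHA256 = {"a1" * 32}


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str
    status: str


def parse_sysmon6(record: str) -> DriverLoad:
    """Parse the 'Field: value' lines of one Event ID 6 message body."""
    fields = dict(re.findall(r"^(\w+): (.*)$", record, re.M))
    hashes = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields["Signed"].lower() == "true",
        signature=fields["Signature"],
        status=fields["SignatureStatus"],
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the reasons a driver load deserves attention (empty = none)."""
    reasons = []
    if load.sha256 in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not load.signed or load.status != "Valid":
        reasons.append("unsigned or signature not valid")
    if not load.image.lower().startswith(EXPECTED_DIRS):
        reasons.append("loaded from outside the driver directories")
    # A valid WHQL signature is exactly what a BYOVD payload relies on, so a
    # never-before-seen WHQL-signed driver is a finding, not a pass.
    if load.signature == WHQL_SIGNER and load.sha256 not in KNOWN_GOOD_SHA256:
        reasons.append("WHQL-signed driver not in baseline")
    return reasons


def triage(records: list[str]) -> dict[str, list[str]]:
    """Map each flagged ImageLoaded path to its reasons; clean loads are omitted."""
    out = {}
    for rec in records:
        load = parse_sysmon6(rec)
        reasons = assess(load)
        if reasons:
            out[load.image] = reasons
    return out


# Constructed Event ID 6 message bodies in Sysmon's text layout.
SAMPLE_RECORDS = [
    f"""Driver loaded:
RuleName: -
UtcTime: 2026-04-07 09:12:01.000
ImageLoaded: C:\\Windows\\System32\\drivers\\example_gpu.sys
Hashes: SHA256={'a1' * 32}
Signed: true
Signature: {WHQL_SIGNER}
SignatureStatus: Valid""",
    f"""Driver loaded:
RuleName: -
UtcTime: 2026-04-07 09:13:45.000
ImageLoaded: C:\\Users\\Public\\drv.sys
Hashes: SHA256={'b2' * 32}
Signed: true
Signature: {WHQL_SIGNER}
SignatureStatus: Valid""",
    f"""Driver loaded:
RuleName: -
UtcTime: 2026-04-07 09:14:10.000
ImageLoaded: C:\\Windows\\System32\\drivers\\oldtool.sys
Hashes: SHA256={'c3' * 32}
Signed: true
Signature: Some Hardware Vendor Ltd
SignatureStatus: Valid""",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_RECORDS).items():
        print(image, "->", "; ".join(reasons))
```

The WHQL check is deliberately a "not in baseline" test rather than a "signed by Microsoft, therefore fine" test: the drivers on this page would pass every signature check, so the only signal left is that a host started loading a WHQL-signed binary the fleet had never loaded before.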
Indicators of Compromise
- malware — Guru8906 kernel driver
Entities
- Windows kernel drivers (technology)
- WHQL (Windows Hardware Quality Labs) (technology)