Malware | May 28, 2026

We identified a WHQL-signed kernel driver keylogger, likely deployed as an anti-cheat BYOVD SHA2...

WHQL-signed kernel driver keylogger discovered, likely deployed via BYOVD anti-cheat abuse.

Summary

Security researchers identified a Windows Hardware Quality Labs (WHQL)-signed kernel driver that functions as a keylogger and was apparently loaded through the Bring Your Own Vulnerable Driver (BYOVD) technique under the guise of anti-cheat software. The driver, signed by Xryus Technologies, uses stealth techniques including API hashing and XOR string obfuscation to hinder static analysis. Because the driver carries a legitimate WHQL signature, it loads with kernel privileges on a default Windows configuration, which makes this a privilege escalation attack that exploits the trusted driver signing mechanism rather than a flaw in the operating system itself.

Indicators of Compromise

  • SHA-256 hash: bb1b4e46f1e4a7f17b1b04ee08c33400b2b6fd2327612a4d84da81e2656ba48b
  • Malware: WHQL-signed kernel keylogger

Entities

  • Xryus Technologies (vendor)
  • BYOVD (Bring Your Own Vulnerable Driver) (technology)
  • WHQL (Windows Hardware Quality Labs) (technology)