HIDDENDRIVER
HiddenDriver is a modified Windows kernel rootkit derived from the open-source Hidden project. Elastic Security Labs and TAMUS observed it in a September 2025 intrusion cluster tracked as REF3927, attributed in reporting to a Chinese-speaking threat actor that exploited misconfigured Windows IIS/ASP.NET servers reusing publicly exposed ASP.NET machine keys to achieve ViewState deserialization-based code execution. After initial access, the actor deployed webshells, attempted account creation, used the legitimate GotoHTTP remote management tool for persistence, attempted credential dumping with Mimikatz, and attempted to deploy HiddenDriver to conceal malicious activity.
The malware consists of a kernel driver referred to as HIDDENDRIVER and a userland controller referred to as HIDDENCLI (HijackDriverManager). It is described as using Direct Kernel Object Manipulation (DKOM) to hide processes, and it reads its configuration from its own Windows service registry key, which the userland component populates. Reported capabilities include: registering kernel callbacks (ObRegisterCallbacks and PsSetCreateProcessNotifyRoutineEx) to protect or hide processes and to downgrade handle access to protected processes; registering file system minifilter callbacks (including IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL) to hide files and directories; registering a registry callback via CmRegisterCallbackEx to hide registry keys and values by returning STATUS_NOT_FOUND; and exposing IOCTL commands to enable or disable functionality and to add or remove hidden objects and process rules.
The intrusion cluster in which HiddenDriver was observed also involved attempted deployment of the TOLLBOOTH IIS backdoor for SEO cloaking and webshell access. Detection content published in October 2025 also references YARA coverage for HiddenDriver as a Windows malware family. No standalone IOCs specific to HiddenDriver beyond its naming, derivation from Hidden, and associated component name HIDDENCLI are provided in the source content.
Groups observed using it
1 distinct threat actor attributed by public researchers.
...deploy HIDDENDRIVER, a modified version of the open source rootkit Hidden, to conceal the presence of malicious payloads...
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Modified rootkit used to hide malicious payloads and artifacts on compromised machines.
A modified kernel-mode rootkit derived from the open-source 'Hidden' project. Uses DKOM and kernel callbacks/minifilters/registry callbacks to hide processes, files/directories, and registry artifacts; protects selected processes by downgrading handle access; and exposes an IOCTL interface for a userland controller to manage hiding/protection rules and enable/disable functionality.
Windows trojan identified by unique byte patterns and strings associated with its execution and functionality.