TrueSightKiller is a C++ tool for disabling antivirus (AV) and endpoint detection and response (EDR) products on Windows by killing their processes. It is reported to work on Windows 11 23H2 even with Hypervisor-protected Code Integrity (HVCI), Windows Defender Application Control (WDAC) and the Microsoft vulnerable driver blocklist (the list the LOLDrivers project tracks) enabled: those controls block only the drivers they know about, and the signed driver it abuses was not caught by them.
How Does TrueSightKiller Work?
TrueSightKiller works by loading a vulnerable but legitimately signed Windows driver, truesight.sys, which ships with Adlice's RogueKiller Antirootkit suite. The driver must sit in the same directory as the tool's executable; on launch the tool installs it as a kernel driver service, which requires administrator rights. A menu then asks for a target process by PID or name, and the tool enters an infinite loop that terminates that process again and again, so a restarted instance is killed as soon as it appears.
The flaw it exploits is arbitrary process termination: the driver exposes an IOCTL (code 0x22E044) that terminates the process whose ID the caller supplies. Because the termination is carried out in the kernel on the driver's behalf, the protected-process checks that would stop a user-mode caller do not apply, so even Protected Process Light (PPL) processes such as AV/EDR services can be killed.
Pressing Ctrl+C stops the tool, which then deletes the driver service it installed.
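The load-and-kill sequence above leaves two durable traces: a kernel driver loaded from an arbitrary directory (it has to sit beside the tool's executable) and a signer that does not change from one driver copy to the next. The following is an added example, not code from TrueSightKiller, Adlice or any security vendor, that applies those checks to Sysmon Event ID 6 (DriverLoad) records constructed inline. The field names follow Sysmon's schema; the paths, hash values, the signer string "Adlice" as Sysmon would render it, and the watchlist entries are placeholders, not real indicators.

```python
"""Hunt driver loads that look like a BYOVD drop: added example, not from the tool or any vendor."""
from pathlib import PureWindowsPath

# Directories where a driver load is expected. The tool needs truesight.sys
# next to its own executable, which is almost never one of these.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Constructed watchlist. It keys on the signer, the original file name and the
# import hash, not on SHA-256: a variant with edited certificate padding gets a
# new SHA-256 but keeps its import table, so IMPHASH and the signer survive.
WATCHLIST = {
    "filename": {"truesight.sys"},
    "signer": {"adlice"},                                   # assumed subject string
    "imphash": {"11111111111111111111111111111111"},        # placeholder value
}

# Constructed Sysmon Event ID 6 records (field names per Sysmon, values invented).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64 + ",IMPHASH=" + "b" * 32,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\bob\Downloads\tsk\truesight.sys",
     "Hashes": "SHA256=" + "c" * 64 + ",IMPHASH=" + "1" * 32,
     "Signed": "true", "Signature": "Adlice", "SignatureStatus": "Valid"},
    # Same driver, renamed and with a different SHA-256 (a cert-padding variant).
    {"ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\ts.sys",
     "Hashes": "SHA256=" + "d" * 64 + ",IMPHASH=" + "1" * 32,
     "Signed": "true", "Signature": "Adlice", "SignatureStatus": "Valid"},
]

def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=..,IMPHASH=..' string into a lower-cased dict."""
    return {k.lower(): v.lower() for k, v in (p.split("=", 1) for p in field.split(","))}

def assess(event: dict) -> list:
    """Return the names of the rules a DriverLoad record trips, in rule order."""
    hits = []
    path = event["ImageLoaded"].lower()
    if not any(path.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS):
        hits.append("driver_outside_system_dirs")
    if PureWindowsPath(path).name in WATCHLIST["filename"]:
        hits.append("known_abused_driver_name")
    if any(s in event.get("Signature", "").lower() for s in WATCHLIST["signer"]):
        hits.append("known_abused_signer")
    if parse_hashes(event["Hashes"]).get("imphash") in WATCHLIST["imphash"]:
        hits.append("watchlisted_imphash")
    return hits

def hunt(events=SAMPLE_EVENTS) -> dict:
    """Map each loaded image path to the rules it tripped."""
    return {e["ImageLoaded"]: assess(e) for e in events}

if __name__ == "__main__":
    for path, hits in hunt().items():
        print(f"{'ALERT' if hits else 'ok   '} {path}  {', '.join(hits)}")
```

The third record is the one worth noticing: renaming the file and changing its SHA-256 defeats the name and hash rules, but the path, the signer and the import hash still match. SignatureStatus is "Valid" for all three, which is exactly why a valid signature on its own says nothing here.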
Security Impact and Exploitation
TrueSightKiller belongs to the Bring Your Own Vulnerable Driver (BYOVD) class of attacks: an attacker who already holds administrator rights installs a legitimate, signed but vulnerable driver and uses its flaws to act with kernel privileges, typically to blind or kill security software. It is a post-compromise step, not an initial-access technique. truesight.sys versions before 3.4.0, the 2.0.2 build in particular, let a user-mode caller terminate arbitrary processes through the driver, and this has been widely exploited in the wild.
Attackers have generated thousands of unique variants of the driver to evade hash-based detection and blocklists. The edits land in parts of the file that the Authenticode signature does not cover (the signature hashes the headers minus the CheckSum field and the Security directory entry, the section data, and any trailing data minus the certificate table itself), so every variant has a new file hash yet still passes signature validation. Blocking by raw file hash therefore chases a moving target; blocking by signer, by file name and version range, or by Authenticode hash, which WDAC hash rules use for PE files, holds across variants.
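How a variant keeps its signature while its hash changes, as an added example (not code from TrueSightKiller, Adlice or Microsoft): the block below builds a small constructed PE32+ image in memory, computes its plain SHA-256 and its Authenticode hash following the Windows Authenticode PE specification, then edits slack bytes at the end of the certificate table and, separately, one byte of code. It assumes the in-the-wild variants differ in bytes the signature does not cover, which is the only way the signature can survive; the page does not say exactly which bytes were changed, and the certificate blob here is a placeholder string, not a real signature.

```python
"""Authenticode (PE image) hash vs. plain file hash: added example, not code from TrueSightKiller, Adlice or Microsoft."""
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the way Authenticode verification does.

    Skipped: the CheckSum field, the Security data-directory entry and the
    attribute certificate table. Everything else (headers, section raw data
    in file order, other trailing data) is covered by the signature.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    secdir_off = opt + (112 if magic == 0x20B else 96) + 4 * 8  # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)  # file offset, not an RVA

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:size_of_headers])
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + size_opt + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):  # ascending PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    tail = pe[hashed:]  # data after the last section, minus the certificate table
    if cert_size and cert_off >= hashed:
        rel = cert_off - hashed
        tail = tail[:rel] + tail[rel + cert_size:]
    h.update(tail)
    return h.hexdigest()

def build_pe(code: bytes, cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ with one .text section and one certificate entry (sample data, not a real driver)."""
    FILE_ALIGN = 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, 1 section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)             # SectionAlignment, FileAlignment
    struct.pack_into("<III", opt, 56, 0x2000, FILE_ALIGN, 0)         # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<H", opt, 68, 1)                               # Subsystem: native (kernel driver)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    text_raw = code.ljust(FILE_ALIGN, b"\0")
    body = struct.pack("<HH", 0x0200, 0x0002) + cert_blob            # WIN_CERTIFICATE: revision 2, PKCS#7 type
    total = (4 + len(body) + 7) // 8 * 8                             # entries are 8-byte aligned
    cert_entry = (struct.pack("<I", total) + body).ljust(total, b"\0")
    struct.pack_into("<II", opt, 144, FILE_ALIGN + len(text_raw), total)  # Security directory: offset, size
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(text_raw), FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(FILE_ALIGN, b"\0")
    return bytes(headers + text_raw + cert_entry)

def both_hashes(pe: bytes) -> tuple:
    """(SHA-256 of the whole file, Authenticode SHA-256)."""
    return hashlib.sha256(pe).hexdigest(), authenticode_hash(pe)

def variant_demo() -> dict:
    """Reproduce the variant trick on the constructed image and return the hash pairs."""
    code = b"\x48\x31\xc0\xc3"                                       # stand-in driver code: xor eax,eax; ret
    blob = b"<stand-in for the PKCS#7 SignedData>" + b"\0" * 16      # constructed, followed by slack bytes
    base = build_pe(code, blob)
    cert_off, cert_size = struct.unpack_from("<II", base, 64 + 4 + 20 + 144)
    # Variant A: rewrite slack bytes at the end of the certificate table. The verifier
    # never hashes them, so the signature stays valid while the file hash changes.
    va = bytearray(base)
    va[cert_off + cert_size - 8:cert_off + cert_size] = b"\xde\xad\xbe\xef" * 2
    # Variant B: patch one byte of .text (raw data starts at SizeOfHeaders = 512);
    # this the signature must catch.
    vb = bytearray(base)
    vb[512] ^= 0x01
    return {"base": both_hashes(base),
            "cert_slack": both_hashes(bytes(va)),
            "code_patch": both_hashes(bytes(vb))}

if __name__ == "__main__":
    for name, (file_hash, auth_hash) in variant_demo().items():
        print(f"{name:10s} sha256={file_hash[:16]}... authenticode={auth_hash[:16]}...")
```

Run it and the base image and the certificate-slack variant print identical Authenticode hashes with different SHA-256 values, while the code patch changes both. That is the whole mechanism behind the variant flood: a blocklist keyed on raw file hash has to be updated for every copy, whereas one keyed on the Authenticode hash, the signer, or file name and version range does not.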
TrueSightKiller and similar tools have been used to clear the way for payloads such as Gh0st RAT and ransomware, usually as a later stage of intrusions that begin with phishing or malicious downloads.