Hidden

Hidden is an open-source Windows kernel-mode rootkit project that has been used directly and as the basis for modified rootkit drivers in multiple campaigns. Reported capabilities include stealth functions such as hiding malware-related processes and Windows Registry keys. In Check Point Research analysis of ValleyRAT/Winos/Winos4.0, the embedded 64-bit driver was described as based on the publicly available Hidden project and substantially modified for modern Windows compatibility. Those modifications included added UMInjection, ForceDeleteFile, and SetDriverStartType_SystemStart functionality, while process-hiding code was removed due to BSOD risk. The ValleyRAT-associated driver plugin installs the driver as a kernel service named "kernelquick" under HKLM\SYSTEM\CurrentControlSet\Services\kernelquick, supports normal and stealth installation, object hiding/protection, force deletion of files, and user-mode shellcode injection via IOCTLs. The rootkit stores operator-provided shellcode in HKLM\SOFTWARE\IpDates and performs APC-based injection into dwm.exe by default or into an arbitrary PID. Check Point reported the driver was signed with expired certificates and in some cases could load on fully updated Windows 11 systems by abusing legacy driver-signing policy exceptions; several variants were reportedly not properly detected by Microsoft Defender and were absent from the Microsoft Vulnerable Driver Blocklist at the time of analysis. Separately, Hidden was reported by Netskope and others as being deployed by the China-linked Silver Fox (Void Arachne) group alongside Sainbox RAT via fake software websites advertising WPS Office, Sogou, and DeepSeek to target Chinese-speaking Windows users. In that campaign, malicious Chinese-language MSI installers used DLL sideloading through shine.exe and a rogue libcef.dll, with shellcode extracted from 1.txt and a payload whose .data section could contain a PE binary executed as a rootkit driver.