TrueSightKiller
TrueSightKiller is an EDR/AV-killer tool used for defense evasion via a Bring Your Own Vulnerable Driver (BYOVD) technique. It abuses a vulnerable driver named truesight.sys. In one reported Silver Fox intrusion chain the BYOVD stage loaded the TrueSightKiller driver under the name 189atohci.sys and issued DeviceIoControl requests with IOCTL 0x22e044 to terminate antivirus processes; because the driver was renamed, detections keyed only on the original filename would have missed it. The tool's executable has been identified in incident reporting as TRUESIGHTKILLER.EXE and classified as W32.Riskware.Killav.

Reporting describes TrueSightKiller as a popular BYOVD tool frequently used by attackers to disable endpoint security products before follow-on activity. It has been associated with DragonForce intrusion activity in an August 2024 UK incident involving RDP-based initial access, and with Silver Fox (also known as Void Arachne / The Great Thief of Valley) campaigns targeting healthcare and public sector organizations, including attacks using trojanized medical imaging software such as Philips DICOM viewers. In those Silver Fox campaigns, TrueSightKiller was deployed after initial payload retrieval and reconnaissance to neutralize security tools before delivery of ValleyRAT/Winos 4.0 and additional payloads such as keyloggers and cryptocurrency miners. Broader reporting places TrueSightKiller among commonly used BYOVD tools alongside GhostDriver, AuKill, Poortry, Gmer, and Warp AVKiller.
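The following is an added example written for this page; it is not code from the tool or from any of the cited reports. It does two things a practitioner usually wants when a report names an IOCTL and a renamed driver: it splits the reported control code 0x22e044 into its CTL_CODE fields (Microsoft's documented DeviceType/Access/Function/Method layout), and it runs a simple hunt over driver-load telemetry for the two driver filenames the reporting names (truesight.sys and the renamed 189atohci.sys) plus the generic signal of a driver loading from outside the system drivers directory. The event lines, timestamps and paths are constructed for the example and follow a flattened Sysmon Event ID 6 (DriverLoad) field layout; they are not observed indicators.

```python
"""Added example (not from the page, the tool, or the cited reports):
decode the TrueSightKiller IOCTL and hunt driver-load events for the
driver names in reporting. All event data below is constructed."""
import re

# Windows CTL_CODE layout (public ntddk.h macro):
#   DeviceType << 16 | Access << 14 | Function << 2 | Method
FILE_DEVICE_UNKNOWN = 0x22
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

TRUESIGHTKILLER_IOCTL = 0x22E044  # control code named in the Silver Fox reporting


def decode_ioctl(code: int) -> dict:
    """Split a DeviceIoControl code into its CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Rebuild a control code from its fields (the CTL_CODE macro)."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Driver filenames named in reporting: the original vulnerable driver and the
# renamed copy from the Silver Fox chain. Name matching alone is weak (the
# renamed copy proves it); add file hashes from your own IOC feed in practice.
KNOWN_DRIVER_NAMES = {"truesight.sys", "189atohci.sys"}
EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to one line each.
SAMPLE_EVENTS = [
    "UtcTime: 2024-08-12 09:14:03.117, ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys, "
    "Signed: true, SignatureStatus: Valid",
    "UtcTime: 2024-08-12 09:15:41.902, ImageLoaded: C:\\Users\\Public\\189atohci.sys, "
    "Signed: true, SignatureStatus: Valid",
    "UtcTime: 2024-08-12 09:16:02.330, ImageLoaded: C:\\ProgramData\\tsk\\truesight.sys, "
    "Signed: true, SignatureStatus: Valid",
    "UtcTime: 2024-08-12 09:17:10.001, ImageLoaded: C:\\Windows\\Temp\\upd.sys, "
    "Signed: false, SignatureStatus: Unavailable",
]

# "Field: value" pairs separated by ", "; the lookahead stops a value at the next field name.
FIELD_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")


def parse_event(line: str) -> dict:
    """Turn a flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def hunt_driver_loads(lines) -> list:
    """Return one finding per suspicious driver load, with the reasons it fired."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in KNOWN_DRIVER_NAMES:
            reasons.append("known TrueSightKiller driver name")
        if not path.lower().startswith(EXPECTED_DRIVER_DIR + "\\"):
            reasons.append("driver loaded from non-standard directory")
        if reasons:
            findings.append({"time": ev.get("UtcTime"), "image": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(decode_ioctl(TRUESIGHTKILLER_IOCTL))
    for finding in hunt_driver_loads(SAMPLE_EVENTS):
        print(finding)
```

The decoded fields (device type FILE_DEVICE_UNKNOWN, function 0x811, METHOD_BUFFERED, read/write access) are what you would use to write a driver-analysis breakpoint or an ETW/minifilter rule on the control code rather than on the filename; the hunt shows why both a name list and a path heuristic are needed, since the renamed driver trips only the latter if the name list is stale.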
Groups observed using it
1 distinct threat actor attributed by public researchers.
The second stage focuses on disabling endpoint security through a Bring Your Own Vulnerable Driver (BYOVD) attack, loading the TrueSightKiller driver (189atohci.sys) to terminate antivirus processes using DeviceIoControl with IOCTL 0x22e044.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation: 1 technique
Stealth: 1 technique
Defense Impairment: 1 technique
Recent activity
10 sources tracked across advisories, community write-ups, and news.
BYOVD-associated defense-evasion tool referenced as commonly used by ransomware groups to disable security products prior to encryption.
A BYOVD tool that abuses the vulnerable truesight.sys driver.
Toolset abusing a Windows driver-signing loophole (pre-2015 signed drivers) to terminate/disable security products; large variant volume and high AV evasion reported; used by multiple actors including ransomware groups and APTs.
A malicious driver used to terminate antivirus processes and facilitate further malware execution.