PoisonX
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In this attack, we confirmed that a kernel driver called "PoisonX" and "10FXRAT" (alias: PoisonX RAT), which has remote-control functionality, were abused.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
LAC WATCH report published 2026-06-04 describing a spearphishing campaign against organizations in Japan and China that chains a malicious LNK downloader into the PoisonX BYOVD driver, a PXDropper component, and the 10FXRAT remote-access trojan.
The attack starts from a spearphishing email; the victim is made to download a malicious file from a Google Cloud Storage link written in the email body.
Execution
5 techniques
SHELL_EXEC: runs cmd.exe /c via ShellExecThread; argument: command (string)
The main purposes of using this device interface are disabling security products (IOCTL 0x22E010) and hiding the malware's own process and network communications (IOCTL 0x22E008).
The malicious VERSION.dll decodes its own embedded strings with XOR 0x7a, then reads scheduler.cache, rolling-XOR-decodes it, manual-maps it into memory, and calls its entrypoint.
It registers services under the names "WinHealthSvc" and "Windows Diagnostics Service"... Writes the decrypted driver to disk as a .sys file named EneTmp*. Creates and starts the service via the SCM.
Persistence
3 techniques
Disables VulnerableDriverBlocklistEnable under SYSTEM\CurrentControlSet\Control\CI\Config (REG_DWORD 0).
It then registers it as a Windows service under the same name as the file and starts that service. ... It writes the file to the persistence directory under the name "DevCfgCC.sys" and registers it with the system as a service so that it is loaded automatically at OS boot.
Privilege Escalation
3 techniques
LAC WATCH report describing a spearphishing campaign against organizations in Japan and China that chains a malicious LNK downloader into the PoisonX BYOVD driver
It then registers it as a Windows service under the same name as the file and starts that service. ... It writes the file to the persistence directory under the name "DevCfgCC.sys" and registers it with the system as a service so that it is loaded automatically at OS boot.
Stealth
10 techniques
Parses ntoskrnl.exe exports for PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine, and PsSetLoadImageNotifyRoutine... writes zeros over matching callback entries
It decrypts the encrypted 10FXRAT-related files hard-coded inside the malware... using incremental XOR.
StartPayload resolves APIs dynamically, initializes direct syscall helpers, binds Winsock, and loads any cached plugins from disk.
On receiving this, the driver hooks Windows kernel APIs and legitimate network-monitoring drivers (such as \Driver\nsiproxy and \Device\Tcp) and excludes the process information and communication records of the specified PID from the system. This lets it erase its own presence from the OS process list and hide its process and its malicious communication with the C2 server from Task Manager, EDR, and other system-monitoring tools.
After decryption the plugin is loaded from memory as a reflective DLL and the decrypted copy is zeroed before freeing.
The signed host side-loads the attacker's DLL, which decrypts the bundled cache to stage the driver and RAT.
BYOVD: embedded driver and callback removal... Uses the driver's physical memory map IOCTL (0x80102040) to map kernel pages and writes zeros over matching callback entries... The effect is that the security products' kernel callbacks are silently removed.
System-wide and user-level mutexes (Global\SysMtx_51FB4B7B, Global\UsrMtx_EAB7CD0B) prevent multiple instances.
When dashost.exe runs, Windows loads the local VERSION.dll through standard DLL search-order hijacking.
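A defender-side triage check, added here as an example and not part of this page or of any vendor rule set: it runs over constructed Sysmon-style events and flags the registry tampering, service names, driver file names and dashost.exe/VERSION.dll sideload described in the Execution, Persistence and Stealth entries above. The event schema, sample values and function names are assumptions made for the example.

```python
import fnmatch

# Indicators taken from this page's technique entries; names below are this example's own.
SUSPICIOUS_SERVICE_NAMES = {"winhealthsvc", "windows diagnostics service", "devcfgcc"}
DRIVER_FILE_PATTERNS = ("enetmp*.sys", "devcfgcc.sys")
BLOCKLIST_VALUE = r"\control\ci\config\vulnerabledriverblocklistenable"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return finding names for one Sysmon-style event dict (constructed schema)."""
    findings = []
    kind = event["type"]
    if kind == "registry_set":
        # Sysmon event 13 renders a DWORD value as 'DWORD (0x00000000)'.
        if event["target"].lower().endswith(BLOCKLIST_VALUE) and event["details"] == "DWORD (0x00000000)":
            findings.append("driver_blocklist_disabled")
    elif kind == "service_install":
        if event["service"].lower() in SUSPICIOUS_SERVICE_NAMES:
            findings.append("poisonx_service_name")
        if any(fnmatch.fnmatch(basename(event["image"]), p) for p in DRIVER_FILE_PATTERNS):
            findings.append("poisonx_driver_filename")
    elif kind == "image_load":
        host_exe = basename(event["image"])
        loaded = event["loaded"].lower()
        # VERSION.dll normally comes from System32; a copy next to dashost.exe is the sideload.
        if host_exe == "dashost.exe" and basename(loaded) == "version.dll" and not any(d in loaded for d in SYSTEM_DIRS):
            findings.append("dashost_version_dll_sideload")
    return findings

def hunt(events):
    """Flatten findings across a batch of events as (host, finding) tuples."""
    return [(e["host"], f) for e in events for f in classify(e)]

# Constructed sample telemetry for the example, not real logs.
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws01", "image": r"C:\Users\a\AppData\Roaming\Sys\dashost.exe",
     "loaded": r"C:\Users\a\AppData\Roaming\Sys\VERSION.dll"},
    {"type": "image_load", "host": "ws02", "image": r"C:\Windows\System32\dashost.exe",
     "loaded": r"C:\Windows\System32\VERSION.dll"},
    {"type": "registry_set", "host": "ws01",
     "target": r"HKLM\System\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable",
     "details": "DWORD (0x00000000)"},
    {"type": "service_install", "host": "ws01", "service": "WinHealthSvc",
     "image": r"C:\Windows\Temp\EneTmp7f3a.sys"},
]
```

Only the first, third and fourth sample events fire; the System32 load of VERSION.dll by dashost.exe is the normal case and stays quiet.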
Defense Impairment
1 technique
Discovery
7 techniques
GET_NET_CONNECTIONS: GetExtendedTcpTable/UdpTable; arguments: none
System-wide and user-level mutexes (Global\SysMtx_51FB4B7B, Global\UsrMtx_EAB7CD0B) prevent multiple instances.
GET_SOFTWARE_LIST: installed software (Uninstall key); arguments: none
Collection
1 technique
Screen capture is built into the core, not plugin-dependent. It uses GDI/GDI+ to capture the selected display as JPEG.
Command and Control
3 techniques
It is the command-and-control layer with a custom protocol over raw TCP.
SOCKS tunnelling is multiplexed over the existing RAT C2 connection... It calls getaddrinfo, creates a socket with a 10 second timeout, and connects directly from the infected host.
Encrypted plugins arrive as packet type 0x21 and are parsed by ParseAndLoadPayload.
Impact
1 technique
Other
1 technique
IOCs tracked for this family
53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Abused as a legitimately Microsoft-signed kernel driver: through a BYOVD attack it obtains kernel privileges, terminates security-product processes, and hides target processes and network communications.
A Windows malware chain delivered via DLL sideloading that installs persistence, tampers with Microsoft Defender, deploys a vulnerable driver for BYOVD-based kernel callback removal, and then loads a RAT core that communicates over raw TCP using a custom 10FX protocol. The RAT supports shell execution, process and service control, screen capture, SOCKS5 tunneling, self-update, C2 reconfiguration, and reflective plugin loading.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.