Security researchers at Sophos, Trend Micro and Cisco informed Microsoft about malware in signed drivers in February 2023. The researchers discovered that drivers “certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity”.
The researchers identified 133 different drivers, most of them certified, that had been submitted through multiple developer accounts, and reported their findings to Microsoft. According to Sophos, some of the signed drivers date back to April 2021.
Microsoft is blocking the malicious drivers and has closed the responsible developer accounts. The drivers have been added to the Windows Driver.STL revocation list, which prevents them from being loaded on Windows devices. The revocation list ships with Windows and is updated regularly through Windows Update. Microsoft notes that the list is not part of Windows and that it cannot be disabled, removed or manipulated.