
FiveSys Domain Malware uses Microsoft WHQL signature for legitimacy


Threat actors often look for ways to legitimize their attacks: to make their malware appear genuine so that it deceives unwitting victims. Even a small measure of apparent legitimacy gives malware a better chance of fooling people. That is what makes the new “FiveSys” malware dangerous: it carries a digital signature from Microsoft.

No, Microsoft is not embarking on parallel cyber attacks. What actually happened is that the group behind the malware managed to obtain a WHQL certification signature from Microsoft.

Bitdefender reports that FiveSys is a malicious rootkit driver carrying Windows Hardware Quality Labs (WHQL) certification. Microsoft grants this certification to driver packages after spending time verifying that they are secure, as part of the Windows Hardware Compatibility Program (WHCP).


It is not known how the threat actors were able to obtain the certification. What is known is that the rootkit redirects the infected machine's online traffic through a proxy, chosen from a list of 300 potential domains.

“Redirection works for both HTTP and HTTPS; the rootkit installs a custom root certificate for HTTPS redirection to work. In this way, the browser does not warn of the unknown identity of the proxy server”, Bitdefender explains.
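A custom root certificate in the machine-wide Trusted Root store is what lets a proxy intercept HTTPS without a browser warning, so one practical check is to compare that store against a baseline taken on a known-clean host. The script below is an added example written for this article, not code from Bitdefender or from the rootkit analysis; the baseline path is a placeholder and the baseline file must be created with `-WriteBaseline` before the comparison run.

```powershell
# Added example: snapshot the LocalMachine Trusted Root store and report roots
# that are absent from a previously saved baseline. Not from the original article.
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.xml",  # placeholder path
    [switch]$WriteBaseline
)

function Get-RootStoreSnapshot {
    # Each entry is one certificate in the machine-wide Trusted Root store.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter
}

$current = Get-RootStoreSnapshot

if ($WriteBaseline) {
    # Run this once on a host you trust; the file is the reference for later diffs.
    $current | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline written: $($current.Count) roots -> $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -WriteBaseline on a known-clean host first."
}

$baseline = Import-Clixml -Path $BaselinePath
$known = @{}
foreach ($c in $baseline) { $known[$c.Thumbprint] = $true }

# Roots present now but missing from the baseline are the ones worth reviewing.
$added = $current | Where-Object { -not $known.ContainsKey($_.Thumbprint) }

if (-not $added) {
    Write-Host "No roots added since baseline."
    return
}

foreach ($c in $added) {
    # Subject equal to Issuer means self-signed. Genuine CA roots are self-signed
    # too, so the signal here is "new since baseline", not self-signedness alone.
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        SelfSigned = ($c.Subject -eq $c.Issuer)
        NotBefore  = $c.NotBefore
        NotAfter   = $c.NotAfter
    }
}
```

Windows Update can legitimately add roots over time, so treat each reported entry as something to verify against the Microsoft Trusted Root Program rather than as proof of compromise.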


It appears that FiveSys is only spreading in China, which could mean that the group behind the malware is actively targeting users in the country.

“In addition to redirecting Internet traffic, the rootkit also blocks the loading of drivers from other malware author groups, as they are likely trying to limit the access of competing threat actors to the compromised system.”

Bitdefender informed Microsoft about the rootkit and its WHQL certification, and the company has since removed the signature.
