POORTRY Still Active in 2025: The Microsoft Signing Crisis That Won't Go Away
Three years after its discovery, POORTRY is still actively disabling endpoint security using legitimate Microsoft signatures. This post explains how attackers bypass EDR in minutes, why traditional defenses fail, and what CISOs need to do to mitigate this systemic risk.

The Wake-Up Call
Three years after security researchers first exposed the POORTRY malware campaign, we asked a simple question: Is this still happening?
The answer should concern every CISO: YES - and it's worse than we thought.
In September 2025, MagicSword discovered over 200 Microsoft-signed POORTRY variants actively deployed in the wild. Using VirusTotal, we traced a continuous attack campaign spanning from 2022 to today. The implications are sobering:
- Attackers still have active access to compromised Windows Hardware Developer Program accounts
- Microsoft's attestation signing process remains exploitable three years after initial discovery
- Your EDR can be disabled and wiped from disk before ransomware deploys
- Traditional defenses (hash blocking, signature detection) are virtually useless
This isn't ancient history. We found 20+ new POORTRY samples deployed in a single week in September 2025.
What is POORTRY?
POORTRY (also called BurntCigar or Terminator) is a sophisticated kernel-mode driver designed to disable and destroy endpoint security solutions. First documented by Mandiant in 2022, it has evolved significantly:
Evolution Timeline:
- 2022: Terminate EDR processes at the kernel level
- 2023: Enhanced kernel manipulation to bypass modern protections
- 2024: Wipe EDR files from disk (documented by Sophos)
- 2025: Still actively deployed with legitimate Microsoft signatures
Who's Using It:
- Nation-state actors: Lazarus APT (North Korea), UNC3944/Scattered Spider
- Ransomware groups: BlackCat, LockBit, Cuba, Medusa, RansomHub
- Malware-as-a-Service: Available on underground forums for $5,000-$15,000 per deployment
The Microsoft Attestation Signing Crisis
Here's the fundamental problem that Microsoft hasn't solved:
The Windows Hardware Developer Program allows hardware vendors to get drivers signed through an automated attestation process. While designed for legitimate hardware companies, threat actors have systematically compromised this system.
The Attack Chain:
- Compromise or create fake Windows Developer Program accounts
- Submit malicious driver for attestation signing
- Microsoft's automated process fails to detect malware
- Receive legitimate Microsoft signature
- Deploy ransomware with Microsoft-signed EDR killer
Why Traditional Blocking Fails:
Each attestation signing request generates a unique leaf certificate with a different TBS hash. This means:
- You can't block by certificate hash (200+ unique certificates exist)
- You can't block by TBS hash (each variant is different)
- You can't block the root CA (it's Microsoft's, and blocking it would break every legitimately signed Windows hardware driver)
Attackers play "certificate roulette": if one variant gets blocked, they deploy another in 30 seconds.
Our Discovery: How We Found 200+ Active Variants
We started with a single known POORTRY sample from Mandiant's 2022 research and used VirusTotal's relationship pivoting to uncover the full scope of the campaign.
What We Found:
- 200+ variants identified through forensic clustering
- 20+ new samples deployed in one week (Sept 23-29, 2025)
- Multiple signing methods: Microsoft attestation + revoked certs + expired certs
- Consistent forensic signature: all ~2.5MB, VMProtect-packed, same behavioral patterns
The Smoking Gun:
We discovered POORTRY samples from September 2025 using a certificate from Blueone Technology Co., Ltd. that expired in 2013, over 12 years ago.
What Happens During a POORTRY Attack
Understanding the attack sequence is crucial for CISOs:
Phase 1: Initial Compromise (via phishing, RDP, or exploited RMM tool)
Phase 2: POORTRY Deployment (typically to C:\Windows\ with random 5-8 character filenames)
Phase 3: EDR Impairment (5-10 minutes)
- Patches security callback functions at the kernel level
- Disables process creation monitoring
- Detaches Windows Filter Manager from file systems
- Targets 192 different security products
Phase 4: EDR Wiping (2-5 minutes)
- Terminates security services
- Locates EDR installation paths
- Deletes .exe, .dll, and .sys files
- Removes all traces of protection
Phase 5: Ransomware Deployment (often within 30 minutes)
- Zero endpoint visibility
- EDR cannot restart (files deleted)
- Incident response blind to what happened
Sophos documented a July 2024 RansomHub attack where POORTRY completely wiped EDR components before ransomware deployment. The EDR couldn't restart because the files were gone.
The "Certificate Roulette" Problem
Sophos researchers observed this attack pattern in real incidents:
Minute 0: Deploy POORTRY variant A (Cert: Bopsoft)
  └─ Blocked by behavioral rule
Minute 0.5: Deploy POORTRY variant B (Cert: Evangel Technology)
  └─ Different signature = bypasses block
  └─ EDR killed before detection completes
Minute 2: Deploy ransomware
  └─ No security software running
This is why hash-based or single-certificate blocking fails. Attackers have 200+ signed variants ready to deploy.
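The "Why Traditional Blocking Fails" list and the roulette timeline above both come down to the same point: a hash or single-certificate blocklist matches exactly one variant, while the file-level traits the post describes (random short filename in C:\Windows\, ~2.5MB size, expired or revoked signing certificate) hold across variants. The following is an added Python illustration, not code from the post or from MagicSword; the driver records, hashes, filenames and certificate dates are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed driver records modelled on the post's indicators; hashes,
# filenames and certificate dates are placeholders, not real samples.
@dataclass
class DriverRecord:
    sha256: str
    path: str
    size_bytes: int
    signer: str
    cert_not_after: date   # certificate expiry
    signed_on: date        # date the file was signed / first seen
    cert_revoked: bool = False

SIZE_RANGE = (2_400_000, 2_700_000)                 # 2.4-2.7 MB per the post
RANDOM_NAME = re.compile(r"^[a-z0-9]{5,8}\.sys$", re.I)

def triage(rec: DriverRecord) -> list[str]:
    """Return the post's file-level indicators matched by this driver."""
    hits = []
    folder, _, name = rec.path.rpartition("\\")
    if folder.lower() == r"c:\windows" and RANDOM_NAME.match(name):
        hits.append("random 5-8 char filename in C:\\Windows\\")
    if SIZE_RANGE[0] <= rec.size_bytes <= SIZE_RANGE[1]:
        hits.append("size in POORTRY range")
    if rec.cert_revoked:
        hits.append("revoked signing certificate")
    elif rec.signed_on > rec.cert_not_after:
        # the post's Blueone case: a 2025 sample carrying a cert that expired in 2013
        hits.append("signed after certificate expiry")
    return hits

def hash_block(rec: DriverRecord, blocklist: set[str]) -> bool:
    """What a hash-only control does: exact match or miss, nothing in between."""
    return rec.sha256 in blocklist

# Variant A is already on the blocklist; variant B is the "roulette" follow-up
# with a fresh hash and a different certificate (both constructed).
VARIANT_A = DriverRecord("aa" * 32, r"C:\Windows\kqx7f.sys", 2_512_000,
                         "Bopsoft", date(2013, 6, 1), date(2025, 9, 23))
VARIANT_B = DriverRecord("bb" * 32, r"C:\Windows\zp4nm2.sys", 2_488_000,
                         "Evangel Technology", date(2030, 1, 1), date(2025, 9, 23))
BLOCKLIST = {VARIANT_A.sha256}

if __name__ == "__main__":
    for v in (VARIANT_A, VARIANT_B):
        print(v.signer, "| hash-blocked:", hash_block(v, BLOCKLIST), "| triage:", triage(v))
```

The blocklist stops variant A only; the trait-based triage flags both, which is the kind of check that survives a certificate swap.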
What CISOs Need to Know
The Strategic Reality
Your EDR Can Be Bypassed
Traditional endpoint security assumes it can't be killed at the kernel level. POORTRY proves otherwise.
Microsoft Signatures Are Not Trustworthy
A Microsoft signature used to mean "safe." Now it means "Microsoft's automated process didn't catch it."
This is a Systemic Issue
200+ variants over 3 years means this isn't one compromised account; it's a persistent pipeline that Microsoft hasn't shut down.
Revocation Doesn't Work Fast Enough
By the time Microsoft revokes one certificate, attackers have obtained 10 more.
The Tactical Problem
Your detection gap after POORTRY loads: Complete.
Time from EDR kill to ransomware deployment: Often under 30 minutes.
Your incident response capability: Blind (no endpoint telemetry, deleted logs).
Questions for Your Security Team
As a CISO, you should be asking:
- Can our EDR be killed? Have you red teamed this? Test it.
- What's our detection if EDR is disabled? Do we have network monitoring? Cloud-based detection? What happens when endpoint visibility goes dark?
- Do we have driver allowlisting? If not, any signed driver can load, including POORTRY.
- Are we monitoring for behavioral indicators? Mass process termination, file deletion in security directories, kernel callback manipulation?
- What's our incident response plan if EDR is wiped? Can we recover? How quickly? Do we have offline backups of EDR installers?
The Bigger Picture: A Trust Model Failure
The POORTRY crisis represents a fundamental failure of the trust model underpinning Windows security:
- Automated processes cannot detect malware reliably
- Compromised developer accounts remain active for years
- Unique leaf certificates defeat traditional blocking
- Legacy policy exceptions create permanent backdoors
For defenders, this means:
- Don't rely on EDR alone (assume it can be killed)
- Implement defense-in-depth (network monitoring, log aggregation)
- Deploy behavioral detection (process patterns, not signatures)
- Subscribe to specialized threat intelligence (generic feeds miss driver-based threats)
For Microsoft, the attestation signing process needs fundamental reform:
- Malware scanning before signing
- Manual review for anomalous submissions
- Rapid revocation pipeline
- Close the pre-2015 certificate loophole
Until these changes happen, this crisis will continue.
Key Indicators of Compromise
Recent Active Samples (September 2025):
SHA256: 7c5329b842cc3eaf1ec6c11b00e09a8c5e38ad14134b40a8bae3eda0a167a919
First Seen: September 29, 2025
Signer: Blueone Technology (expired 2013!)
Detection: 24/73 engines (32.9%)
VT Link: https://www.virustotal.com/gui/file/7c5329b842cc3eaf1ec6c11b00e09a8c5e38ad14134b40a8bae3eda0a167a919
SHA256: 06478f0fc40ad5dcd06369a59a2bf351a3df511df53ceecca5d2819d7e5e69f3
First Seen: September 26, 2025
Signer: Shenzhen yundian Technology (expired 2014, REVOKED!)
Detection: 30/73 engines (41.1%)
VT Link: https://www.virustotal.com/gui/file/06478f0fc40ad5dcd06369a59a2bf351a3df511df53ceecca5d2819d7e5e69f3
File Characteristics:
- Size: 2.4-2.7 MB
- Packer: VMProtect
- Signature: Microsoft attestation or expired Chinese certificates
- Filenames: Random 5-8 character names in C:\Windows\
Behavioral Indicators:
- Sequential security process termination
- File deletion in: C:\Program Files\[EDR Vendor]\
- Kernel callback manipulation
- Windows Filter Manager detachment
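The behavioral indicators above are what remains detectable once hashes and certificates stop helping. The following is an added Python example, not code from the post or from MagicSword: it runs three of those indicators (driver load from C:\Windows\ with a random short name, sequential termination of security processes, deletion of .exe/.dll/.sys files under the EDR vendor's directory) over a constructed, simplified JSON-per-line event stream. "AcmeEDR" stands in for "[EDR Vendor]", and the event format and 120-second window are assumptions, not any real sensor's schema.

```python
import json
import re

# Placeholder for the EDR vendor's install directory ("[EDR Vendor]" in the post).
SECURITY_DIRS = {r"c:\program files\acmeedr"}
RANDOM_DRIVER = re.compile(r"^c:\\windows\\[a-z0-9]{5,8}\.sys$", re.I)
WINDOW_SECONDS = 120     # assumed: terminations this close together count as "sequential"
MIN_TERMINATIONS = 3

# Constructed events in a simplified JSON-per-line format (not real Sysmon/EDR
# output): t = seconds since start, type, image = path involved.
SAMPLE_EVENTS = r"""
{"t": 0, "type": "driver_load", "image": "C:\\Windows\\kqx7f.sys"}
{"t": 12, "type": "proc_term", "image": "C:\\Program Files\\AcmeEDR\\sensor.exe"}
{"t": 13, "type": "proc_term", "image": "C:\\Program Files\\AcmeEDR\\scanner.exe"}
{"t": 14, "type": "proc_term", "image": "C:\\Program Files\\AcmeEDR\\updater.exe"}
{"t": 30, "type": "proc_term", "image": "C:\\Windows\\System32\\notepad.exe"}
{"t": 95, "type": "file_delete", "image": "C:\\Program Files\\AcmeEDR\\sensor.exe"}
{"t": 96, "type": "file_delete", "image": "C:\\Program Files\\AcmeEDR\\drv\\acme.sys"}
"""

def in_security_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SECURITY_DIRS)

def detect(raw: str) -> list[str]:
    """Apply the post's behavioral indicators to JSON-per-line events."""
    events = [json.loads(line) for line in raw.strip().splitlines()]
    alerts, term_times = [], []
    for ev in events:
        img = ev["image"]
        if ev["type"] == "driver_load" and RANDOM_DRIVER.match(img):
            alerts.append(f"random short driver name loaded from C:\\Windows: {img}")
        elif ev["type"] == "proc_term" and in_security_dir(img):
            # sliding window over terminations of security-product processes
            term_times = [t for t in term_times if ev["t"] - t <= WINDOW_SECONDS]
            term_times.append(ev["t"])
            if len(term_times) == MIN_TERMINATIONS:
                alerts.append("sequential security process termination")
        elif (ev["type"] == "file_delete" and in_security_dir(img)
              and img.lower().endswith((".exe", ".dll", ".sys"))):
            alerts.append(f"security binary deleted: {img}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The driver-load alert fires first, which matters because it precedes the 5-10 minute impairment phase the post describes; the termination and deletion alerts only confirm what has already happened.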
How MagicSword Can Help
Traditional threat intelligence gives you hashes that are obsolete by the time you receive them. By the time a hash is published, attackers have deployed 10 new variants.
MagicSword's EDR Killer Feed provides:
Certificate-Based Intelligence
- Track emerging certificates before widespread abuse
- Monitor attestation signing patterns for anomalies
Real-Time Campaign Tracking
- Which ransomware families are bundling it
- Underground forum pricing and availability
Why it matters: We found 20 new POORTRY variants in September 2025 alone. Our feed customers were protected before these samples appeared in public threat intelligence.
Learn more:
- Visit: https://portal.magicsword.io/dashboard/signin/signup?utm=linkedin
- Contact: info@magicsword.io
Free Resources:
- LOLDrivers Project - Vulnerable & Malicious Drivers database
The Bottom Line
Three years after initial discovery, POORTRY remains a critical threat:
- Still obtaining Microsoft signatures
- Still deploying with ransomware groups
- Still bypassing modern EDR solutions
- Still using expired certificates from 2013
- Still evolving (EDR wiper capabilities added in 2024)
This is not a historical threat. This is happening right now.
The September 2025 samples we discovered prove that attackers maintain persistent access to Microsoft's signing infrastructure. Until Microsoft fundamentally reforms the attestation signing process, defenders must assume:
- Your EDR can be killed
- Microsoft signatures are not automatically trustworthy
- Hash-based blocking is insufficient
- Defense-in-depth is mandatory
For security leaders: This is a board-level risk. The question isn't "Can our EDR be bypassed?" It's "What's our detection and response capability when it is?"
Additional Resources
Primary Research:
- Mandiant: Hunting for Attestation Signed Malware (2022)
- Sophos: Burnt Cigar 2 - POORTRY Evolution (2024)
- SentinelOne: Driving Through Defenses
- BleepingComputer: POORTRY Evolves into Full EDR Wiper
Our Analysis:
- VirusTotal: POORTRY Sept 2025 Sample
- VirusTotal: POORTRY Oct 2022 Original
- LOLDrivers.io - Vulnerable Drivers Database
Last Updated: October 14, 2025
Threat Level: Critical
Campaign Status: Active
MagicSword Monitoring: Ongoing
MITRE ATT&CK Mapping: T1562.001 (Impair Defenses), T1068 (Privilege Escalation), T1014 (Rootkit), T1070.004 (File Deletion)
About MagicSword Threat Intelligence
MagicSword specializes in hunting advanced threats that traditional defenses miss. This discovery was made through advanced VirusTotal pivoting, forensic clustering analysis, certificate chain analysis, and continuous campaign tracking.
Our mission: Provide security teams with actionable intelligence that stops threats before they become breaches.

Written by
Michael Haag
Threat Researcher
In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.


