DragonBreath: A Critical 0-Day Vulnerability in the Kernel 🚨

This report documents a critical 0-day vulnerability in dragoncore_k.sys, a Windows kernel-mode driver that carries a valid Microsoft WHQL signature issued to Zhengzhou 403 Network Technology Co., Ltd. The driver exposes an IOCTL interface that performs no validation of the caller: any process running with local administrative rights can use it to terminate arbitrary processes from Ring 0, including processes protected by Protected Process Light (PPL). Because EDR and AV agents rely on PPL to keep their own processes alive, this lets an attacker blind them completely.

Key Findings 🔍

  • Investigation of the signing entity reveals a pattern consistent with a Chinese state-adjacent shell company operating within the Dragon Breath APT (APT-Q-27) ecosystem.
  • The company’s GlobalSign EV certificate was explicitly revoked for abuse.
  • The driver’s IOCTL kill mechanism is functionally identical to ollama.sys, the kernel driver used in that same APT campaign.

Technical Details ⚙️

Static reverse engineering of the driver's IRP dispatch table shows that the handler for IOCTL code 0x22201C reads a Process ID from the user-supplied input buffer and hands it, without any validation, to ZwTerminateProcess. The handler does not check the caller's integrity level, does not require SeDebugPrivilege, and does not test whether the target is a PPL-protected process. Because the termination is performed from kernel mode, the protected-process access checks that prevent a user-mode caller from obtaining PROCESS_TERMINATE on a PPL process never apply, and the kernel carries out the request as if it came from a trusted system component.
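To see what the IOCTL code itself tells a defender, the following added example (not code from the original report) unpacks 0x22201C into the fields that the WDK CTL_CODE macro packs together. The field layout is the documented CTL_CODE layout; the function name and the FILE_DEVICE_UNKNOWN lookup are the example's own.

```powershell
# Added example (not from the original report): unpack a Windows IOCTL code into the
# fields the WDK CTL_CODE macro packs together:
#   DeviceType << 16 | RequiredAccess << 14 | Function << 2 | TransferMethod
function ConvertFrom-IoctlCode {
    param([Parameter(Mandatory)][int]$Code)

    $methods = 'METHOD_BUFFERED', 'METHOD_IN_DIRECT', 'METHOD_OUT_DIRECT', 'METHOD_NEITHER'
    $access  = 'FILE_ANY_ACCESS', 'FILE_READ_ACCESS', 'FILE_WRITE_ACCESS',
               'FILE_READ_ACCESS | FILE_WRITE_ACCESS'

    $deviceType = ($Code -shr 16) -band 0xFFFF
    $function   = ($Code -shr 2)  -band 0xFFF

    # 0x22 is FILE_DEVICE_UNKNOWN, the value most third-party drivers use for custom devices.
    $deviceName = if ($deviceType -eq 0x22) { 'FILE_DEVICE_UNKNOWN' } else { '0x{0:X}' -f $deviceType }

    [pscustomobject]@{
        Code           = '0x{0:X6}' -f $Code
        DeviceType     = $deviceName
        Function       = '0x{0:X3}' -f $function
        VendorFunction = $function -ge 0x800   # 0x000-0x7FF is reserved for Microsoft
        Method         = $methods[$Code -band 0x3]
        RequiredAccess = $access[($Code -shr 14) -band 0x3]
    }
}

# The code named in the report.
ConvertFrom-IoctlCode -Code 0x22201C
```

Decoded, 0x22201C is CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS). The FILE_ANY_ACCESS field matters: the I/O manager imposes no access-mask requirement on the device handle for this request, so the dispatch routine is the only place a privilege or PPL check could happen, and the report finds none there. METHOD_BUFFERED means the PID arrives in a kernel copy of the caller's buffer, which is convenient for the driver author and equally convenient for anyone abusing it.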

Deployment Insights 📈

VirusTotal relationship data for dragoncore_k.sys shows 16 distinct execution parents, all classified as Win32 EXE, with detection rates ranging from 47/70 to 57/72. This strongly indicates that the driver is deployed exclusively by purpose-built malicious droppers rather than by any legitimate software. The dropper submissions cluster tightly between December 21, 2024, and January 24, 2025, within weeks of the driver's November 2024 compilation date.

Conclusion 📝

Zhengzhou 403 Network Technology Co., Ltd. is registered in Zhengzhou, Henan Province, China. The company held a WHQL hardware developer account with Microsoft and an EV code-signing certificate from GlobalSign; the certificate was later explicitly revoked for abuse. No verifiable product portfolio, public website, commercial history, or customer base has been identified.
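Because the driver is delivered by droppers rather than by any legitimate installer, the practical question for a defender is whether it is present on a host. The following added example (not code from the original report) inventories kernel driver services and flags any whose image name, embedded company metadata, signer, or hash matches what this report names. The match strings are assumptions drawn from the report's text, not confirmed IOC patterns, and the hash list is left empty because this summary gives no hashes.

```powershell
# Added example (not from the original report): inventory kernel driver services on a host
# and flag any whose image name or embedded metadata matches the driver or the signing
# company named in the report. The match strings are taken from the report's text and are
# assumptions, not confirmed IOC patterns; add the file hashes from the full report to
# $knownHashes once you have them.
$suspectFile   = 'dragoncore_k.sys'
$suspectVendor = 'Zhengzhou 403 Network Technology'
$knownHashes   = @()   # SHA-256 values from the full report (none are given in this summary)

$inventory = Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }
    # Normalise the NT-style prefixes the SCM stores so Get-Item can open the file.
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { return }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $info = (Get-Item -LiteralPath $path).VersionInfo
    [pscustomobject]@{
        Service   = $_.Name
        State     = $_.State
        Path      = $path
        Company   = $info.CompanyName
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$hits = $inventory | Where-Object {
    ($_.Path -like "*\$suspectFile") -or
    ("$($_.Company) $($_.Signer)" -match [regex]::Escape($suspectVendor)) -or
    ($knownHashes -contains $_.SHA256)
}

if ($hits) { $hits | Format-List } else { 'No matching driver service found.' }
```

Two caveats when reading the output. First, a WHQL-signed driver presents Microsoft's Windows Hardware Compatibility Publisher certificate as its primary signer, and Get-AuthenticodeSignature reports only that primary signature; the vendor's own EV signature, where present, is nested and will not appear in the Signer column, which is why the example also matches on the version-resource CompanyName and on hashes. Second, revocation of the vendor's EV certificate does not invalidate the WHQL signature, so Code Integrity will still load the driver unless it is covered by Microsoft's vulnerable driver blocklist; a SigStatus of Valid is therefore not evidence of safety. A driver can also be loaded and then have its service entry removed, so pair this inventory with driver-load telemetry (for example Sysmon Event ID 6) rather than relying on it alone.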

This post summarises the full report; see the original article for the complete analysis.

This post is licensed under CC BY 4.0 by the author.