RegPhantom: a stealthy Windows kernel rootkit loaded through the registry

RegPhantom has been identified as a sophisticated Windows kernel rootkit that establishes a hidden execution path from user mode to kernel mode through the Windows registry. The malware lets attackers execute arbitrary code in kernel mode by sending XOR-encrypted commands through a registry value that the malicious driver intercepts and processes. Its design prioritizes stealth and minimal visibility: it runs code with kernel privileges while masking the activity within normal system operations.

Active development and China-nexus indicators

Technical analysis identified several RegPhantom samples between June and August 2025, indicating ongoing development and maintenance by an attacker likely based in China. Several of the samples are signed with valid code-signing certificates belonging to established Chinese companies, which strengthens the China-nexus attribution.

The shared code characteristics and the consistent development timeline point to a well-organized and persistent threat actor.

CFG obfuscation complicates analysis

RegPhantom is unusual in applying control-flow graph (CFG) obfuscation, which hampers both static and dynamic analysis. The malware's control-flow graph is padded with opaque predicates and duplicated basic blocks, so execution paths cannot be resolved straightforwardly during reverse engineering.

Function calls are further obscured through computed indirect calls, in which the call target is derived at run time rather than encoded as a fixed address, so disassemblers struggle to resolve both API calls and internal calls.

What researchers found

During the technical assessment, researchers recovered the kernel driver but did not find the original user-mode executable or the downstream kernel module the driver is meant to load. They did, however, build a proof-of-concept trigger demonstrating how, once the driver is installed, an unprivileged user process can use registry interaction to load arbitrary modules into kernel space.

The registry traffic that carries the commands is shaped so that monitoring tools record it as invalid access rather than as a successful write, which helps the malware evade detection.
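The following is an added illustrative model, not code recovered from RegPhantom or taken from the researchers' proof of concept. It models the channel described above and the computed indirect call described under CFG obfuscation: a user-mode client XOR-encodes a framed command and writes it to a registry value; a stand-in for the driver's pre-set-value callback (in a real driver this role would be played by a registry callback registered with CmRegisterCallbackEx, and the summary does not say which interception mechanism RegPhantom uses) decodes it, dispatches through a handler table whose index is computed at run time, wipes the decoded buffer, and fails the write with STATUS_ACCESS_DENIED so the value never reaches the hive. The value name, XOR key, magic tag, opcodes and table mask are all assumptions made for illustration.

```c
/* Added model (not RegPhantom's own code) of a registry-backed command channel
 * between a user-mode client and a kernel driver. Every constant below is an
 * assumption made for illustration, not a recovered indicator. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real NTSTATUS values a driver would return from a registry callback. */
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u

/* Assumed channel parameters: value name, frame tag, opcodes, XOR key. */
#define CTL_VALUE_NAME "PhantomCtl"
#define CMD_MAGIC      0x52504854u        /* "RPHT" */
#define OPC_PING       0u
#define OPC_LOAD       1u
#define TABLE_MASK     0x9eu              /* opcode ^ mask picks the handler slot */
#define HDR_LEN        12u                /* magic | opcode | payload length */
#define MAX_FRAME      128u
static const uint8_t XOR_KEY[4] = { 0x5a, 0x13, 0xc7, 0x88 };

static void xor_inplace(uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        b[i] ^= XOR_KEY[i % sizeof XOR_KEY];
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* ---- simulated kernel side ---------------------------------------------- */
static uint8_t g_hive[MAX_FRAME];   /* stand-in for the hive: what a completed write persists */
static size_t  g_hive_len;
static int     g_last_opcode = -1;  /* last command dispatched, for observation */

typedef uint32_t (*handler_fn)(const uint8_t *, uint32_t);
static uint32_t h_ping(const uint8_t *d, uint32_t n) { (void)d; (void)n; g_last_opcode = OPC_PING; return 0; }
static uint32_t h_load(const uint8_t *d, uint32_t n) { (void)d; g_last_opcode = OPC_LOAD; return n; } /* a real driver would map a module here */
static handler_fn g_table[2] = { h_ping, h_load };

static uint32_t persist(const uint8_t *data, size_t n)
{
    g_hive_len = n < sizeof g_hive ? n : sizeof g_hive;
    memcpy(g_hive, data, g_hive_len);
    return STATUS_SUCCESS;            /* ordinary write completes normally */
}

/* Model of a pre-set-value registry callback: runs before the value is written
 * and decides whether the operation completes. */
uint32_t pre_set_value(const char *value_name, const uint8_t *data, size_t n)
{
    uint8_t buf[MAX_FRAME];
    if (strcmp(value_name, CTL_VALUE_NAME) != 0 || n < HDR_LEN || n > sizeof buf)
        return persist(data, n);      /* not ours: let the write through */

    memcpy(buf, data, n);
    xor_inplace(buf, n);              /* decode into kernel scratch, never into the hive */
    if (get32(buf) != CMD_MAGIC)
        return persist(data, n);      /* same value name but no valid frame */

    uint32_t idx = get32(buf + 4) ^ TABLE_MASK;
    uint32_t len = get32(buf + 8);
    if (idx < sizeof g_table / sizeof g_table[0] && HDR_LEN + (size_t)len <= n)
        g_table[idx](buf + HDR_LEN, len);   /* computed indirect call */

    memset(buf, 0, sizeof buf);       /* wipe the decoded command */
    return STATUS_ACCESS_DENIED;      /* fail the write: nothing lands in the hive,
                                         and a monitor sees a denied access */
}

/* ---- user-mode client ---------------------------------------------------- */
size_t build_command(uint32_t opcode, const uint8_t *payload, uint32_t len,
                     uint8_t *out, size_t cap)
{
    if (HDR_LEN + (size_t)len > cap) return 0;
    put32(out, CMD_MAGIC);
    put32(out + 4, opcode ^ TABLE_MASK);
    put32(out + 8, len);
    memcpy(out + HDR_LEN, payload, len);
    xor_inplace(out, HDR_LEN + len);  /* what actually crosses the registry API */
    return HDR_LEN + len;
}

int main(void)
{
    uint8_t frame[MAX_FRAME];
    size_t n = build_command(OPC_LOAD, (const uint8_t *)"module.sys", 10, frame, sizeof frame);
    uint32_t st = pre_set_value(CTL_VALUE_NAME, frame, n);
    printf("command frame : status 0x%08X, opcode %d dispatched, %zu bytes in hive\n",
           st, g_last_opcode, g_hive_len);
    st = pre_set_value("Start", (const uint8_t *)"\x02\x00\x00\x00", 4);
    printf("ordinary write: status 0x%08X, %zu bytes in hive\n", st, g_hive_len);
    return 0;
}
```

Compile with any C compiler and run it to see the two outcomes side by side. The point for defenders is visible in the first line of output: the command write returns an error to the client and leaves no value behind, so a registry monitor records only a failed set-value operation. That is why the driver image itself, rather than registry artifacts, is the more reliable detection target.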

Why detection is difficult

Detecting RegPhantom requires focusing on the driver binary itself rather than on typical forensic artifacts. The registry is used only as a transient command channel, not as a persistence location, so the malware leaves no lasting traces in the artifact locations investigators usually check. The absence of persistent artifacts, together with the removal of loaded code from memory after execution, further complicates detection.

As a result, identifying unique byte patterns in the driver image, for example with YARA rules, is critical for detecting the presence of RegPhantom.

Key takeaways

  • RegPhantom is a Windows kernel rootkit that uses the registry as a covert execution channel.
  • It enables arbitrary code execution in kernel mode via XOR-encrypted commands.
  • Samples were observed between June and August 2025, suggesting active maintenance.
  • Several samples are signed with valid code signatures from Chinese companies.
  • CFG obfuscation and indirect calls significantly hinder reverse engineering.
  • Detection should rely on driver-level indicators and YARA rules rather than standard registry artifacts.

The report was obtained from the CTT Report Hub service. The rights to the report belong to its owner.

The full report is available at the link.

Author: Технологии киберугроз (Cyber Threat Technologies)
Технологии киберугроз (the RST Cloud Russia brand) is a technology company specializing in threat intelligence solutions for enterprises of any size. We collect, normalize and enrich cyber threat information from around the world. Our sources include more than 260 open feeds, more than 100 open providers of threat intelligence reports, public online sandboxes, social networks and GitHub repositories. We also provide services for semantic analysis of threat intelligence reports and their conversion into the machine-readable STIX 2.1 format, checking IoCs for potential false positives, and retrieving WHOIS records for domain names.