NetfilterRootkit
Intelligence Profile
NetfilterRootkit is a WFP (Windows Filtering Platform) application layer enforcement callout driver that was signed by Microsoft through the Windows Hardware Compatibility Program. It was first discovered by Karsten Hahn, whose team submitted the malware to Microsoft, enabling Microsoft to open an investigation.
After Karsten Hahn published tweets and an article about the rootkit, Microsoft quickly responded with an article of their own. Their investigation found that the malware targeted gamers in China. The rootkit redirects network traffic to an IP address controlled by the threat actor. The driver lets the threat actor spoof their geo-location in order to cheat, but the same redirection also enables compromise of the targeted players' accounts.
While this particular rootkit is no longer significant, similar rootkits have been created since that are likewise signed by Microsoft through the Windows Hardware Compatibility Program.
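Because the defining trait described above is a third-party kernel driver carrying a Windows Hardware Compatibility Program signature, one practical defender check is to inventory the drivers installed on a host and list those whose Authenticode signer is the WHCP publisher certificate, so they can be reviewed against the hardware actually present. The script below is an added example written for this profile, not code from the original page or from any Microsoft or G DATA publication; it assumes it runs on Windows with PowerShell 5.1 or later and local administrator rights, and it relies only on the built-in Win32_SystemDriver class and Get-AuthenticodeSignature.

```powershell
# Added example: inventory installed kernel drivers and report the ones signed
# by the Windows Hardware Compatibility Program publisher certificate.
# Constructed helper names (Resolve-DriverPath, Get-WhcpSignedDrivers) are
# assumptions for this example, not part of any product or API.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Win32_SystemDriver reports NT-style paths; map them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-WhcpSignedDrivers {
    # The subject string used by WHCP attestation signing.
    $whcpSubject = 'Microsoft Windows Hardware Compatibility Publisher'
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path $path)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($subject -like "*$whcpSubject*") {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State      # Running / Stopped
                StartMode = $_.StartMode  # Boot / System / Auto / Manual
                Path      = $path
                Status    = $sig.Status   # Valid / NotSigned / HashMismatch ...
                Signer    = $subject
            }
        }
    }
}

# Review every WHCP-signed driver against the hardware this host should have;
# a WFP callout driver that matches no installed device is worth investigating.
Get-WhcpSignedDrivers | Sort-Object State, Name | Format-Table -AutoSize
```

The list is an inventory, not a verdict: many legitimate vendor drivers are WHCP-signed, so the value lies in cross-checking each entry against expected hardware and the driver's publisher metadata.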
Threat Analysis
NetfilterRootkit is a piece of malware rather than a threat actor in its own right. The sophistication, national origin and motivation of the operators behind it have not been established, beyond the traffic-redirection and geo-location-spoofing activity described above.