MALWARE FAMILY

NetfilterRootkit

Internal ID: win.netfilter
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

NetfilterRootkit is a Windows Filtering Platform (WFP) application layer enforcement (ALE) callout driver that is signed by Microsoft via the Windows Hardware Compatibility Program. It was first discovered by Karsten Hahn, whose team submitted the malware to Microsoft, allowing Microsoft to start an investigation.

After Karsten Hahn published tweets and an article about the rootkit, Microsoft quickly responded with an article of their own. Their investigation identified Chinese gamers as the targets of the malware. The rootkit redirects traffic to the threat actor's IP address. The threat actor can use the driver to spoof their geo-location in order to cheat, but it also enables account compromise of targeted players.

While this particular rootkit is no longer significant, similar rootkits have since been created that are also signed by Microsoft via the Windows Hardware Compatibility Program.

Threat Analysis

NetfilterRootkit is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.netfilter

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.