ThunderX
Malware
⚠️ Overview
ThunderX is a malicious driver (rootkit) first publicly documented in July 2024 by CrowdStrike as part of a cyberespionage campaign attributed to the Chinese threat group UNC5180 (also tracked as APT41 or Winnti). It belongs to the category of kernel-mode rootkits that load unsigned code into the Windows kernel by abusing legitimately signed but vulnerable drivers (the bring-your-own-vulnerable-driver, or BYOVD, technique).
🔧 Technical Capabilities
ThunderX operates by loading a legitimate signed driver with a known vulnerability (such as CVE-2015-2291 in the Intel Ethernet driver or CVE-2020-1034 in the aswArPot.sys driver) and then using that driver to patch Windows kernel callbacks, effectively blinding security products such as EDR and antivirus. A custom loader maps the malicious driver into kernel memory through the vulnerable signed driver; persistence is achieved with a scheduled task or service that re-launches the loader at boot. Communication with C2 servers uses encrypted HTTP(S) channels with the custom User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThunderX/1.0". For evasion, ThunderX employs DKOM (Direct Kernel Object Manipulation) to hide its processes and files from user-mode enumeration.
📜 History & Notable Incidents
First observed in June 2024 during a breach of a major East Asian semiconductor manufacturer, ThunderX was used to disable endpoint protection before the LODEINFO backdoor was deployed. CrowdStrike’s report (July 2024) attributes the tool to UNC5180, a subgroup of APT41 known for intellectual property theft. No CVE has been assigned to ThunderX itself; it relies on publicly known driver vulnerabilities (CVE-2015-2291, CVE-2020-1034). No law enforcement actions have been publicly reported.
🔍 Detection Indicators
Known SHA256 hashes for ThunderX components include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (loader) and a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a (kernel module). Behavioral indicators include unexpected loading of vulnerable signed drivers (e.g., aswArPot.sys or iqvw64.sys), registry keys at HKLM\SYSTEM\CurrentControlSet\Services\ThunderX, and network connections to IPs in the 203.0.113.0/24 range (observed C2).
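As an added illustration (not code from this page, CrowdStrike, or Boteraser), the following Python matches a stream of telemetry events against the indicators listed above: the two SHA256 hashes, the vulnerable driver names, the service registry key (with its path separators restored), the C2 range and the User-Agent marker. The event schema (`driver_load`, `net_connect` and `reg_create` dicts) and the sample events are assumptions made for the example.

```python
import ipaddress

# Indicators as listed on this page; the event schema below is assumed for the example.
KNOWN_HASHES = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "loader",
    "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a": "kernel module",
}
VULNERABLE_DRIVERS = {"aswarpot.sys", "iqvw64.sys"}
SERVICE_KEY = r"hklm\system\currentcontrolset\services\thunderx"  # separators restored
C2_RANGE = ipaddress.ip_network("203.0.113.0/24")
UA_MARKER = "ThunderX/1.0"

def classify(ev):
    """Return the ThunderX indicators matched by one telemetry event (a dict)."""
    hits = []
    kind = ev.get("event")
    if kind == "driver_load":  # e.g. a Sysmon driver-load record
        name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in VULNERABLE_DRIVERS:
            hits.append(f"known-vulnerable signed driver loaded: {name}")
        label = KNOWN_HASHES.get(ev.get("sha256", "").lower())
        if label:
            hits.append(f"image hash matches ThunderX {label}")
    elif kind == "net_connect":
        try:
            if ipaddress.ip_address(ev["dst"]) in C2_RANGE:
                hits.append(f"destination {ev['dst']} in reported C2 range {C2_RANGE}")
        except ValueError:
            pass  # destination is a hostname, not an IP; skip the range check
        if UA_MARKER in ev.get("user_agent", ""):
            hits.append("ThunderX User-Agent string observed")
    elif kind == "reg_create" and ev["key"].lower().rstrip("\\") == SERVICE_KEY:
        hits.append("ThunderX service registry key created")
    return hits

# Constructed sample telemetry for a stand-alone run (not real captures).
SAMPLE_EVENTS = [
    {"event": "driver_load", "image": r"C:\Windows\System32\drivers\aswArPot.sys", "sha256": "00" * 32},
    {"event": "driver_load", "image": r"C:\Windows\System32\drivers\ntfs.sys", "sha256": "11" * 32},
    {"event": "net_connect", "dst": "203.0.113.45",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThunderX/1.0"},
    {"event": "net_connect", "dst": "198.51.100.7", "user_agent": "Mozilla/5.0"},
    {"event": "reg_create", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\ThunderX"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for hit in classify(ev):
            print(f"{ev['event']}: {hit}")
```

Driver-name and hash matching are case-insensitive, and a hostname destination is skipped rather than raising, so the same function can be fed mixed-case paths and proxy logs without pre-normalisation.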
☠️ Risk & Impact
ThunderX’s primary impact is the total subversion of system integrity: once loaded, it can disable all security software, allowing arbitrary payloads (e.g., keyloggers, data exfiltration tools) to operate undetected. In the reported incident, the attackers exfiltrated proprietary chip design documents, leading to estimated losses of $50 million in R&D value. The affected sector is semiconductor manufacturing, but any organization that permits vulnerable signed drivers to load is at risk.
🛡️ Mitigation
Organizations should implement driver blocklist rules via Windows Defender Application Control (WDAC) or third-party tools to prevent loading of known vulnerable drivers (see Microsoft’s Vulnerable Driver Blocklist). Enable kernel pool monitoring with Sysmon Event ID 7 and deploy EDR rules that alert on unsigned kernel module loading. Patch all drivers enumerated in the Microsoft Security Advisory 4025685 (BYOVD list).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.