Skip to content

Retliften: How Microsoft Wound Up Certifying Malware


In early June, a security researcher for G Data discovered malware within a driver software when the Netfilter driver was flagged by the company’s malware detection system. The researcher, Karsten Hahn, almost marked it as a false positive because it was digitally signed by Microsoft’s Windows Hardware Compatibility Program (see references). Luckily, Hahn investigated further, discovering not only that the driver was malware but that it had been implemented as far back as March (Goodin 2021).

Malware Details

The driver plants several vulnerabilities in the target device, the most malicious being the addition of a rootkit on the device’s local registry using the driver’s certificate from Microsoft’s CA (Certificate Authority). The malware also eavesdrops on SSL transmissions and can utilize keyloggers to put users’ data and logins at risk. The code is set to automatically send packets and other data to proxy IP addresses. This driver also appears to give the attacker the ability to spoof (or mask) their geolocation as any of the victims’. The code frequently repeats the word, “Netfilter,” which is odd because Netfilter is a Linux open-source framework for filtering network traffic. Microsoft is calling the malware, “Retliften,” which is Netfilter spelled backwards (Franceschi-Bicchierai, 2021).

Vulnerability Breakdown

  • Rootkit: a rootkit is usually installed by the victim and initially appears in the form of a trojan (see trojan). Once the rootkit is granted permissions, it grants administrative (or “root”) access to the attacker, remotely. Also known as a Back Door.
  • Trojan: a virus appearing as harmless or even helpful software, to trick the victim into installing it and even granting special permissions to the malware.
  • SSL: Secure Sockets Layer. Most communications between two remote users or between a client and server are made over TLS/SSL connections. Therefore, this would be a common type of packet transmission for online gaming.
  • Keylogger: any hardware or software that logs keystrokes and/or mouse clicks. Common for collecting login information.


The victims have been narrowed down to some video game players in China. Which regions and what specific video games are being held as confidential by Microsoft at this time. The victims have been contacted by Microsoft to alert them of the attack (Goodin, 2021).


A third party developed the hardware drivers and requested the certificate from the Windows Hardware Compatibility Program. This driver software somehow passed Microsoft’s security checks. The hardware manufacturer and third party in question are being held confidential at this time, as well. The victims have been notified of the package details (Goodin, 2021).

What Has Been Done

Microsoft has flagged and is currently investigating the hardware manufacturer and the third-party driver developer that applied for the Windows Certificate. Microsoft is also searching other submissions by these companies for additional signs of malware. They have also included an update to Windows Defender to protect against this malware code signature and are claiming other antivirus software should be capable of protecting against it as well. Microsoft is not offering any comments on how this malware surpassed their security checks in the first place.


Franceschi-Bicchierai, Lorenzo. (2021). Hackers Tricked Microsoft Into Certifying Malware That Could Spy on Users. . Motherboard Tech by Vice. 2021 June 28, 12:54.

Goodin, Dan. (2021). Microsoft-Certified Malware – Microsoft digitally signs malicious rootkit driver. . ARS Technica.  2021 June 29, 15:50.

Microsoft. (2021). Windows Hardware Compatibility Program. . Microsoft. 2021 June 24.

Microsoft. (2021). Windows Hardware Compatibility Program Certification Process. . Microsoft. 2021 June 24.

Chris’s career spans the military, government, and academia. As CEO of TeamWorx Security, Chris spends his time growing and nurturing a team that supports the best customers in the world. As a military veteran, he is passionate and supports military veterans and military veteran entrepreneurs. As an engineer, he loves designing, building, and creating solutions that reside at the intersection of government and commercial industry. Chris is a former lecturer at the Johns Hopkins University Department of Engineering and an adjunct of Advanced Cyber Intelligence at the University of South Florida. Chris received his master’s degree from Norwich University and is a graduate of the Army’s prestigious Ranger School. Chris has spent most of his military career with the Army Rangers, 10th Special Forces Group, and the Intelligence Community.

Back To Top