2703d3dd-05f0-4ae2-83a2-2ad0939467d0

Cndom6.sys :inline

Description

Signed malicious drivers reported in Silver Fox activity; rwdriver.sys exposes a rootkit IOCTL primitive, while Cndom6.sys and XiaoH.sys are reported as watchdog/support drivers.

  • UUID: 2703d3dd-05f0-4ae2-83a2-2ad0939467d0
  • Created: 2026-06-16
  • Author: Michael Haag
  • Acknowledgement: | BoboZhang0522

Download

This download link contains the malicious driver!

Block Cndom6.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create rwdriver binPath=C:\windows\temp\rwdriver.sys type=kernel && sc.exe start rwdriver
Use CasePrivilegesOperating System
Load malicious signed kernel drivers used for rootkit and watchdog activitykernelWindows 10, Windows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/350

    • Known Vulnerable Samples

    PropertyValue
    FilenameCndom6.sys
    Creation Timestamp
    MD57ddb60de73657cd3b2756965fd2e1269
    SHA1c01d742c730185cc5647b91608acc810b559a89e
    SHA2568c12407a40eab287a8281be64665b1e72b0e91b2daf84030a1a15dc280e5dbf1
    PublisherBeijing Tianshui Technology Co., Ltd.
    OriginalFilenameCndom6.sys

    Download

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    FilenameXiaoH.sys
    Creation Timestamp
    MD5e059cf1f9169302a0ff91b0061da1c14
    SHA1900377f5c3418e89ea73356ca2787ea7bdba392a
    SHA25683c4f9abe074d426fc5b08b57058208e4c184bfbe481e7847b67aeb87b04cd4a
    PublisherShanghai Qisi Education Technology Service Co., Ltd.
    OriginalFilenameXiaoH.sys

    Download

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenamerwdriver.sys
    Creation Timestamp
    MD55231a08c5286803e300ac657e37272f8
    SHA10ec6faa266d38a8c42ff9ddf116bce4246857ab4
    SHA2561c763af41b74c7502d70093763723939a8025199e0ac7e39c04b5cf992f9e273
    PublisherZTE Corporation
    OriginalFilenamerwdriver.sys

    Download

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand

    source

    last_updated: 2026-06-16