changsha.sys
EDR killer (stolen Changsha Hengxiang certificate)
changsha.sys is a malicious kernel driver used in data-extortion operations to disable endpoint protection software. It was signed with a stolen code-signing certificate from Changsha Hengxiang Information Technology Co., Ltd., a Chinese company. Sophos documented it in the context of Medusa operations in late 2024 and early 2025, alongside other malicious drivers signed with the same compromised certificate.
The driver masquerades as a CrowdStrike Falcon Sensor component to blend in among legitimate security drivers on the system. It is on the public LOLDrivers list.
Not a legitimate vendor driver. Presence indicates active compromise by a criminal threat actor. If found, escalate to incident response.
changsha.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “changsha.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/changsha-sys
