← All drivers
malicious
Driver

changsha.sys

EDR killer (stolen Changsha Hengxiang certificate)

From Unknown criminal threat actor (signed with stolen certificate)
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

changsha.sys is a malicious kernel driver used in data-extortion operations to disable endpoint protection software. It was signed with a stolen code-signing certificate from Changsha Hengxiang Information Technology Co., Ltd., a Chinese company. Sophos documented it in the context of Medusa operations in late 2024 and early 2025, alongside other malicious drivers signed with the same compromised certificate.

The driver masquerades as a CrowdStrike Falcon Sensor component to blend in among legitimate security drivers on the system. It is on the public LOLDrivers list.

Not a legitimate vendor driver. Presence indicates active compromise by a criminal threat actor. If found, escalate to incident response.

What the record shows

changsha.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “changsha.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/changsha-sys