← All drivers
vulnerable
Driver

driver_win10.sys

Generic-named WHQL-signed driver seen in 2025 intrusions

From No legitimate vendor (abused signed driver)
Status
On a known-vulnerable list
Known variants
2 distinct hashes
Field notes

driver_win10.sys is a name designed to look harmless. It resembles an ordinary Windows file, but no legitimate vendor ships a driver by this name; it carries no product or company identity of its own. The file catalogued under this name on the public LOLDrivers list is a kernel driver that was signed through Microsoft's Windows Hardware Quality Labs (WHQL) attestation program, which let it load even on systems with HVCI memory protection enabled.

The LOLDrivers project, with acknowledgement to researcher Florian Roth, catalogued it after it was observed in 2025 intrusion activity associated with the Black Basta tooling set. Its purpose is to tamper with security software from kernel mode. It is tracked by the signed file and its hashes, not by the generic name, which is exactly the kind of innocuous label this class of driver tends to wear.

Unlike most entries in this catalog, there is no vendor to update and no innocent install that explains it. Presence is evidence on the public record, not a verdict, but if a file by this name is on a system and nothing you installed accounts for it, treat it as material for incident response rather than a utility to clean up.

What the record shows

driver_win10.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “driver_win10.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/driver-win10-sys