← All drivers
malicious
Driver

poortry.sys

POORTRY: Microsoft-signed kernel malware

From Unknown threat actor (Microsoft-signed)
Part of the POORTRY family
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

POORTRY (poortry.sys, poortry1.sysDriverpoortry1.sysPOORTRY variantOpen plate →, poortry2.sysDriverpoortry2.sysPOORTRY variantOpen plate →) is the kernel-mode half of a small toolkit publicly disclosed in December 2022 whose only job is to terminate antivirus and EDR processes. The user-mode loader (called STONESTOP) installs and steers it; the driver exposes an IOCTL surface for killing protected processes from kernel mode.

The reason it is famous, and the reason it sits at the top of every published list of malicious drivers, is that it was signed through Microsoft's own Windows Hardware Quality Labs (WHQL) program. SentinelOne (case 75361) and Mandiant disclosed the toolkit to Microsoft in October 2022; Microsoft published advisory ADV220005 and revoked the certificates used. Investigation revealed that several Microsoft Partner Center developer accounts had been used to submit malicious drivers and obtain Microsoft signatures. Mandiant tracked one user as UNC3944, the SIM-swap-adjacent crew also publicly associated with high-profile telecom and gaming-publisher intrusions.

Unlike most entries in this catalog, POORTRY is not part of any legitimate product. It is malware. Vera notes it on the public record because the security industry has named it, named the disclosure timeline, and named who used it. If this filename is on a system, the answer is not 'update the vendor.' There is no vendor. Take it to incident response.

What the record shows

poortry.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “poortry.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/poortry-sys