← All drivers
malicious
Driver

telephonuafy.sys

RedDriver browser traffic hijacker

From Unknown threat actor
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

telephonuafy.sys is a variant of RedDriver, a kernel-mode browser traffic hijacker documented by Cisco Talos. RedDriver uses the Windows Filtering Platform (WFP) to intercept network traffic from popular browsers, with a particular focus on Chinese-language browsers. The driver forges its code-signing timestamp using HookSignTool to bypass Windows driver-signing policies.

RedDriver has been active since at least 2021. Its code incorporates components from HP-Socket (a high-performance networking library) and ReflectiveLoader. Talos assessed that both the developer and the targets are likely Chinese-speaking, based on the browsers targeted and the language of internal strings.

Not a legitimate vendor driver. Presence indicates a browser-hijacking compromise. If found, investigate the scope of intercepted traffic and escalate.

What the record shows

telephonuafy.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “telephonuafy.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/telephonuafy-sys