← All drivers
vulnerable
Driver

wsftprm.sys

Topaz Antifraud (bank fraud-prevention driver)

From Topaz Evolution
Status
On a known-vulnerable list
Known variants
2 distinct hashes
Public CVEs
1
Field notes

wsftprm.sys is a kernel driver from Topaz Evolution's Topaz Antifraud product, a fraud-prevention plugin used primarily by Brazilian and Spanish banks. A normal gamer would not have it unless their online banking with one of those institutions installed it as part of the bank's security stack.

CVE-2023-52271, disclosed by Tijme Gommers, Jan-Jaap Korpershoek, and Alex Oudenaarden at Northwave Cyber Security in October 2023, documents that the driver allowed any local user to terminate Protected Process Light targets through its IOCTL interface. That class of target includes Microsoft Defender and most endpoint-protection processes. Topaz patched the driver on October 10, 2023.

BYOVD research catalogs and the public Northwave advisory noted that the driver was not on Microsoft's Vulnerable Driver Blocklist at the time of disclosure, which made it a convenient signed primitive for criminal threat actors looking to disable endpoint protection.

If you find it and you do not bank with a Brazilian or Spanish institution that uses Topaz, look at what installed it. If you do, the bank's portal is how the plugin updates.

What the record shows

wsftprm.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

Public CVEs
What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “wsftprm.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/wsftprm-sys