Dragon in the Kernel — Part II

Independent Validation, Certificate History & Expanded Driver Arsenal

dragoncore_k.sys | Zhengzhou 403 Network Technology | Cert Graveyard Collaboration

Overview

Following the publication of Part I, Michael Haag (Principal Threat Research Engineer, Splunk) contacted the authors to share that he had independently reported the same Zhengzhou 403 certificate to GlobalSign on May 1, 2025 — nearly a year before Part I was published, and through an entirely separate investigation path.

His report, submitted via the Cert Graveyard community reporting platform, directly triggered the explicit revocation by GlobalSign documented in Part I. Three independent investigators — the Part I authors, Michael Haag, and the MalwareBazaar community tagging — all converged on the same certificate, the same C2 infrastructure, and the same abuse pattern without coordination. This constitutes robust multi-source confirmation.

Beyond validating the Part I findings, Michael's report introduced evidence that had not yet been documented: a prior Zhengzhou 403 EV certificate active from January 2024, and two additional malicious drivers signed under it — including a process-hiding driver compiled directly from a public GitHub rootkit repository, and YDArkDrv.sys, a well-known Chinese offensive kernel toolkit. Together, these findings expand the Zhengzhou 403 operational picture from a single driver to a complete layered kernel-level offensive stack active for over 15 months.

1. Michael Haag's Independent Report to GlobalSign (May 1, 2025)

Michael Haag submitted the following abuse report to GlobalSign on May 1, 2025, using the Cert Graveyard reporting toolchain (certReport):

1.1 Analytical Significance

2. Prior Certificate — January 2024 to January 2025

Michael's report revealed that Zhengzhou 403 held a prior GlobalSign EV certificate active more than a year before the one analyzed in Part I:

3. Drivers Signed Under the 2024 Certificate

3.1 hide_process Driver — GitHub Rootkit with PDB Path Evidence

What the PDB path reveals:

hide_process-master is a publicly available GitHub repository implementing process hiding via EPROCESS doubly-linked list unlinking — a well-documented kernel rootkit technique. The driver modifies ActiveProcessLinks.Flink and ActiveProcessLinks.Blink in the kernel EPROCESS structure, removing the target process from the list iterated by PsGetNextProcess, ZwQuerySystemInformation, and CreateToolhelp32Snapshot.

A process hidden this way:

• Does not appear in Task Manager, Process Explorer, or any user-mode process enumeration tool
• Does not appear in tasklist, Get-Process, or WMI queries
• Remains detectable only via kernel-level cross-view analysis (EPROCESS vs. handle table comparison)
• Is invisible to PsSetCreateProcessNotifyRoutineEx callbacks after the unlinking occurs

Operational security observation: The PDB path shows the operator compiled this directly from a cloned GitHub repository on an Administrator desktop (C:\Users\Administrator\Desktop\). This is minimal OpSec on the development machine — consistent with the i-SOON leaked tooling methodology where operators adapt publicly available offensive security research rather than writing tooling from scratch.

Combined capability with dragoncore_k.sys:

When deployed alongside dragoncore_k.sys, these two drivers form a complementary offensive stack:

Together: blind the security tool, spoof its telemetry, then make the attacker's process disappear from any remaining visibility.

3.2 YDArkDrv.sys — Professional Chinese Rootkit Toolkit

YDArk background:

YDArk is a well-documented Chinese offensive security / rootkit toolkit, widely known in Chinese security research communities since 2019. Its kernel driver component YDArkDrv.sys provides a comprehensive suite of system manipulation capabilities:

4. The Complete Kernel Offensive Stack

Across both certificates, Zhengzhou 403 signed the following coherent offensive toolkit:

No legitimate driver development company produces all five layers of this stack under the same EV certificate across 15 months. This is a coordinated offensive toolkit. Zhengzhou 403 Network Technology Co., Ltd. was its signing vehicle.

5. Revised Operational Timeline

6. Updated Indicators of Compromise

Additional File Hashes

Additional Certificate (2024)

Additional Behavioral Indicators

• PowerShell Add-MpPreference -ExclusionPath commands targeting Common Files\System\* prior to driver load
• CreateService events for unsigned or novel kernel drivers immediately following PowerShell Defender exclusion commands
• Any process-enumeration anomalies where EPROCESS walking returns different results from ZwQuerySystemInformation (indicator of EPROCESS unlinking by hide_process or YDArkDrv.sys)
• SSDT hook detection via integrity verification of KeServiceDescriptorTable entries (YDArkDrv.sys indicator)

7. Conclusions

Michael Haag's independent disclosure transforms the Zhengzhou 403 investigation from a single-discovery finding into a multi-investigator, multi-campaign, multi-certificate confirmed operation spanning at least 15 months of active malicious signing activity (January 2024 – May 2025).

The expanded driver arsenal reveals the full picture of what Zhengzhou 403 was actually signing:

1. dragoncore_k.sys — Kill the EDR, spoof command-line telemetry (Part I)
2. hide_process driver — Hide the attacker's process from kernel enumeration
3. YDArkDrv.sys — Full system-wide stealth across files, registry, drivers, SSDT
4. CobaltStrike Beacon — Persistent C2 with Defender exclusion pre-staging

This is not a collection of opportunistic malware samples. It is a coherent, purpose-built offensive toolkit systematically signed under two consecutive EV certificates by a shell company with no legitimate products, registered address confirmed as an uninhabited hotel-floor address, and a founder whose name possibly matches one in APT31 payroll records..

The natural certificate rotation from the 2024 to the 2025 certificate — timed to avoid revocation scrutiny — demonstrates deliberate operational security planning at the certificate infrastructure level. The Cert Graveyard report by Michael Haag disrupted this rotation by triggering an explicit revocation, cutting the second certificate's operational life from a planned 12 months to approximately 5 weeks.

8. Acknowledgements

Special thanks to Michael Haag (@M_haggis, Principal Threat Research Engineer at Splunk) for independently identifying the Zhengzhou 403 certificate abuse in May 2025, submitting the GlobalSign revocation report that directly triggered the certificate revocation documented in Part I, and sharing his findings with the authors to enable this Part II publication.

Thanks also to Squiblydoo for creating and maintaining Cert Graveyard — the community infrastructure that made it possible to report, track, and revoke this certificate. Without platforms like Cert Graveyard, certificate abuse of this kind would continue undetected for far longer.

9. References

1. Part I — Alex Necula, Ellis Stannard — DragonBreath: Dragon in the Kernel — Ransom-ISAC, April 22, 2026 — https://ransom-isac.org/blog/dragonbreath-dragon-in-the-kernel/
2. Michael Haag — Independent GlobalSign abuse report, May 1, 2025 — via Cert Graveyard / certReport
3. Cert Graveyard — Squiblydoo — Community code-signing certificate abuse reporting platform — https://certgraveyard.org
4. Squiblydoo Blog — The CertGraveyard — https://squiblydoo.blog/2026/04/01/the-certgraveyard/
5. Michael Haag / Splunk — Threat Research — https://www.splunk.com/en_us/blog/author/mhaag.html
6. VirusTotal — Trojanized Telegram sample — ce38c96a... — https://www.virustotal.com/gui/file/ce38c96a69a8a1c6828e11742355c41b878198e08d7efbe73eefa1b5cbe623c5/detection
7. VirusTotal — hide_process driver — 8b5af508... — https://www.virustotal.com/gui/file/8b5af508dcee04dbb7dabdffeff03726ef821182ffdb8a930af57e9e71740440/details
8. VirusTotal — YDArkDrv.sys — 256eebb3... — https://www.virustotal.com/gui/file/256eebb34389854fb0befdbfb75cefb7354c75ab02239695899bdd2f37e1bd73/details
9. any.run sandbox — Trojanized Telegram installer analysis — https://app.any.run/tasks/d59af4e9-9591-4eaa-9f79-404b411041f3
10. MalwareBazaar — Zhengzhou 403 certificate tag — https://bazaar.abuse.ch/browse/tag/Zhengzhou-403-Network-Technology-Co-Ltd/
11. SangYun Shin / Medium — How to Find Processes Hidden by YDArk.exe — https://medium.com/@iamshinsangyun/how-to-find-processes-hidden-by-ydark-exe-18525318164a
12. Elastic Security Labs — RONINGLOADER: DragonBreath's New Path to PPL Abuse — November 15, 2025 — https://www.elastic.co/security-labs/roningloader