Genshin Impact’s Anti-Cheat System Is Being Used To Spread Ransomware


Over the past few years, there has been increasing concern about the serious security threats posed by kernel-mode anti-cheat systems. It turns out that the threat is very, very real: Genshin Impact’s anti-cheat driver is reportedly being used by a malicious actor to spread ransomware, by terminating antivirus processes so they cannot interfere with the payload.

According to a whitepaper written by Trend Micro, mhyprot2.sys, the kernel-mode driver Genshin Impact uses to detect and deter cheaters, is being abused to obtain kernel-level privileges, giving malware unimpeded access to system processes and services. And it gets worse: the driver cannot simply be removed from circulation, and because it is legitimately signed it can be loaded and abused even on machines where Genshin Impact was never installed or has already been uninstalled.

“Security teams and defenders should note that mhyprot2.sys can be integrated into any malware,” wrote the whitepaper’s authors. “Genshin Impact does not need to be installed on a victim’s device for this to work; the use of this driver is independent of the game.”

“This module is very easy to obtain and will be available to everyone until it is erased from existence,” reads the paper. “It could remain for a long time as a useful utility for bypassing privileges. Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module.”
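The practical consequence for defenders is that a clean code signature tells you nothing here. The following is an added example, not code from the Trend Micro paper or from this article, of the kind of triage logic a detection engineer might run over Sysmon DriverLoad (Event ID 6) records: it flags any load of mhyprot2.sys and escalates when the game is not installed on the host or the driver is loaded from outside the game's directory. The sample events, the expected install root and the severity labels are constructed assumptions; only the driver name comes from the report.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Driver named in the Trend Micro research; the only identifier taken from the page.
TARGET_DRIVER = "mhyprot2.sys"

# Assumed install root for the game. Example value only; adjust to your estate.
EXPECTED_ROOTS = ("c:\\program files\\genshin impact\\",)

# Constructed Sysmon DriverLoad (Event ID 6) records. Field names follow Sysmon's
# schema; every value is made up for this example. Note that the signature fields
# look clean in every case: the driver really is signed, which is the whole problem.
SAMPLE_EVENTS = [
    {"EventID": 6,
     "ImageLoaded": r"C:\Program Files\Genshin Impact\Genshin Impact Game\mhyprot2.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6,
     "ImageLoaded": r"C:\Users\Public\Temp\mhyprot2.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7,  # user-mode image load, not a driver load; must be ignored
     "ImageLoaded": r"C:\Users\Public\Temp\mhyprot2.sys"},
]


@dataclass
class Finding:
    path: str
    severity: str  # "high" or "info"
    reason: str


def classify_driver_load(event: dict, game_installed: bool) -> Optional[Finding]:
    """Return a Finding for a DriverLoad of the target driver, else None."""
    if event.get("EventID") != 6:
        return None
    path = event.get("ImageLoaded", "")
    # ntpath, not os.path: the log holds Windows paths even when this runs on Linux.
    if ntpath.basename(path).lower() != TARGET_DRIVER:
        return None
    if not game_installed:
        return Finding(path, "high",
                       "driver loaded but Genshin Impact is not installed")
    if not path.lower().startswith(EXPECTED_ROOTS):
        return Finding(path, "high",
                       "driver loaded from outside the game's install directory")
    # Even the expected case is recorded: a valid signature does not rule out abuse.
    return Finding(path, "info",
                   "driver loaded from expected path; signature status is not evidence of safety")


def scan(events: Iterable[dict], game_installed: bool) -> List[Finding]:
    """Run the classifier over a batch of events and keep only the hits."""
    hits = []
    for event in events:
        finding = classify_driver_load(event, game_installed)
        if finding is not None:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, game_installed=True):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

In a real deployment the `game_installed` flag would come from a software inventory or the host's uninstall registry entries rather than a hard-coded argument, and a high-severity hit is worth correlating with process-termination events against security tooling in the minutes that follow the load, since that is the behaviour the report describes.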

Kernel-level anti-cheat systems are, however, very effective at weeding out cheaters, which is why they are used by plenty of other games, including Riot Games’ popular competitive shooter Valorant. Riot’s Vanguard anti-cheat software raised concern among players when it was first announced because it starts as soon as Windows boots and keeps running even when you’re not playing the game. But for some gamers, the risk is well worth it.

Unfortunately, now that the vulnerability has been publicly documented, the floodgates are undoubtedly open to further abuse.