Genshin Impact anti-cheat software under fire after hackers allegedly exploit it to disable antivirus

Anti-cheat software is often necessary to curb cheaters, yet in a game like Genshin Impact it can itself be exploited. Attackers can apparently abuse its kernel-mode driver, and not for good reasons.

The gist of the issue is tied to a kernel driver known as mhyprot2.sys, which provides Genshin Impact's anti-cheat functions.

Several tech-based websites have reported ransomware attacks in which that driver was used to bypass privilege checks and terminate processes from kernel mode. Worst of all, the game doesn't need to be installed for this to happen: the attacker brings a copy of the driver along. Unsurprisingly, this has led to some people having their antivirus killed and ransomware installed on their computers.

Information on Genshin Impact’s questionable anti-cheat software and how hackers can use it

The video above contains some important excerpts from Trend Micro's report on their findings. Here is the crucial passage from that report that readers need to understand:

“Analyzing the sequence, we found that a code-signed driver called “mhyprot2.sys”, which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused to bypass privileges. As a result, commands from kernel mode killed the endpoint protection processes.”

mhyprot2.sys does help stop players from blatantly cheating in this game, but it can also be put to nefarious use. The report also states that mhyprot2.sys can be bundled with any malware, making it far more dangerous than players might realize. Because the driver carries a valid code signature, Windows loads it without complaint, so a valid signature on this file is not evidence that it is being used legitimately.

A visualization (Image via Trend Micro)

The whole report is very technical and interesting to read, but some players might not follow all of it. Here is a succinct summary: once mhyprot2.sys is loaded, whatever process controls it gains kernel-level power over the machine, including the ability to terminate antivirus processes, and that makes any system it is copied to vulnerable.

That doesn't mean there will be a massive hack taking over millions of players' data. This report isn't some doom and gloom type of scenario. Instead, it's proof that some ransomware attacks have been happening lately by abusing Genshin Impact's anti-cheat driver.

The report talks about it being used alongside other files to “mass-deploy ransomware.”

The examples used in the report include:

  • logon.bat: a batch script that launches HelpPane.exe and svchost.exe and terminates the victim's antivirus
  • HelpPane.exe: installs mhyprot2.sys (the driver taken from Genshin Impact's anti-cheat)
  • svchost.exe: the ransomware payload, given the name of a legitimate Windows process to blend in

It's extremely easy to obtain mhyprot2.sys, considering that the game it comes from is one of the most popular in the world. The report recommends that players monitor their computers for the driver being loaded, and offers recommendations for antivirus detection of the suspicious files before it's too late.

If the driver is active only while Genshin Impact is running, that's expected. Seeing it loaded at any other time, especially on a machine that has never had the game installed, is cause for concern.
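One way to perform that check on your own machine, as an added example that is not part of the article or of Trend Micro's report: list the driver service, show who signed the file (the point being that the signature is valid even when it is abused), and warn if the driver is loaded while the game is not running. It assumes the driver registers as a kernel service named "mhyprot2" and that the game process is "GenshinImpact.exe"; adjust both if your installation differs.

```powershell
# Added example (not from the article or Trend Micro's report).
# Assumptions: the anti-cheat driver is registered as a kernel driver service
# named "mhyprot2", and the game runs as GenshinImpact.exe. Change as needed.
$driverName  = 'mhyprot2'        # assumed service name of the anti-cheat driver
$gameProcess = 'GenshinImpact'   # assumed game process name (without .exe)

# Every kernel driver service shows up as a Win32_SystemDriver instance.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -eq $driverName -or $_.PathName -match 'mhyprot2\.sys$' }

if (-not $drivers) {
    Write-Output "No $driverName driver service is registered on this machine."
    return
}

# Is the game actually running right now?
$gameRunning = [bool](Get-Process -Name $gameProcess -ErrorAction SilentlyContinue)

foreach ($d in $drivers) {
    # PathName may carry a \??\ or \SystemRoot\ prefix; normalise the common cases.
    $path = $d.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    Write-Output ("Driver {0}: state={1} startmode={2} path={3}" -f `
        $d.Name, $d.State, $d.StartMode, $path)

    if (Test-Path -LiteralPath $path) {
        # The driver is legitimately code-signed, so a "Valid" status here is
        # exactly what you will see in an attack too; it tells you nothing by itself.
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Output ("  signature={0} signer={1}" -f `
            $sig.Status, $sig.SignerCertificate.Subject)
    }

    if ($d.State -eq 'Running' -and -not $gameRunning) {
        Write-Warning ("{0} is loaded but {1}.exe is not running. " -f $d.Name, $gameProcess) +
            "Find out what installed it; the report's sample used a file named HelpPane.exe for that step."
    }
}
```

Run it from an elevated PowerShell prompt so the driver's file path is readable. A clean result is either no registered service at all (the game is not installed) or the driver running only while GenshinImpact.exe is open; a running driver with the game closed, or the service present on a machine that never had the game, matches the pattern the report describes.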

HoYoverse comment

Not much has changed in about a month (Image via HoYoverse)

HoYoverse did comment on this issue back in late August 2022, stating:

“We’re currently working on this case, and will find a solution as soon as possible to safeguard players’ safety and stop potential abuse of the anti-cheat function. We will keep you posted once we have further progress.”

There hasn't been much news since then. HoYoverse cannot recall the copies of the driver already in attackers' hands, and the signed file will keep loading on any Windows machine it is copied to, so it will be interesting to see how they try to prevent this issue from arising in the future.

Edited by Sijo Samuel Paul
