A Quiet Contribution, Long Before the Noise: Northwave and LOLDrivers

Not all security research arrives with a launch post. In 2024, Northwave quietly shared vulnerable kernel driver research with LOLDrivers, months before public attention. This post looks at how that work landed, and why quiet contributions matter.

January 21, 2026 · 4 min read

Not everything worth knowing in security arrives with an announcement.

Sometimes it shows up as a direct message, a CSV file, and a long stretch of silence while the work gets done properly.

Back in mid-2024, Alex Oudenaarden from Northwave Cyber Security reached out with a simple question: would LOLDrivers be interested in a set of vulnerable kernel drivers his team had been researching?

There was no launch plan. No blog post queued up. Just a group of researchers doing the unglamorous work of cataloging drivers that could realistically be abused by attackers.

The answer, of course, was yes.

Research before recognition

Northwave’s team had been digging into kernel driver vulnerabilities as part of broader research into privilege escalation and attacker tradecraft. As a side effect of that work, they had identified a number of widely deployed, legitimately signed drivers with vulnerabilities of varying severity.

Some were obvious candidates for abuse. Others were subtler. All of them mattered.

What stood out wasn’t just the volume of findings, but the care taken around disclosure. Drivers still moving through coordinated vulnerability disclosure were held back. Others were shared only once vendors had time to respond.

This wasn’t a dump-and-run contribution. It was measured, deliberate, and responsible.

How it actually landed in LOLDrivers

Northwave shared a CSV - hashes, severity assessments, categories, and notes. From there, the drivers were converted into LOLDrivers entries, enriched, validated against things like WDAC and HVCI behavior, and attributed properly to the researchers involved.

By September 2024, the first wave of Northwave’s research was live in LOLDrivers.

And then… nothing happened.

No announcement. No blog. No post.

The drivers simply existed - quietly - where defenders could find them.

https://www.loldrivers.io/drivers/07c57c69-c8d7-40cf-8bcc-612671427044

https://www.loldrivers.io/drivers/0f64bf7a-2ef2-45ea-af7d-4e7c87d98777

https://www.loldrivers.io/drivers/30e8d598-2c60-49e4-953b-a6f620da1371

https://www.loldrivers.io/drivers/3a9ea9a6-e5e3-439a-b892-1f78dd990099

https://www.loldrivers.io/drivers/424a387e-735e-49d1-99de-f067dcf1c3e9

https://www.loldrivers.io/drivers/48aeea9b-7812-4b25-9835-baaebe7dc551

https://www.loldrivers.io/drivers/4cb95b41-43b4-4806-b536-ae5fd8c76b0e

https://www.loldrivers.io/drivers/5076e737-6744-4266-bef7-bceda65050d6

https://www.loldrivers.io/drivers/8a1a4a5d-3e41-4539-80cd-0cb751f7fab3

https://www.loldrivers.io/drivers/c44e6197-efab-49d2-8a5f-04ae4a0f0ea0

https://www.loldrivers.io/drivers/c8619f49-8e23-489b-9878-53d27533da15

https://www.loldrivers.io/drivers/d9e9fab2-6b64-4c14-b1ec-7af1923c0773

https://www.loldrivers.io/drivers/ea0e7351-b65c-4c5a-9863-83b9d5efcec3

That’s kind of the point

LOLDrivers has never been about being loud.

A lot of the drivers in the project follow the same pattern as Northwave’s:

  • identified early
  • documented carefully
  • added without fanfare
  • rediscovered much later as “new” by someone else

The value isn’t in the announcement. It’s in the time between discovery and exploitation.

By the time certain drivers resurface publicly - often framed as newly weaponized - they’ve sometimes been sitting in LOLDrivers for months or years.

Northwave’s contribution fits squarely into that pattern.

Why we’re saying something now

Recent attention around BYOVD, and drivers that were quietly tracked long before they trended, felt like the right moment to finally acknowledge this work properly.

Northwave, and researchers like Alex Oudenaarden, Jan-Jaap Korpershoek, and Tijme Gommers, contributed meaningful intelligence to the community without chasing headlines - and that deserves to be said out loud, even if it’s late.

This announcement isn’t about novelty. It’s about credit, context, and continuity.

If you’re doing similar work

This is also how a lot of LOLDrivers grows.

If you’re researching drivers, kernel bugs, or odd behavior in signed code, even if it feels incomplete or “not ready”, there’s space for it. Partial data, early findings, and responsible disclosures all help reduce the window where attackers get to quietly rely on this stuff.

Contributions don’t have to be perfect to be valuable.

You can explore or contribute here: 👉 https://loldrivers.io

From intelligence to enforcement

For many defenders, shared intelligence is enough.

For others, especially larger environments, the harder problem is turning that intelligence into something enforceable, repeatable, and scalable.

That’s where MagicSword comes in.

MagicSword exists to take projects like LOLDrivers and apply them operationally, so vulnerable drivers don’t have to wait for rediscovery before they’re blocked across an organization.

If you want protection at scale, MagicSword is here. If you just want the intel, it’s public - and always will be.

Either way, the work only matters if it’s shared.

Written by Michael Haag

Threat Researcher

In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.
