As you have probably heard, a group known as the Shadow Brokers released a large cache of Windows tools and exploits. One of the exploits installs a kernel mode implant known as DOUBLEPULSAR. There have been several good articles written on DOUBLEPULSAR already, so I won't repeat that work here.

https://www.renditioninfosec.com/2017/04/doublepulsar-infections-rising/