Eh...sorry noob question from me.
Potentially with Drivers not loaded, can it be a chance which malware perform a check and potentially lay dormant and evade?
Sorry just thinking out loud from my tiny brain
A clarification, in safe mode many drivers are not loaded, but I mean drivers of some software and applications, not only related to malware.
Trying to answer your question, malware context is extremely complex and everything is possible.
For example, because of my work, I've analyzed Stuxnet, and it was designed to harm only those systems with special requirements, while remaining totally dormant in not affected systems. In particular, the malware attacks only Siemens Step7 systems, otherwise the malware itself is designed to be inoperable.
Probably, in the same way some malware activates just secondary sub-routines, causing an infection only in certain situations.
Many malware use drivers, for example some rootkits are implemented by a kernel-mode driver that starts itself during the Windows boot process. When files and registry keys have been hidden, they may not have access to any user-mode process.
Pure rookits seem to be less frequent, but many malicious codes implement rootkits techniques in the attack surface.
In this context, the malware hooks the native core API that allow a driver to be loaded in the kernel and analyzing the Windows API it is possible to identify a call that runs native routine to load the driver into memory by running it.
Of course they there are many ways for drivers to be loaded into memory and executed.