The cyber threat group known as Silver Fox has been identified leveraging a previously unknown vulnerability in the WatchDog Anti-malware driver, amsdk.sys (version 1.0.600), to disable security measures on compromised systems. This driver, built upon the Zemana Anti-Malware SDK, is a 64-bit, Microsoft-signed Windows kernel device driver. Notably, it was absent from Microsoft’s Vulnerable Driver Blocklist and undetected by community projects like LOLDrivers.
Silver Fox’s attack strategy involves a dual-driver approach: utilizing a known vulnerable Zemana driver (zam.exe) for Windows 7 systems and the undetected WatchDog driver for Windows 10 and 11 systems. The vulnerabilities in the WatchDog driver include the ability to terminate arbitrary processes without verifying their protection status and susceptibility to local privilege escalation, granting attackers unrestricted access to the driver’s device.
First observed by Check Point in late May 2025, the campaign aims to neutralize endpoint protection products, facilitating malware deployment and persistence without triggering signature-based defenses. The final payload is ValleyRAT (also known as Winos 4.0), providing remote access and control capabilities to the attackers. The attacks employ an all-in-one loader that encapsulates anti-analysis features, two embedded drivers, antivirus killer logic, and the ValleyRAT DLL downloader in a single binary.
Upon execution, the loader performs several anti-analysis checks, including detection of virtual environments, sandbox execution, and hypervisors. If any of these checks detects an analysis environment, execution is aborted and a fake system error message is displayed. The downloader then contacts a command-and-control server to fetch the modular ValleyRAT backdoor onto the infected machine.
Following responsible disclosure, WatchDog released a patch (version 1.1.100) that addresses the local privilege escalation risk by enforcing a strong Discretionary Access Control List (DACL) on the driver's device. However, the arbitrary process termination issue remains unaddressed. Attackers adapted by modifying a single byte in the signature's unauthenticated timestamp field, a region that the Authenticode hash does not cover: the driver's Microsoft signature stays valid while the file hash changes, which is enough to bypass blocklists keyed on the file hash.
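The defensive counterpart to that byte flip is to key detections on the Authenticode PE hash rather than the whole-file hash, since the Authenticode digest skips the CheckSum field, the Certificate Table directory entry and the certificate table itself (this is also the hash that WDAC hash rules use). The following is an added example, not code from Check Point or WatchDog: it computes that digest with the standard library, builds a constructed PE32+ fixture (not a real driver), and shows that an edit inside the signature blob changes the file hash but not the Authenticode hash. It assumes the common layout where sections are contiguous and in file order and the certificate table comes last.

```python
import hashlib
import struct


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Digest of a PE image with the regions Authenticode excludes left out: the
    CheckSum field, the Certificate Table directory entry and the certificate table.
    Assumes the common layout (sections contiguous and in file order, certificate
    table last); the full spec additionally sorts sections by PointerToRawData."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                                # optional header
    magic = struct.unpack_from("<H", data, opt)[0]               # 0x20B = PE32+
    checksum = opt + 64                                          # CheckSum field
    cert_entry = opt + (112 if magic == 0x20B else 96) + 4 * 8   # security data directory
    cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)
    headers_end = struct.unpack_from("<I", data, opt + 60)[0]   # SizeOfHeaders
    if cert_size == 0:                                           # unsigned: nothing to skip
        cert_off = len(data)
    h = hashlib.new(algo)
    for lo, hi in ((0, checksum), (checksum + 4, cert_entry), (cert_entry + 8, headers_end),
                   (headers_end, cert_off), (cert_off + cert_size, len(data))):
        h.update(data[lo:hi])
    return h.hexdigest()


def build_sample_pe(signature: bytes) -> bytes:
    """Constructed minimal PE32+ fixture: headers, one .text section, then a
    WIN_CERTIFICATE wrapping `signature` as the certificate table. Not a real driver."""
    pe, hdr_size, sec_size = 0x80, 0x200, 0x200
    cert = struct.pack("<IHH", 8 + len(signature), 0x200, 2) + signature  # WIN_CERTIFICATE
    hdr = bytearray(hdr_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<II", hdr, opt + 60, hdr_size, 0xDEADBEEF)  # SizeOfHeaders, CheckSum
    struct.pack_into("<II", hdr, opt + 112 + 4 * 8, hdr_size + sec_size, len(cert))
    sec = opt + 240                                              # first section header
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, sec_size, hdr_size)   # SizeOfRawData, PointerToRawData
    return bytes(hdr) + b"\xCC" * sec_size + cert


def signature_edit_survives(original: bytes, tampered: bytes) -> bool:
    """True when the file hash differs but the Authenticode hash is unchanged, i.e. a
    blocklist keyed on the Authenticode hash would still match the modified file."""
    return (hashlib.sha256(original).digest() != hashlib.sha256(tampered).digest()
            and authenticode_hash(original) == authenticode_hash(tampered))
```

Run `authenticode_hash` over a driver on disk and compare against the Authenticode hashes published for known vulnerable drivers; a match means the file is blocked regardless of edits inside its signature.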
This campaign highlights how threat actors are exploiting previously unclassified, signed drivers, a blind spot for defenses that rely on blocklists of already-known bad drivers. Pairing a Microsoft-signed vulnerable driver that no blocklist covered with evasive techniques such as signature manipulation makes this a sophisticated and evolving threat.