In mid-2025, cybersecurity researchers identified a sophisticated campaign orchestrated by the Silver Fox Advanced Persistent Threat (APT) group. This state-sponsored entity has been exploiting a previously undisclosed vulnerability in the WatchDog Antimalware driver (amsdk.sys, version 1.0.600) to compromise fully patched Windows 10 and 11 systems. By leveraging this Microsoft-signed driver, Silver Fox effectively bypasses endpoint detection and response (EDR) and antivirus (AV) protections without triggering signature-based defenses.
Attack Methodology
The attack initiates with the deployment of a self-contained loader embedded with multiple drivers and anti-analysis layers. Upon infection, the loader performs checks to detect virtual machines, sandboxes, and known analysis environments, ensuring it operates only in genuine user environments. Once these checks are cleared, the loader drops two drivers into the `C:\Program Files\RunTime` directory:
– A legacy Zemana-based driver for compatibility with older systems.
– The newer WatchDog Antimalware driver for modern Windows 10 and 11 systems.
These drivers are then registered as kernel services:
– The legacy driver under `ZAM.exe` for Windows 7.
– `amsdk.sys` for Windows 10 and 11.
The loader’s Terminator service ensures persistence for the executed loader stub, while `Amsdk_Service` facilitates driver loading.
Exploitation of the Vulnerable Driver
After driver registration, the campaign’s custom EDR/AV killer logic opens a handle to the vulnerable driver’s device namespace (`\\.\amsdk`) and issues IOCTL calls to register the malicious process and terminate protected security service processes. The termination routine reads from a Base64-encoded process list of over 190 entries, encompassing popular antivirus and endpoint protection services. It then sends `IOCTL_TERMINATE_PROCESS` commands via `DeviceIoControl` to eliminate running defenses.
By exploiting the driver’s lack of a `FILE_DEVICE_SECURE_OPEN` flag and missing Protected Process (PP) and Protected Process Light (PPL) checks, Silver Fox achieves reliable AV evasion.
Payload Deployment
Following the termination of security processes, the loader decodes and injects a UPX-packed ValleyRAT downloader module into memory. This module connects to command-and-control (C2) servers hosted in China, decrypts configuration traffic using a simple XOR cipher, and fetches the final ValleyRAT backdoor payload. ValleyRAT, also known as Winos, offers full remote access capabilities, including command execution and data exfiltration, confirming the campaign’s attribution to Silver Fox.
Detection Evasion through Signed-Driver Manipulation
Although WatchDog released a patched driver (wamsdk.sys, version 1.1.100) following disclosure, Silver Fox quickly adapted by modifying a single byte within the unauthenticated attributes of the driver’s signature timestamp. This subtle alteration preserved the Microsoft Authenticode signature while generating a new file hash, effectively bypassing hash-based blocklists without altering signature validity. The altered driver is then seamlessly loaded on target systems, continuing the exploitation cycle.
This technique underscores a broader trend: adversaries weaponizing legitimate, signed drivers and manipulating timestamp countersigns to evade both static and behavior-based detection mechanisms.
Implications and Recommendations
The Silver Fox campaign highlights the evolving tactics of APT groups in exploiting legitimate drivers to bypass security measures. Organizations are advised to:
– Regularly Update Security Software: Ensure all security solutions are up-to-date to detect and mitigate known vulnerabilities.
– Monitor for Anomalous Activity: Implement robust monitoring to detect unusual behaviors indicative of driver exploitation.
– Employ Driver Blocklisting: Utilize policies to block known vulnerable drivers from loading.
– Enhance Endpoint Security: Deploy advanced endpoint protection solutions capable of detecting and preventing driver-based attacks.
By adopting these measures, organizations can bolster their defenses against sophisticated threats like those posed by the Silver Fox APT group.
