Edward Kiledjian's Threat Intel

Chasing the Silver Fox: Cat & Mouse in Kernel Shadows research.checkpoint.com/2025/silv…

Check Point Research (CPR) uncovered an ongoing in-the-wild campaign attributed to the Silver Fox APT which involves the abuse of a previously unknown vulnerable driver, amsdk.sys (WatchDog Antimalware, version 1.0.600). This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers.

The attackers leveraged this unknown vulnerable driver to terminate protected processes (PP/PPL) associated with modern security solutions, allowing EDR/AV evasion on fully updated Windows 10 and 11 systems without triggering signature-based defenses. A dual-driver strategy was employed to ensure compatibility across Windows versions: a known vulnerable Zemana driver for legacy systems, and the undetected WatchDog driver for modern environments. Both were embedded in a single self-contained loader which also included anti-analysis layers and the ValleyRAT downloader.

Following CPR’s disclosure, the vendor released a patched driver (wamsdk.sys, version 1.1.100). Although CPR promptly reported that the patch did not fully mitigate the arbitrary process termination issue, the attackers quickly adapted and incorporated a modified version of the patched driver into the ongoing campaign. By flipping a single byte in the unauthenticated timestamp field, they preserved the driver’s valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists. This subtle yet efficient evasion technique mirrors patterns seen in earlier campaigns.
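The detection lesson in that paragraph is that a whole-file hash is the wrong key for a driver blocklist: an Authenticode signature covers the PE image minus its CheckSum field, its Security data-directory entry and the certificate table that holds the PKCS#7 blob (and with it the unauthenticated attributes such as the countersignature timestamp), so a byte changed inside that table alters SHA-256 of the file without invalidating the signature. The script below is an added example, not code from CPR or from the WatchDog vendor. It constructs a minimal, synthetic PE32+ image with a placeholder certificate table, implements the Authenticode hashing rule in simplified form (it assumes section data sits contiguously after the headers with no overlay other than the certificate table), and compares how a file-hash blocklist and an Authenticode-hash blocklist react to a one-bit change inside the certificate table versus one inside the code region.

```python
"""File hash vs Authenticode hash when a byte changes inside a PE's certificate table.

Added example, not CPR's or WatchDog's code. The PE image is constructed here with a
placeholder (non-working) certificate blob; only the header layout is realistic.
"""
import hashlib
import struct

OPT_HDR_SIZE = 240                               # PE32+ optional header incl. 16 data directories
HEADERS_SIZE = 0x40 + 4 + 20 + OPT_HDR_SIZE      # DOS stub + "PE\0\0" + COFF header + optional header


def build_sample_pe(cert_payload: bytes) -> bytes:
    """Construct a tiny PE32+ file whose Security directory points at a trailing certificate table."""
    win_cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    win_cert += b"\0" * (-len(win_cert) % 8)     # WIN_CERTIFICATE entries are 8-byte aligned
    body = bytes(range(64))                      # constructed stand-in for section data
    cert_offset = HEADERS_SIZE + len(body)

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, OPT_HDR_SIZE, 0x22)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)        # Magic: PE32+
    struct.pack_into("<I", opt, 60, HEADERS_SIZE)  # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0)           # CheckSum (not covered by the signature)
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_offset, len(win_cert))  # Security directory
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + win_cert


def _signature_layout(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = 112 if magic == 0x20B else 96     # data directories start later in PE32+
    secdir_off = opt + dir_base + 4 * 8          # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    return opt + 64, secdir_off, cert_off, cert_size


def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 over the bytes an Authenticode signature actually covers."""
    checksum_off, secdir_off, cert_off, cert_size = _signature_layout(pe)
    skipped = [(checksum_off, 4), (secdir_off, 8)]
    if cert_size:
        skipped.append((cert_off, cert_size))    # the signature block is never self-hashed
    digest, pos = hashlib.sha256(), 0
    for off, size in skipped:                    # regions are in ascending file order
        digest.update(pe[pos:off])
        pos = off + size
    digest.update(pe[pos:])
    return digest.hexdigest()


def file_sha256(pe: bytes) -> str:
    """Whole-file hash: the key a naive blocklist uses."""
    return hashlib.sha256(pe).hexdigest()


def flip_byte(pe: bytes, offset: int) -> bytes:
    """Return a copy of the image with one bit toggled at the given file offset."""
    mutated = bytearray(pe)
    mutated[offset] ^= 0x01
    return bytes(mutated)


def certificate_table_offset(pe: bytes) -> int:
    return _signature_layout(pe)[2]


def demo() -> dict:
    """Compare both hash keys for an edit outside vs inside the signed region."""
    original = build_sample_pe(b"CONSTRUCTED-PLACEHOLDER-PKCS7-BLOB-NOT-A-REAL-SIGNATURE")
    cert_edit = flip_byte(original, certificate_table_offset(original) + 16)  # inside the signature block
    code_edit = flip_byte(original, HEADERS_SIZE + 8)                          # inside section data
    blocked_file = {file_sha256(original)}
    blocked_auth = {authenticode_sha256(original)}
    return {
        "cert_edit_file_hash_changed": file_sha256(cert_edit) != file_sha256(original),
        "cert_edit_authenticode_changed": authenticode_sha256(cert_edit) != authenticode_sha256(original),
        "cert_edit_caught_by_file_hash_list": file_sha256(cert_edit) in blocked_file,
        "cert_edit_caught_by_authenticode_list": authenticode_sha256(cert_edit) in blocked_auth,
        "code_edit_authenticode_changed": authenticode_sha256(code_edit) != authenticode_sha256(original),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the file hash changing while the Authenticode hash stays put for the certificate-table edit, and the Authenticode hash changing for the code edit. For hunting, the practical consequence is to key driver blocklists and detection rules on the Authenticode hash (or on signer plus original filename), and to treat a known driver that reappears under a new file hash but an unchanged Authenticode hash as a signal worth investigating rather than as a new file.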

The final payload delivered in all observed samples was ValleyRAT, a modular Remote Access Trojan attributed to the Silver Fox APT with infrastructure located in China.

This campaign highlights a growing trend of weaponizing signed-but-vulnerable drivers to bypass endpoint protections and evade static detection.