Check Point Research (CPR) has uncovered a sophisticated campaign by the Silver Fox APT group leveraging a previously unknown, Microsoft-signed vulnerable driver to disable endpoint protections and deploy the ValleyRAT backdoor across Windows systems.
At the heart of the operation is a driver named amsdk.sys (WatchDog Antimalware, version 1.0.600), built on the Zemana Anti-Malware SDK. According to CPR, “This driver, although built upon the same SDK as previously known vulnerable components, was not classified as vulnerable, was signed by Microsoft, and not detected by Microsoft’s Vulnerable Driver Blocklist or community-driven sources like the LOLDrivers database.”
This allowed attackers to load the driver even on fully updated Windows 10 and 11 systems, bypassing OS-level protections such as Protected Processes (PP/PPL). The driver was abused to terminate security processes, effectively neutralizing antivirus and endpoint detection and response (EDR) solutions.
To maximize reach, attackers employed a dual-driver strategy. As CPR explains, “A dual-driver strategy was employed to ensure compatibility across Windows versions: a known vulnerable Zemana driver for legacy systems, and the undetected WatchDog driver for modern environments. Both were embedded in a single self-contained loader which also included anti-analysis layers and the ValleyRAT downloader.”
This approach enabled Silver Fox APT to evade defenses on both legacy Windows 7 systems and the latest Windows builds.
Even after disclosure, attackers adapted quickly. CPR notes: “Following CPR’s disclosure, the vendor released a patched driver (wamsdk.sys, version 1.1.100). Although we promptly reported that the patch did not fully mitigate the arbitrary process termination issue, the attackers quickly adapted and incorporated a modified version of the patched driver into the ongoing campaign.”
In a subtle but effective move, the attackers “flipped a single byte in the unauthenticated timestamp field, preserving the driver’s valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists.”
This manipulation highlights the limitations of signature- and hash-based detection when attackers can subtly alter binaries while maintaining valid digital signatures.
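The reason the byte flip works is that a hash blocklist keys on the SHA-256 of the whole file, whereas the Microsoft signature covers the Authenticode hash, which deliberately excludes the certificate table (where the timestamp lives), the CheckSum field and the Security data-directory entry. The script below is an added illustration, not code from CPR's report: it builds a constructed, non-loadable PE32+ stub with a placeholder certificate blob, then shows that flipping a byte inside that blob changes the file hash but leaves the Authenticode hash untouched, which is why defenders should key detections on the Authenticode hash (or signer identity plus original filename) rather than file hashes alone. The `authentihash` implementation is simplified (no section reordering or overlay handling) and is meant for reading, not as a drop-in verifier.

```python
import hashlib
import struct

E_LFANEW_OFF = 0x3C       # DOS header field holding the PE header offset
CHECKSUM_OFF = 64         # CheckSum offset in the optional header (PE32 and PE32+)
SECURITY_DIR_INDEX = 4    # IMAGE_DIRECTORY_ENTRY_SECURITY
# Constructed stand-in for the PKCS#7 blob; the marker plays the unauthenticated timestamp.
SAMPLE_CERT = b"PKCS7-placeholder|<unauthenticated-timestamp>|end"

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()   # what a plain hash blocklist keys on

def authentihash(pe: bytes) -> str:
    """Authenticode hash: the image minus CheckSum, Security dir entry and cert table."""
    pe_off = struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 4 + 20                     # past the signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    secdir = opt + (112 if magic == 0x20B else 96) + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)
    checksum = opt + CHECKSUM_OFF
    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:secdir])
    h.update(pe[secdir + 8:cert_off if cert_size else len(pe)])
    if cert_size:
        h.update(pe[cert_off + cert_size:])   # bytes appended after the table (simplified)
    return h.hexdigest()

def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ (not loadable) with an appended WIN_CERTIFICATE."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, E_LFANEW_OFF, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, no sections
    code = b"\x90" * 32 + b"constructed-driver-code"
    code += b"\0" * (-len(code) % 8)          # certificate table is 8-byte aligned
    cert_off = 64 + 4 + 20 + 240 + len(code)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)     # PE32+ magic
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code + win_cert

def flip_byte(data: bytes, offset: int) -> bytes:
    buf = bytearray(data)
    buf[offset] ^= 0x01                       # single-bit edit, as the article describes
    return bytes(buf)
```

Flipping the byte inside the certificate blob changes `file_hash` but not `authentihash`, while flipping a byte in the code region changes both; a detection keyed on the Authenticode hash therefore survives the re-hashing trick.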
The end goal of the campaign is the deployment of ValleyRAT, a modular Remote Access Trojan (RAT). As CPR states, “The final payload delivered in all observed samples was ValleyRAT, a modular Remote Access Trojan attributed to the Silver Fox APT with infrastructure located in China.”
ValleyRAT provides attackers with remote surveillance, command execution, and data exfiltration capabilities, cementing its role as the core espionage tool in the campaign.
The campaign highlights a troubling trend in BYOVD (Bring Your Own Vulnerable Driver) attacks, where adversaries weaponize signed-but-vulnerable kernel drivers to bypass modern security mechanisms. CPR emphasizes: “This campaign highlights a growing trend of weaponizing signed-but-vulnerable drivers to bypass endpoint protections and evade static detection.”
By exploiting trusted Microsoft-signed drivers and modifying patched components, Silver Fox APT demonstrates the increasing sophistication of driver-based exploitation, raising questions about the resilience of signature-based trust models.