Check Point Research has revealed a sophisticated cyber-espionage campaign led by the Silver Fox APT group, which leverages advanced driver exploitation techniques to evade state-of-the-art endpoint security on Windows 10 and 11 systems.
By abusing previously unknown or unrecognized vulnerabilities in legitimate, Microsoft-signed drivers, these attackers have successfully bypassed even the latest defenses, delivering the dangerous ValleyRAT backdoor undetected.
A Dual-Driver Approach for Stealth and Compatibility
At the core of the operation is a dual-driver strategy ingeniously designed to maximize both stealth and reach. For legacy systems such as Windows 7, Silver Fox deploys a long-known vulnerable Zemana Anti-Malware driver, a component already listed on detection blocklists.
For modern machines running Windows 10 or 11, however, the operation harnesses an unknown, unlisted vulnerable driver: WatchDog Antimalware’s amsdk.sys (version 1.0.600), which, until CPR’s disclosure, was Microsoft-signed, absent from official blocklists, and undetected by security community databases.
Both drivers, packaged within a single self-contained loader, enable the arbitrary termination of processes, even those protected by Windows' key security features, such as Protected Process and Protected Process Light (PP/PPL).
This ability to directly disable security tools, including EDR and antivirus suites, effectively clears the way for malware deployment with no early warning signs.
How the Attack Evades Defenses
Upon deployment, the loader establishes persistence and selects the relevant driver for the Windows version.
The campaign utilizes various anti-analysis techniques to evade detection by researchers and sandboxes, including VM and network detection and exclusion lists to prevent execution on analysis platforms.

Once embedded, the malware arsenal, armed with the chosen driver, executes tailored EDR/AV killer logic, terminating a comprehensive list of security-related processes.
After the core defenses are stripped away, the loader delivers its final payload: ValleyRAT, a robust modular remote access trojan associated with infrastructure in China and attributed to Silver Fox APT.
Signature Manipulation: Bypassing Hash-Based Blocklists
When the WatchDog vendor released a patch (wamsdk.sys, version 1.1.100), attackers rapidly adapted by subtly altering a single byte in the driver’s unauthenticated timestamp field.
This crafty modification generates a new file hash, circumventing hash-based blocklists, while preserving the driver’s valid Microsoft signature, thereby maintaining Windows trust and facilitating continued stealthy exploitation.
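As an added example (not code from the Check Point report), the Python below computes the Authenticode hash of a PE image, which skips the CheckSum field, the certificate-table directory entry and the certificate table itself, and contrasts it with the plain file hash on a constructed stand-in image. A one-byte change inside the certificate table, where the unauthenticated timestamp lives, alters the file hash but not the Authenticode hash, so a blocklist keyed on the latter keeps matching; the sample PE and its certificate blob are constructed, not a real driver.

```python
import hashlib
import struct

# Optional-header offsets. Authenticode excludes three regions from the hash:
# CheckSum, the Certificate Table data-directory entry, and the table itself.
PE32PLUS_MAGIC = 0x20B
CHECKSUM_OFF = 64
SECURITY_DIR_OFF = {0x10B: 96 + 4 * 8, PE32PLUS_MAGIC: 112 + 4 * 8}

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 of the bytes Authenticode signs; assumes sections lie in file order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                      # skip PE signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum = opt + CHECKSUM_OFF
    sec_dir = opt + SECURITY_DIR_OFF[magic]
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir)
    h = hashlib.sha256()
    h.update(pe[:checksum])                  # headers up to CheckSum
    h.update(pe[checksum + 4:sec_dir])       # after CheckSum up to security entry
    if cert_size:
        h.update(pe[sec_dir + 8:cert_off])   # rest of image before the cert table
        h.update(pe[cert_off + cert_size:])  # any trailing data after it
    else:
        h.update(pe[sec_dir + 8:])           # unsigned image: hash the remainder
    return h.hexdigest()

def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ (no sections) with cert_blob in its WIN_CERTIFICATE table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew -> PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    body = b"constructed driver code bytes"
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert_off = 64 + 24 + 240 + len(body)     # cert table sits at the end of the file
    struct.pack_into("<II", opt, SECURITY_DIR_OFF[PE32PLUS_MAGIC], cert_off, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + win_cert

def hashes_change_after_cert_edit(cert_blob: bytes, index: int) -> tuple:
    """Flip one byte inside the cert table; return (file_hash_changed, authenticode_hash_changed)."""
    edited = bytearray(cert_blob)
    edited[index] ^= 0x01
    a, b = build_sample_pe(cert_blob), build_sample_pe(bytes(edited))
    return (hashlib.sha256(a).digest() != hashlib.sha256(b).digest(),
            authenticode_hash(a) != authenticode_hash(b))
```

Matching on the Authenticode hash (or on signer plus original file name) instead of the raw file hash is the check that survives this kind of edit.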
The Broader Impact
This operation exposes a critical blind spot: security that relies on drivers being signed without those drivers ever being scrutinized. Even Microsoft's Vulnerable Driver Blocklist and community projects, such as LOLDrivers, failed to catch the abused driver.
Security experts emphasize the urgent need for layered, behavior-based detection approaches and the timely application of blocklists and custom rules to counter these evolving threats.
Silver Fox APT’s adaptive tactics underscore the growing danger posed by weaponized, signed drivers and the ongoing race between attackers and defenders in securing the Windows ecosystem.