
Malicious hackers known as Silver Fox APT are exploiting a weakness in outdated drivers to infiltrate Windows 10 and 11 systems, outsmarting EDR/AV software in the process.

Malicious hacking group Silver Fox leverages vulnerability in WatchDog driver to evade protection measures like EDR and AV, utilizing legitimate, digitally signed drivers and stealthy loaders to attack contemporary Windows systems.

Windows 10 and 11 systems targeted by Silver Fox APT hackers, exploiting driver vulnerabilities to bypass EDR/AV security measures.


A campaign attributed to the Silver Fox APT group has been underway since mid-2025. The campaign is confirmed to deliver ValleyRAT, and it relies on an unusual technique: exploiting a vulnerable Microsoft-signed driver.

The initial stage of the attack involves deploying a self-contained loader that embeds multiple drivers and anti-analysis layers. One of the drivers exploited in this campaign is the WatchDog Antimalware driver, specifically version 1.0.60 of the component built on the Zemana Anti-Malware SDK.

Infected machines receive a loader binary that first performs checks against virtual machines, sandboxes, and known analysis environments. If these checks pass, the loader drops two drivers: one legacy Zemana-based driver for older systems and the newer WatchDog Antimalware driver for modern targets.

The exploited WatchDog Antimalware driver bypasses endpoint detection and response (EDR) and antivirus (AV) protections on fully patched Windows 10 and 11 systems. After terminating security processes, the loader decodes and injects a UPX-packed ValleyRAT downloader module into memory.

The modified driver then loads on target systems without complaint, and the attack chain continues. Notably, the modification preserves the Microsoft Authenticode signature while producing a new file hash, so hash-based blocklists are bypassed even though signature validation still succeeds.

The nested loader used by Silver Fox APT underscores a broader trend: adversaries weaponizing legitimate, signed drivers and manipulating timestamp countersignatures to evade both static and behavior-based detection.

The campaign's custom EDR/AV killer terminates popular antivirus and endpoint-protection services by working through a Base64-encoded list of more than 190 process names. The final ValleyRAT backdoor payload is fetched by the downloader module.

Although WatchDog released a patched driver (wamsdk.sys, version 1.1.100), Silver Fox adapted by flipping a single byte within the unauthenticated attributes of the driver's signature timestamp. Because those attributes lie outside the data the signature covers, the signature still validates while the file's hash changes.
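The two paragraphs above describe the core trick: a byte changed inside the signature blob alters the file's SHA-256 but leaves the Authenticode signature valid. The script below is an added example, not code from the article or from any vendor; it builds a small constructed PE32+ image with a placeholder certificate table (filler bytes, not real PKCS#7), computes both the plain file hash and the PE Authenticode hash (which skips the CheckSum field, the security directory entry and the certificate table, as the Authenticode spec requires), and shows that a flip inside the certificate table changes only the former, while a flip inside `.text` changes both. The `build_sample_pe`, `flip_byte` and `matches_blocklist` helpers and the sample layout are all assumptions made for this demonstration. The defensive point is that a blocklist keyed on the Authenticode hash (the hash Windows Code Integrity and WDAC hash rules are built on) is not evaded by this kind of edit.

```python
import hashlib
import struct

# Layout of the constructed sample image (a stand-in for a signed driver, not a real one)
DOS_SIZE, COFF_SIZE, OPT_SIZE = 64, 20, 240        # PE32+ optional header with 16 directories
FILE_ALIGN = 512
SECURITY_DIR_INDEX = 4                               # IMAGE_DIRECTORY_ENTRY_SECURITY


def build_sample_pe(cert_payload: bytes = bytes(range(256))) -> bytes:
    """Build a minimal PE32+ file: headers, one .text section, then a WIN_CERTIFICATE
    table at the end, which is where an Authenticode signature (and any timestamp
    countersignature with its unauthenticated attributes) is stored. Constructed data."""
    cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    cert += b"\0" * (-len(cert) % 8)                 # certificate entries are 8-byte aligned
    text_off, text_size = FILE_ALIGN, FILE_ALIGN
    cert_off = text_off + text_size                  # table follows the last section

    dos = bytearray(DOS_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_SIZE)      # e_lfanew -> PE signature

    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, OPT_SIZE, 0x0022)

    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, len(cert))

    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x1000, text_size,
                       text_off, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    headers += b"\0" * (FILE_ALIGN - len(headers))
    return headers + bytes([0xC3]) * text_size + cert   # .text is filler 'ret' bytes


def pe_signature_layout(data: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + COFF_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_start = {0x20B: 112, 0x10B: 96}.get(magic)   # PE32+ / PE32 data directory offset
    if dir_start is None:
        raise ValueError("unknown optional header magic")
    secdir_off = opt + dir_start + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    return opt + 64, secdir_off, cert_off, cert_size  # CheckSum sits at optional header +64


def authenticode_sha256(data: bytes) -> str:
    """PE Authenticode digest: the file with the CheckSum field, the security directory
    entry and the certificate table itself left out. Simplification: assumes sections are
    in file order and the certificate table is last, which holds for normally linked and
    signed images (the spec walks sections sorted by raw offset)."""
    checksum_off, secdir_off, cert_off, cert_size = pe_signature_layout(data)
    h = hashlib.sha256()
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    if cert_size:
        h.update(data[secdir_off + 8:cert_off])
        h.update(data[cert_off + cert_size:])        # empty when the table is last
    else:
        h.update(data[secdir_off + 8:])
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one bit toggled at offset (simulates the edit)."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def matches_blocklist(data: bytes, blocked_authenticode_hashes: set) -> bool:
    """Defender-side check: key the blocklist on the Authenticode hash, not the file hash."""
    return authenticode_sha256(data) in blocked_authenticode_hashes


if __name__ == "__main__":
    original = build_sample_pe()
    _, _, cert_off, cert_size = pe_signature_layout(original)
    in_cert = flip_byte(original, cert_off + cert_size - 1)   # inside the signature blob
    in_code = flip_byte(original, FILE_ALIGN)                 # inside .text
    print("file hash changed by cert flip:  ", file_sha256(original) != file_sha256(in_cert))
    print("authenticode changed by cert flip:", authenticode_sha256(original) != authenticode_sha256(in_cert))
    print("authenticode changed by code flip:", authenticode_sha256(original) != authenticode_sha256(in_code))
```

Run as a script it prints True, False, True: the certificate-table edit changes the file hash but not the Authenticode hash, and a code edit changes both. A real signed driver would also need the signature verified (signtool, `Get-AuthenticodeSignature`), but the hashing logic is the same.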

The technique is subtle, and it shows why blocklists keyed on file hashes alone are not enough. The available sources do not explicitly name the development company behind the driver. The exploitation was publicly reported on September 2, 2025.

The loader's "Termaintor" service provides persistence for the loader stub and handles driver loading. The modified drivers are registered as kernel services: the legacy driver on Windows 7 and the newer one on Windows 10/11.
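Registering a dropped driver as a kernel service leaves a trace: a service-installed event with a kernel-mode service type and an image path outside the usual drivers directory. The detection below is an added example, not the article's or any vendor's code, and runs over constructed records shaped like Windows System log Event ID 7045; the service names and paths are made up for the example (the real campaign's paths are not given in the article), and `C:\Windows` is assumed as the system root. It normalizes the path spellings the Service Control Manager accepts and flags kernel-mode driver services loaded from anywhere other than `System32\drivers`.

```python
# Constructed records in the shape of Windows System log Event ID 7045
# ("A service was installed in the system"). Names and paths are made up for
# this example; only ServiceType and ImagePath drive the rule.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Termaintor", "ServiceType": "user mode service",
     "StartType": "auto start", "ImagePath": "C:\\ProgramData\\Update\\stub.exe"},
    {"EventID": 7045, "ServiceName": "wamsdk", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": "\\??\\C:\\ProgramData\\Update\\wamsdk.sys"},
    {"EventID": 7045, "ServiceName": "legacy_av_drv", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": "C:\\Users\\Public\\legacy_av_drv.sys"},
    {"EventID": 7045, "ServiceName": "vendor_nic", "ServiceType": "kernel mode driver",
     "StartType": "boot start", "ImagePath": "\\SystemRoot\\System32\\drivers\\vendor_nic.sys"},
    {"EventID": 7045, "ServiceName": "vendor_usb", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": "system32\\DRIVERS\\vendor_usb.sys"},
]

SYSTEM_ROOT = "c:\\windows"                      # assumed install root for normalization
DRIVER_DIR = SYSTEM_ROOT + "\\system32\\drivers\\"


def normalize_image_path(path: str) -> str:
    """Fold the spellings the Service Control Manager accepts (NT prefix, \\SystemRoot,
    %SystemRoot%, paths relative to the Windows directory) into one lower-case absolute
    form, so the directory check cannot be dodged by notation."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    p = p.replace("%systemroot%", SYSTEM_ROOT)
    if p.startswith("system32\\"):
        p = SYSTEM_ROOT + "\\" + p
    return p


def is_suspicious_driver_install(event: dict) -> bool:
    """Flag a kernel-mode driver service whose image lives outside System32\\drivers."""
    if event.get("EventID") != 7045 or event.get("ServiceType") != "kernel mode driver":
        return False
    return not normalize_image_path(event["ImagePath"]).startswith(DRIVER_DIR)


def suspicious_driver_services(events) -> list:
    """Return the names of flagged driver services, in log order."""
    return [e["ServiceName"] for e in events if is_suspicious_driver_install(e)]


if __name__ == "__main__":
    for name in suspicious_driver_services(SAMPLE_EVENTS):
        print("kernel driver installed from a non-standard location:", name)
```

Legitimate installers occasionally stage a driver from a temporary directory before copying it into place, so treat a hit as a lead for triage (who installed it, is the signer expected, does its Authenticode hash match a known vulnerable driver) rather than a verdict on its own.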

ValleyRAT, also known as "Winos", provides full remote-access capability, including command execution and data exfiltration. The campaign is a reminder that adversaries continue to exploit vulnerabilities in signed drivers, and of the importance of keeping systems updated and secured.
