Silver Fox Exploits Signed Drivers to Deploy ValleyRAT Backdoor

by CybrGPT

A newly detected cyber campaign is exploiting trusted but vulnerable Windows drivers to bypass security protections and install a remote access tool.

The operation, attributed by Check Point Research (CPR) to the Silver Fox APT group, highlights the risks of attackers exploiting Microsoft-signed drivers that were once considered safe.

Abusing Microsoft-Signed Drivers

At the center of the attack is the WatchDog Antimalware driver (amsdk.sys, version 1.0.600).

Although signed by Microsoft and not previously listed as vulnerable, the driver was abused to terminate processes linked to antivirus and EDR tools, clearing the way for the deployment of ValleyRAT – a modular backdoor capable of surveillance, command execution and data exfiltration.

Silver Fox also relied on an older Zemana-based driver (ZAM.exe) to maintain compatibility across systems ranging from Windows 7 to Windows 11.

Both drivers allowed arbitrary process termination, enabling the attackers to disable even protected processes.


Researchers found that the group packed all elements into self-contained loader binaries.

Each sample included:

The campaign quickly evolved, producing variants that used new drivers or altered versions of patched drivers to avoid detection.

Evasion and Attribution

One technique involved modifying a patched WatchDog driver (wamsdk.sys, version 1.1.100) by changing a single byte in its timestamp field. Because Microsoft’s digital signature does not cover this field, the driver signature remained valid yet appeared as a new file with a different hash.
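The reason a one-byte change can produce a new file hash while the signature still validates is that Authenticode does not hash the whole file: the PE checksum field, the security data-directory entry and the certificate table itself (where the embedded signature and its timestamp live) are excluded. The following is an added example, not code from the article or from Check Point; it builds a constructed toy PE32+ image with a placeholder certificate table (no real PKCS#7 signature is present or verified), computes the Authenticode-style PE hash per the documented algorithm, and shows that a byte edit inside the certificate table changes the plain file hash but not the Authenticode hash, while a byte edit in the code section changes both. It assumes the field the article refers to sits inside that unhashed signature region.

```python
import hashlib
import struct

# Constructed placeholder standing in for the PKCS#7 blob; not a real signature.
CERT_BLOB = b"CONSTRUCTED-PLACEHOLDER-PKCS7 signingTime=2025-01-01T00:00:00Z"


def build_toy_pe(cert_blob: bytes, timestamp: int = 0x66A00000) -> bytes:
    """Construct a minimal PE32+ image (one .text section) with an appended WIN_CERTIFICATE table."""
    file_align = 0x200
    section_raw = b"\xCC" * file_align            # constructed section body
    section_ptr = file_align                       # raw data follows the 0x200-byte headers
    cert_ptr = section_ptr + len(section_raw)      # certificate table is the last thing in the file
    cert_len = (8 + len(cert_blob) + 7) & ~7       # dwLength, rounded to 8 bytes
    cert_table = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + cert_blob  # revision 2.0, PKCS#7
    cert_table += b"\0" * (cert_len - 8 - len(cert_blob))

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x0022)  # x64, 1 section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, file_align)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0)                           # CheckSum (not covered by the hash)
    struct.pack_into("<H", opt, 68, 1)                           # Subsystem: native (driver)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_ptr, cert_len)  # Security directory (file offset, size)
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(section_raw), 0x1000,
                              len(section_raw), section_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section_hdr
    headers += b"\0" * (file_align - len(headers))
    return headers + section_raw + cert_table


def _security_dir(pe: bytes):
    """Return (optional header offset, PE magic, security directory entry offset)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    return opt, magic, opt + (144 if magic == 0x20B else 128)


def cert_table_offset(pe: bytes) -> int:
    _, _, secdir = _security_dir(pe)
    return struct.unpack_from("<II", pe, secdir)[0]


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """PE image hash as Authenticode computes it: skip CheckSum, the security directory
    entry and the certificate table; hash headers, then sections in raw-data order."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt, _, secdir = _security_dir(pe)
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_size = struct.unpack_from("<II", pe, secdir)[1]
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir])
    h.update(pe[secdir + 8:size_of_headers])
    sections = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + size_opt + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for ptr, size in sorted(sections):
        h.update(pe[ptr:ptr + size])
        hashed += size
    end = len(pe) - cert_size          # trailing data minus the certificate table at the end
    if end > hashed:
        h.update(pe[hashed:end])
    return h.hexdigest()


def file_hash(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()


def flip_byte(data: bytes, offset: int) -> bytes:
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def compare_variants() -> dict:
    original = build_toy_pe(CERT_BLOB)
    cert_off = cert_table_offset(original)
    # Variant 1: one byte changed inside the certificate table (outside the hashed region).
    cert_edited = flip_byte(original, cert_off + 8 + CERT_BLOB.index(b"2025"))
    # Variant 2: one byte changed in the section body (inside the hashed region).
    code_edited = flip_byte(original, 0x200 + 16)
    return {
        "file_hash_changed_by_cert_edit": file_hash(original) != file_hash(cert_edited),
        "authenticode_hash_survives_cert_edit": authenticode_hash(original) == authenticode_hash(cert_edited),
        "authenticode_hash_catches_code_edit": authenticode_hash(original) != authenticode_hash(code_edited),
    }


if __name__ == "__main__":
    for k, v in compare_variants().items():
        print(f"{k}: {v}")
```

The practical consequence for defenders is the one the article draws: a blocklist keyed on the plain SHA-256 of a driver file is defeated by a single byte change in the unhashed region, so driver block rules should key on the Authenticode (PE image) hash, the signer or the version range, and be backed by behavioural monitoring rather than file hashes alone.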

Infrastructure used in the attacks was traced to servers in China, while malware configurations specifically targeted security products popular in East Asia. These details, combined with the ValleyRAT payload, led to attribution to the Silver Fox APT.

Although WatchDog released an update addressing local privilege escalation flaws, arbitrary process termination remains possible, leaving systems vulnerable.

The CPR research stressed that signature and hash checks alone are insufficient. Security teams are advised to apply Microsoft’s latest driver blocklist, use YARA detection rules and implement behavior-based monitoring to catch abnormal driver activity.

“Our research reinforces the need for ongoing efforts of security vendors and users to stay vigilant against the emerging abuse of legitimate drivers,” CPR wrote.

“Proactive identification, reporting and patching of these vulnerabilities are critical to strengthening Windows systems against evolving threats leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques.”


© 2025 cybrgpt.com – All rights reserved.