
A threat actor known as Silver Fox has been attributed to the abuse of a previously unknown vulnerable driver associated with Watchdog Anti-Malware as part of Bring Your Own Vulnerable Driver (BYOVD) attacks aimed at disarming security solutions installed on compromised hosts.
The vulnerable driver in question is “AMSDK.SYS” (version 1.0.600), a validly signed 64-bit Windows kernel device driver assessed to be built on the Zemana Anti-Malware SDK.
“The driver based on the Zemana Anti-Malware SDK is signed by Microsoft, not listed on Microsoft’s vulnerable driver block list, and was not detected in community projects like Loldrivers,” Check Point said in an analysis.
The attack is characterized by a dual-driver strategy: a known vulnerable Zemana driver (“Zam.exe”) is used on Windows 7 machines, and the undetected Watchdog driver on systems running Windows 10 or 11.
The Watchdog Anti-Malware driver has been found to contain multiple vulnerabilities. The first is the ability to terminate any process without checking whether the process is protected (PP/PPL). The driver is also susceptible to local privilege escalation, since it allows attackers unrestricted access to its device object.

The ultimate goal of the campaign, first discovered by Check Point in late May 2025, is to leverage these vulnerable drivers to neutralize endpoint protection products and clear a path for malware deployment and persistence without triggering signature-based defenses.
As previously observed, the campaign is designed to deliver ValleyRat (aka Winos 4.0) as the final payload, giving the threat actors remote access and control capabilities. The cybersecurity company said the attack packs anti-analysis capabilities, two embedded drivers, anti-virus killer logic and a ValleyRat DLL downloader into a single binary.
“When running, the sample performs several common anti-analytic checks, including anti-VM (detecting virtual environments), anti-sandbox (detecting runs within sandboxes), and hypervisor detection,” Check Point said. “If any of these checks fail, execution will be aborted and a fake system error message will be displayed.”
The downloader is designed to communicate with a command-and-control (C2) server to retrieve the modular ValleyRat backdoor onto infected machines.
Following responsible disclosure, Watchdog released a patch (version 1.1.100) that addresses the LPE risk by implementing a strong discretionary access control list (DACL), but it does not fix the arbitrary process termination issue. The attackers quickly adapted and incorporated a modified version of the driver in which a single byte is changed without invalidating Microsoft’s signature.

“By flipping a single byte in an uncertified timestamp field, it saves the driver’s valid Microsoft signatures and effectively bypasses hash-based block lists while generating a new file hash,” Check Point said. “This subtle and efficient evasion technique reflects the patterns seen in previous campaigns.”
“This campaign shows how threat actors work to weaponize unknown, signed drivers beyond known weaknesses. This is a blind spot for many defense mechanisms. The exploitation of Microsoft-signed, previously unclassified vulnerable drivers, together with evasive techniques such as signature manipulation, represents a sophisticated and evolving threat.”
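To show why the single-byte change described above defeats file-hash blocklists but not checks keyed on what the signature actually covers, here is an added Python example (not from the article, Check Point or Watchdog) that computes a simplified Authenticode image hash over a constructed, non-loadable PE32+ sample. The sample PE, its placeholder certificate blob and the byte offsets are assumptions made for illustration; a real verifier would additionally parse and validate the PKCS#7 signature.

```python
import hashlib
import struct


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode-style image hash: the whole file minus the CheckSum field, the
    Security data-directory entry and the attribute certificate table itself.
    Simplified: assumes section data is contiguous and in file order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20                       # optional header follows "PE\0\0" + COFF
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories (PE32+ / PE32)
    checksum_off, sec_entry = opt + 64, dirs + 4 * 8   # CheckSum; IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_entry])
    h.update(pe[sec_entry + 8:cert_off] if cert_size else pe[sec_entry + 8:])
    if cert_size:
        h.update(pe[cert_off + cert_size:])       # anything after the certificate table
    return h.hexdigest()


def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed, non-loadable PE32+ image whose certificate table is cert_blob
    (a stand-in for the PKCS#7 signature; sample data, not a real driver)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    headers_len = 64 + 4 + 20 + 240 + 40          # DOS + sig + COFF + optional + 1 section hdr
    body = b"\x90" * 64                           # fake .text data
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<I", opt, 60, headers_len)  # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0x12345678)   # CheckSum (arbitrary; excluded from hash)
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, headers_len + len(body), len(cert_blob))
    section = bytearray(b".text" + b"\x00" * 35)
    struct.pack_into("<IIII", section, 8, len(body), 0x1000, len(body), headers_len)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section) + body + cert_blob


def demo() -> dict:
    """Flip a byte in the certificate table (unauthenticated attributes live there) vs. a byte of code."""
    original = build_sample_pe(b"\x30\x82" + b"\x00" * 254)   # constructed blob
    sig_flip, code_flip = bytearray(original), bytearray(original)
    sig_flip[-16] ^= 0x01                         # inside the certificate table
    code_flip[400] ^= 0x01                        # inside the .text data (offsets 368..431)
    ah = authenticode_hash
    return {"file_hash_changed": hashlib.sha256(original).digest() != hashlib.sha256(sig_flip).digest(),
            "authenticode_hash_same": ah(original) == ah(bytes(sig_flip)),
            "code_change_detected": ah(original) != ah(bytes(code_flip))}
```

Blocking by signer identity or by Authenticode hash, as Windows code-integrity policies can, is unaffected by edits confined to the certificate table, whereas a raw SHA-256 blocklist must be updated for every such variant.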
Silver Fox, also known as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000 and Void Arachne, has been assessed as highly active since early last year, targeting Chinese-speaking victims with fake websites that deliver Trojanized software, primarily Google Chrome, Telegram and artificial intelligence (AI) tools, in order to install remote access tools.
According to Chinese cybersecurity vendor Antiy, the hacking group is believed to have been around since late 2022, and has targeted domestic users and businesses in attempts to steal secrets and commit fraud.
“Cybercrime groups spread malicious files primarily through instant messaging software (such as WeChat, Enterprise WeChat), search engine SEO promotions, phishing emails and more,” the company said. “The ‘SwimSnake’ cybercrime group is frequently updating its malware and avoidance methods.”
The attacks deliver ValleyRat with modules that can capture screenshots of WeChat and online banking sessions, using Trojanized open source software, malicious programs built with the Qt framework, or MSI installers disguised as Youdao, Sogou AI, WPS Office and DeepSeek.

The development comes as Qianxin detailed another campaign mounted by a “finance group” within Silver Fox, targeting finance staff and managers of businesses and institutions in order to steal sensitive financial information and profit from it directly through fraud.
These attacks leverage tax audits, e-invoices, grant announcements and human resources-related phishing lures to deceive users into running remote access trojans, and rely on legitimate cloud services such as Alibaba Cloud OSS and Youdao Cloud Notes to host malicious payloads in an attempt to evade detection.
The Finance Group is one of four subclusters of Silver Fox, with the other three being the News and Romance Group, Design and Manufacturing Group, and Black Water Ring Hall Group.
Interestingly, after the finance group gains control of a victim’s computer through methods such as watering hole attacks and phishing, it takes over the victim’s social media accounts and uses them to send phishing QR codes to various WeChat group chats with the aim of harvesting bank account numbers and passwords from group members, ultimately draining funds from their bank accounts for profit.
“The UTG-Q-1000 is one of China’s most active and offensive cybercrime groups in recent years. Their businesses are highly organized, technologically refined and economically motivated,” Qianxin says. “They have established a complete black market profit chain that includes spying (data theft), remote control with malware, financial fraud and phishing.”