Silver Fox Exploits Microsoft-Signed WatchDog Driver to Distribute ValleyRAT Malware

Date: September 2, 2025
Categories: Financial Fraud / Endpoint Protection

The threat actor known as Silver Fox has been linked to the exploitation of a previously undetected vulnerable driver associated with WatchDog Anti-malware. This attack, classified as a Bring Your Own Vulnerable Driver (BYOVD) incident, aims to neutralize security solutions on compromised systems.

The specific driver involved, “amsdk.sys” (version 1.0.600), is a 64-bit, validly signed Windows kernel device driver believed to be based on the Zemana Anti-Malware SDK. According to an analysis by Check Point, “This driver, created using the Zemana Anti-Malware SDK, was Microsoft-signed, not included in the Microsoft Vulnerable Driver Blocklist, and evaded detection by community initiatives such as LOLDrivers.”

The attack employs a dual-driver approach, utilizing a known vulnerable Zemana driver (“zam.exe”) for Windows 7 systems, while leveraging the undetected WatchDog driver for Windows 10 and 11 environments. The WatchDog Anti-malware driver has been identified as containing multiple vulnerabilities.

Silver Fox Exploits Microsoft-Signed WatchDog Driver for ValleyRAT Malware Deployment

In a concerning development within the cybersecurity landscape, the threat actor operating under the alias Silver Fox has been linked to the exploitation of an undisclosed vulnerable driver associated with WatchDog Anti-malware. This activity represents a sophisticated Bring Your Own Vulnerable Driver (BYOVD) attack strategy, designed to neutralize security defenses on targeted systems.

The driver in question, identified as “amsdk.sys” (version 1.0.600), is a legitimate, signed Windows kernel device driver that appears to be derived from the Zemana Anti-Malware SDK. According to an analysis by Check Point, this driver holds a Microsoft signature and is absent from the Microsoft Vulnerable Driver Blocklist, making it particularly insidious as it goes undetected by community-driven projects like LOLDrivers.

The attack employs a dual-driver approach, wherein the Silver Fox group leverages a well-known vulnerable Zemana driver, “zam.exe,” for Windows 7 systems, while deploying the undetected WatchDog driver on machines running Windows 10 and 11. This duality allows for a wider range of compromised environments, taking advantage of weaknesses in both older and more current operating systems.

Within the framework of the MITRE ATT&CK Matrix, this incident raises several pertinent tactics and techniques that may have been utilized by the attackers. The initial access may have stemmed from the flawed driver, enabling a foothold within the targeted systems. Following this, Silver Fox likely employed methods for persistence and privilege escalation, allowing them to execute further malicious activities, including the deployment of the ValleyRAT malware.

The ramifications of such a breach are significant, particularly for businesses reliant on effective endpoint security measures. As attackers increasingly turn to novel methodologies that exploit trusted components, the stakes rise for organizations that must remain vigilant in their cybersecurity efforts. The use of legitimate drivers in attacks complicates detection and response strategies, underscoring the need for enhanced monitoring and threat intelligence capabilities.

Given the sophistication of the attack and the choice of targets, often consisting of businesses operating under the radar of larger security measures, it is crucial for organizations to assess their current security posture. Regular reviews of installed drivers and vigilant monitoring for unusual kernel-level changes are essential steps to mitigate the risks associated with such vulnerabilities.

The Silver Fox exploitation case illustrates a growing trend in cyber threats where trusted infrastructure is weaponized. Business leaders must prioritize both awareness and resilience against such advanced threats to safeguard their operations and sensitive data in an ever-evolving digital landscape.

Source link

Related Posts

Ukrainian Network FDN3 Conducts Widespread Brute-Force Attacks on SSL VPN and RDP Devices

Date: Sep 02, 2025
Category: Cyber Attack / Botnet

Cybersecurity experts have identified a Ukrainian IP network engaging in extensive brute-force and password spraying campaigns against SSL VPN and RDP devices between June and July 2025. The operations are traced back to the Ukraine-based autonomous system FDN3 (AS211736), according to French cybersecurity firm Intrinsec. “We have high confidence that FDN3 is part of a larger malicious infrastructure that includes two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), as well as a Seychelles-based system, TK-NET (AS210848),” the report stated. “All of these were allocated in August 2021 and frequently exchange IPv4 prefixes to bypass blocklisting and sustain their abusive operations.” AS61432 currently announces a single prefix, 185.156.72[.]0/24, while AS210950 has two prefixes: 45.143.201[.]0/24 and 185.193.89[.]0/24. These autonomous systems were allocated in May…

Researchers Raise Alarm Over MystRodX Backdoor Utilizing DNS and ICMP Triggers for Covert Control

Sep 02, 2025 – Cyber Espionage / Network Security

Cybersecurity experts have revealed a new stealthy backdoor named MystRodX, designed to capture sensitive information from compromised systems. According to a report from QiAnXin XLab, “MystRodX is a typical backdoor developed in C++, featuring capabilities such as file management, port forwarding, reverse shell, and socket management.” The report highlights that MystRodX distinguishes itself from standard backdoors through its exceptional stealth and versatility. Also referred to as ChronosRAT, this malware was initially documented by Palo Alto Networks Unit 42 last month, linked to a threat activity cluster named CL-STA-0969, which shows connections to a China-based cyber espionage group called Liminal Panda. Its stealthy nature is enhanced by multiple layers of encryption that obscure both the source code and payloads, while its flexibility allows it to dynamically activate different functionalities based on configuration settings, including the choice between TCP or HTTP for network communication.

Lazarus Group Enhances Malware Toolkit with PondRAT, ThemeForestRAT, and RemotePE

Sep 02, 2025
Malware / Threat Intelligence

The North Korea-linked threat actor, Lazarus Group, has been linked to a social engineering campaign that distributes three new cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. This attack, observed by NCC Group’s Fox-IT in 2024, specifically targeted an organization within the decentralized finance (DeFi) sector, resulting in the breach of an employee’s system.

“As the actor accessed the internal network, they utilized various RATs along with other tools to collect credentials and establish proxy connections,” noted Yun Zheng Hu and Mick Koomen. “Subsequently, the attacker transitioned to a more stealthy RAT, indicating a potential progression in their attack strategy.”

The attack began with the threat actor impersonating a current employee of a trading firm via Telegram and using counterfeit websites resembling Calendly and Picktime to arrange a meeting with the target. Although the initial steps were…

Salesloft Shuts Down Drift Temporarily Following OAuth Token Theft Affecting Numerous Organizations

 
Sep 03, 2025
Data Breach / Threat Intelligence

Salesloft announced on Tuesday the temporary suspension of Drift, slated to occur “in the very near future,” due to an extensive supply chain attack impacting multiple companies. This breach has led to the widespread theft of authentication tokens linked to the marketing software-as-a-service platform. The company stated, “This action will allow us to thoroughly review the application and enhance its resilience and security before restoring full functionality.” Consequently, the Drift chatbot on customer websites will be offline, and Drift itself will not be accessible. Salesloft emphasized its commitment to preserving the integrity and security of its systems and customers’ data, collaborating with cybersecurity partners Mandiant and Coalition as part of their incident response strategy. This announcement follows a disclosure from Google Threat Intelligence Group (GTIG) and Mandiant regarding the ongoing threats.