Tag: Windows

Silver Fox Exploits Microsoft-Signed WatchDog Driver to Distribute ValleyRAT Malware

Date: September 2, 2025
Categories: Financial Fraud / Endpoint Protection

The threat actor tracked as Silver Fox has been linked to the abuse of a previously unreported vulnerable driver shipped with WatchDog Anti-malware. The technique, Bring Your Own Vulnerable Driver (BYOVD), loads a legitimately signed but exploitable kernel driver so that the attacker can run with kernel privileges and terminate security products on the compromised host.

The driver in question, “amsdk.sys” (version 1.0.600), is a 64-bit, validly signed Windows kernel device driver believed to be built on the Zemana Anti-Malware SDK. According to Check Point’s analysis, “This driver, created using the Zemana Anti-Malware SDK, was Microsoft-signed, not included in the Microsoft Vulnerable Driver Blocklist, and evaded detection by community initiatives such as LOLDrivers.”

The attack uses a dual-driver approach: a known vulnerable Zemana driver (“zam.exe”) on Windows 7 systems, and the undetected WatchDog driver on Windows 10 and 11. The WatchDog Anti-malware driver has been found to contain multiple vulnerabilities. The practical consequence for defenders is that a valid Microsoft signature is not a safety signal here: hash-based controls such as the Microsoft Vulnerable Driver Blocklist or the LOLDrivers list only stop a driver once its hash has been added, so neither offered coverage for amsdk.sys at the time.
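The triage a practitioner would run on a Windows 10/11 host after reading the above: confirm whether the Microsoft Vulnerable Driver Blocklist is actually enforced, then hash and signature-check every currently loaded kernel driver against an indicator list. This is an added example, not code from the original page or from Check Point; it assumes an elevated PowerShell 5.1+ session, and the SHA-256 value in `$Indicators` is a placeholder to be replaced with hashes from the vendor advisory (only the file name amsdk.sys comes from the page).

```powershell
<#
  Added example, not code from the original page or from Check Point.
  Triage a Windows 10/11 host for BYOVD indicators: is the Microsoft Vulnerable
  Driver Blocklist enforced, and does any currently loaded kernel driver match
  an indicator list. Run from an elevated PowerShell 5.1+ session.
  Assumption: the hash below is a PLACEHOLDER, not a real hash of amsdk.sys;
  fill $Indicators from the vendor advisory before use.
#>

$Indicators = @{
    # File name taken from the page. Name-only matches are weak: a fixed build
    # of the same product carries the same name, so compare the version too.
    Names  = @('amsdk.sys')
    # PLACEHOLDER value; replace with SHA-256 hashes from the advisory.
    Sha256 = @('0000000000000000000000000000000000000000000000000000000000000000')
}

function Get-DriverBlocklistState {
    # Registry toggle Microsoft documents for enforcing the blocklist on hosts
    # that do not run HVCI (memory integrity); HVCI enforces it on its own.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistToggle = ($ci.VulnerableDriverBlocklistEnable -eq 1)
        HvciRunning     = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be \??\C:\..., \SystemRoot\..., or a path
    # relative to the Windows directory (system32\drivers\x.sys).
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        $file = [System.IO.Path]::GetFileName($path)
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $ver  = (Get-Item -LiteralPath $path).VersionInfo.FileVersion

        $flags = @()
        if ($Indicators.Names  -contains $file) { $flags += 'name matches indicator' }
        if ($Indicators.Sha256 -contains $hash) { $flags += 'SHA-256 matches indicator' }
        if ($sig.Status -ne 'Valid')            { $flags += "signature $($sig.Status)" }
        # Drivers loaded from outside the normal drivers directory deserve a second look.
        if ($path -notmatch '(?i)\\System32\\drivers\\') { $flags += 'loaded from unusual path' }

        [pscustomobject]@{
            Service = $_.Name
            File    = $file
            Version = $ver
            Signer  = $sig.SignerCertificate.Subject
            SHA256  = $hash
            Path    = $path
            Flags   = ($flags -join '; ')
        }
      } | Where-Object { $_.Flags }
}

Get-DriverBlocklistState | Format-List
Get-SuspiciousDrivers    | Format-Table Service, File, Version, Signer, Flags -AutoSize
```

Two caveats when reading the output. A `Valid` signature status on a flagged driver is exactly the situation the report describes, since amsdk.sys is Microsoft-signed, so the signature column confirms provenance, not safety; the indicator match and the version are what matter. And a BYOVD loader often loads the driver, kills its targets and moves on, so a driver that is no longer running will not appear here; pair this with driver-load telemetry such as Sysmon Event ID 6 (Driver loaded), and push the advisory's hashes into your WDAC policy rather than relying on the blocklist catching up.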


Noisy Bear Campaign Disguised as Phishing Test Revealed Targeting Kazakhstan’s Energy Sector

Sep 06, 2025 – Malware / Cyber Espionage

A suspected Russian threat actor is behind a series of attacks aimed at Kazakhstan’s energy sector, identified as Operation BarrelFire by Seqrite Labs, which tracks the group as Noisy Bear. Active since at least April 2025, the campaign specifically targets employees of KazMunaiGas (KMG). The attackers delivered a counterfeit document purporting to be from the KMG IT department, mimicking legitimate internal communications and addressing topics like policy updates, certification processes, and salary adjustments. According to security researcher Subhajeet Singha, the infection process starts with a phishing email containing a ZIP file that includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions in both Russian and Kazakh to execute a program named “KazMunayGaz_Viewer.”
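A mail-gateway or triage check for the lure layout just described (a Windows shortcut bundled with a decoy document and a README) can be written without extracting anything to disk. The following is an added example, not code from the original page or from Seqrite Labs; it identifies shortcuts by their ShellLink header bytes rather than by extension, so a shortcut renamed to look like a document is still caught. It assumes PowerShell 5.1+ on Windows, and the archive it builds at the end is a constructed sample that mirrors the reported layout and contains no downloader.

```powershell
<#
  Added example, not code from the original page or from Seqrite Labs.
  Inspect a ZIP attachment for the lure layout described above (a Windows
  shortcut, a decoy document and a README) without extracting it to disk.
  Shortcuts are recognised by content, not extension: a .lnk file starts with
  HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
  Assumption: the archive built at the end is a constructed sample, not the
  real attachment, and carries only header bytes and placeholder text.
#>
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# First 20 bytes of every .lnk file: 4C 00 00 00 followed by the CLSID in on-disk byte order.
$script:LnkMagic = [byte[]](0x4C,0,0,0, 0x01,0x14,0x02,0x00, 0,0,0,0, 0xC0,0,0,0, 0,0,0,0x46)

function Test-LnkEntry([System.IO.Compression.ZipArchiveEntry]$Entry) {
    if ($Entry.Length -lt $script:LnkMagic.Length) { return $false }
    $s = $Entry.Open()
    try {
        $buf = New-Object byte[] $script:LnkMagic.Length
        $n = $s.Read($buf, 0, $buf.Length)
        if ($n -ne $buf.Length) { return $false }
        for ($i = 0; $i -lt $buf.Length; $i++) {
            if ($buf[$i] -ne $script:LnkMagic[$i]) { return $false }
        }
        return $true
    } finally { $s.Dispose() }
}

function Test-LureArchive([string]$Path) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entries = @($zip.Entries | Where-Object { $_.Name })   # skip directory entries
        $lnk     = @($entries | Where-Object { Test-LnkEntry $_ })
        $readme  = @($entries | Where-Object { $_.Name -match '(?i)^readme(\.txt)?$' })
        $decoys  = @($entries | Where-Object { $_.Name -match '(?i)\.(pdf|docx?|xlsx?|rtf)$' })
        # Shortcuts whose name hides the .lnk extension behind a document-like one,
        # or that carry no .lnk extension at all.
        $masq    = @($lnk | Where-Object {
                       $_.Name -match '(?i)\.(pdf|docx?|xlsx?|txt)\.lnk$' -or $_.Name -notmatch '(?i)\.lnk$' })

        $verdict = if ($lnk.Count -and ($readme.Count -or $decoys.Count)) { 'suspicious: shortcut plus lure files' }
                   elseif ($lnk.Count) { 'review: shortcut present' }
                   else { 'no shortcut' }

        [pscustomobject]@{
            Archive    = [System.IO.Path]::GetFileName($Path)
            Shortcuts  = $lnk.Name
            Masquerade = $masq.Name
            HasReadme  = $readme.Count -gt 0
            HasDecoy   = $decoys.Count -gt 0
            Verdict    = $verdict
        }
    } finally { $zip.Dispose() }
}

# Constructed sample archive mirroring the layout in the report (no real payload).
$sample = Join-Path $env:TEMP 'lure-sample.zip'
if (Test-Path $sample) { Remove-Item $sample }
$z = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    foreach ($item in @(
        @{ Name = 'KazMunayGaz_Viewer.lnk'; Bytes = $script:LnkMagic },   # header bytes only
        @{ Name = 'README.txt';             Bytes = [Text.Encoding]::UTF8.GetBytes('open KazMunayGaz_Viewer') },
        @{ Name = 'Policy_update.pdf';      Bytes = [Text.Encoding]::ASCII.GetBytes('%PDF-1.4 decoy') })) {
        $s = $z.CreateEntry($item.Name).Open()
        try { $s.Write($item.Bytes, 0, $item.Bytes.Length) } finally { $s.Dispose() }
    }
} finally { $z.Dispose() }

Test-LureArchive $sample | Format-List
```

Against the constructed sample the verdict is the suspicious one, because a shortcut sits next to both a README and a document. Matching on the header bytes is the part worth keeping: the reported lure asks the user to run a "viewer", and a shortcut renamed to `Viewer.pdf` would pass an extension filter but not this check.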


New Windows Vulnerability Exposes Devices to Rootkit Installation by Hackers

Date: September 23, 2021

Security researchers have identified a critical vulnerability in the Microsoft Windows Platform Binary Table (WPBT) that poses risks to all devices operating on Windows since the release of Windows 8. This unpatched flaw could allow attackers to…


Iranian Hackers Disrupt Operations at Key U.S. Infrastructure Sites

Iranian Hackers Targeting US Critical Infrastructure Amid Ongoing Tensions Recent reports indicate that hackers tied to the Iranian government are actively disrupting operations at various critical infrastructure sites across the United States. This disruption appears to be a reaction to the heightened geopolitical conflict between Iran and the U.S., as…


Unresolved Unauthorized File Read Vulnerability Impacts Microsoft Windows OS

On November 30, 2021, it was reported that unofficial patches had been released for an inadequately fixed Windows security flaw that exposes affected systems to information disclosure and local privilege escalation (LPE). Tracked as CVE-2021-24084 (CVSS score: 5.5), the vulnerability resides in the Windows Mobile Device Management component and can allow an attacker to read arbitrary files from the file system. Security researcher Abdelhamid Naceri discovered and reported the issue in October 2020, and Microsoft addressed it in its February 2021 Patch Tuesday updates. As Naceri noted in June 2021, however, the patch can be bypassed, and the incompletely fixed bug has since been shown to let attackers gain administrator privileges and execute malicious code on Windows 10 systems.


StoneDrill Disk Wiping Malware Discovered Targeting European Industries

A newly identified disk-wiping malware known as StoneDrill has emerged, targeting a petroleum company in Europe. This malware bears similarities to the infamous Shamoon, which notoriously deleted data from 35,000 computers at Saudi Arabia’s national oil company back in 2012. Disk-wiping malware like StoneDrill can inflict severe damage on organizations…


Samba Releases Security Updates to Address Several High-Severity Vulnerabilities

The open-source software suite Samba has issued critical updates to address several high-severity vulnerabilities that pose significant risks to system security. If exploited, these flaws could allow unauthorized users to gain control over the affected systems. The vulnerabilities, identified as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in the…


Caution: Virus Alert on Windows, MacOS, and Linux Spreading via Facebook Messenger

A concerning cybersecurity threat has emerged within Facebook Messenger, where users are encountering deceptive video links purportedly sent by friends, which can lead to malicious software installations. Researchers at Kaspersky Lab have uncovered a cross-platform malware campaign targeting users through these seemingly innocuous links.…
