In a quietly alarming move, the China-linked Silver Fox advanced persistent threat (APT) group has abused a Microsoft-signed WatchDog anti-malware driver (amsdk.sys v1.0.600), one that was flagged by neither Microsoft's vulnerable-driver blocklist nor community trackers such as LOLDrivers, to disable protection tools on Windows 10 and 11 systems and deploy the ValleyRAT remote-access trojan through a bring-your-own-vulnerable-driver (BYOVD) attack. Researchers found that Silver Fox uses a loader combining anti-analysis checks, a dual-driver approach (an older Zemana-based driver on Windows 7, the WatchDog driver on newer systems), EDR/AV killer logic and modular ValleyRAT payloads, giving it stealthy persistence and evasion. A patched version of the driver closes the privilege-escalation flaw but still allows arbitrary process termination, and the attackers have sidestepped hash-based blocklists by changing a single byte of the driver file so that its hash changes while the Microsoft signature stays valid.
Sources: Hacker News, Check Point Research, SC World
Key Takeaways
– Signed doesn’t always mean safe – Even a Microsoft-signed driver (WatchDog’s amsdk.sys) can carry exploitable vulnerabilities and slip past vulnerable-driver blocklists.
– Dual-driver strategy boosts effectiveness – Silver Fox uses different drivers for legacy and modern Windows versions, wrapped in a single loader for broad compatibility and stealth.
– Evasion keeps evolving – Attackers circumvent hash-based blocklists by altering the driver’s file hash without breaking its signature, highlighting the need for detection that goes beyond simple hash allow- and deny-lists.
In-Depth
Silver Fox’s latest campaign underscores a worrying reality in cybersecurity: adversaries can weaponize legitimate tools against us when our systems blindly trust signed code. By abusing a Microsoft-signed WatchDog anti-malware driver (amsdk.sys v1.0.600), which was caught by neither Microsoft’s own blocklist nor community trackers like LOLDrivers, Silver Fox has found a way to blind the defenses on Windows 10/11 machines without tripping any driver blocklist.
Here’s how the trick works: the malware arrives as a multi-purpose loader that first checks whether it is running in a sandbox or virtual machine, then quietly installs a driver: the newly discovered WatchDog driver on Windows 10/11, or an older Zemana-based driver on Windows 7. Both can terminate security processes at will, sweeping antivirus and endpoint defenses aside from kernel mode. Once that is done, the ValleyRAT trojan is deployed, giving the operators remote access for data theft or further control, depending on their goals.
WatchDog has since released a patched version of the driver that fixes the privilege-escalation vulnerability, but frustratingly, the ability to terminate arbitrary processes, protected security processes included, remains. Even more cleverly, the attackers bypassed hash-based blocks by changing a single byte in the timestamp field of the driver’s signature. That field sits outside the portion of the file that the Authenticode signature covers, so the file hash changes while the signature still validates. That kind of subtle evasion shows just how agile these threat actors have become.
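To see why a one-byte change can alter a driver’s hash without breaking its signature, it helps to know which bytes Authenticode actually hashes. The example below is added here for illustration and is not code from the sources or from the researchers. It builds a constructed minimal PE32+ image with a fake certificate table (no real cryptography is involved; the FAKE_PKCS7 blob and its signingTime marker are stand-ins for a real PKCS#7 signature and its timestamp), computes the Authenticode hash the way the PE Authenticode specification describes (skip the CheckSum field, the security data-directory entry and the certificate table), and shows that flipping a byte inside the certificate table changes the whole-file SHA-256 but not the Authenticode hash, whereas patching a code byte changes both. In a real driver the changed byte must also sit in an unauthenticated attribute of the PKCS#7 structure, or signature verification of the blob itself would fail; this example only demonstrates the hash coverage.

```python
import hashlib
import struct

FILE_ALIGN = 0x200  # file alignment used for the constructed image

# Constructed stand-in for a PKCS#7 SignedData blob (assumption: not a real signature).
# The "signingTime" marker plays the role of the timestamp bytes the report says were tweaked.
FAKE_PKCS7 = (b"CONSTRUCTED-FAKE-PKCS7 signerInfo=example;"
              b" unauthenticatedAttrs:signingTime=20250101000000Z")


def _win_certificate(pkcs7: bytes) -> bytes:
    """WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA."""
    body = pkcs7 + b"\0" * (-len(pkcs7) % 8)          # entries are 8-byte aligned
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def build_pe(code: bytes, pkcs7: bytes) -> bytes:
    """Build a minimal PE32+ image: 0x200 of headers, one .text section of 0x200 bytes,
    then the certificate table appended at the end of the file (where signtool puts it)."""
    assert len(code) <= FILE_ALIGN
    cert = _win_certificate(pkcs7)
    cert_off = 2 * FILE_ALIGN                          # headers + one section
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, FILE_ALIGN, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x140000000, 0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,
                       0x2000, FILE_ALIGN, 0, 1, 0,    # SizeOfImage, SizeOfHeaders, CheckSum=0
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[4] = (cert_off, len(cert))                    # IMAGE_DIRECTORY_ENTRY_SECURITY
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, FILE_ALIGN,
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (FILE_ALIGN - len(headers))
    return headers + code + b"\0" * (FILE_ALIGN - len(code)) + cert


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE the way Authenticode does: everything except the CheckSum field,
    the security data-directory entry and the certificate table itself."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = 112 if magic == 0x20B else 96            # data directories: PE32+ vs PE32
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_entry = opt + dd_base + 4 * 8
    _cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                        # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_entry])          # ... skipping CheckSum, up to cert entry
    h.update(pe[cert_entry + 8:size_of_headers])       # ... skipping the cert entry
    hashed = size_of_headers
    sections = []
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):         # section data in file-offset order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(pe) - hashed - cert_size               # any overlay data, minus the cert table
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def file_hash(pe: bytes) -> str:
    """Whole-file SHA-256, which naive blocklists key on."""
    return hashlib.sha256(pe).hexdigest()


def flip_byte(pe: bytes, offset: int) -> bytes:
    out = bytearray(pe)
    out[offset] ^= 0x01
    return bytes(out)


def demo() -> dict:
    original = build_pe(b"\x48\x31\xc0\xc3", FAKE_PKCS7)   # xor rax,rax ; ret
    ts = original.index(b"signingTime=") + len(b"signingTime=")
    tweaked = flip_byte(original, ts)                     # byte inside the certificate table
    patched = flip_byte(original, FILE_ALIGN)             # first byte of .text, inside the hash
    return {
        "file_hash_changed": file_hash(original) != file_hash(tweaked),
        "authenticode_hash_changed": authenticode_hash(original) != authenticode_hash(tweaked),
        "code_patch_changes_authenticode": authenticode_hash(original) != authenticode_hash(patched),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence: a detection keyed on the flat SHA-256 of the file misses the tweaked variant, while one keyed on the Authenticode hash (which is what WDAC hash rules match on) or on signer plus file attributes such as original filename and version still catches it.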
What’s the takeaway? Trust, but verify. Relying solely on signature-based trust or hash blocklists is no longer enough. Organizations, and even vigilant users, must layer their defenses: deploy heuristics and behavior-based detection, block known-abused drivers by signer and file attributes rather than by hash alone, patch promptly, and treat any signed driver as potentially suspect until verified. In this ever-evolving threat landscape, that extra bit of cautious common sense can make a big difference.
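The layered approach above, as an added example that is not from the sources or the researchers: a small triage routine over constructed, Sysmon-style records (Event ID 6 driver loads and Event ID 5 process terminations; the field names follow Sysmon’s schema, the values are made up). It applies four independent checks, so a driver whose file hash was altered still fires on its file name, on the non-standard load path, and on the security process that dies right after it loads. The blocklist hash, the abused-driver name list, the trusted driver directory, the protected process names and the 60-second window are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Assumptions for this example (not from the original report):
KNOWN_BAD_SHA256 = {"b" * 64}                     # flat file hash of the unmodified sample
KNOWN_ABUSED_DRIVERS = {"amsdk.sys"}              # file names reported as abused
TRUSTED_DRIVER_DIR = "c:/windows/system32/drivers/"
SECURITY_PROCESSES = {"msmpeng.exe"}              # Defender engine; add your EDR's processes
KILL_WINDOW = timedelta(seconds=60)

# Constructed records. id 6 = driver loaded, id 5 = process terminated.
# The Sysmon "Hashes" field is reduced to its SHA256 component for brevity.
EVENTS = [
    {"t": "2025-09-01T10:00:00", "id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "SHA256": "a" * 64,
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"t": "2025-09-01T10:05:00", "id": 6,
     "ImageLoaded": r"C:\ProgramData\svc\amsdk.sys", "SHA256": "b" * 64,
     "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"},
    {"t": "2025-09-01T10:05:02", "id": 5,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"},
    # Hash-tweaked copy of the same driver on another host: new SHA256, same signature.
    {"t": "2025-09-01T10:20:00", "id": 6,
     "ImageLoaded": r"C:\Users\Public\amsdk.sys", "SHA256": "c" * 64,
     "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"},
]


def _norm(path: str) -> str:
    """Lower-case, forward-slash form so the checks work on any host OS."""
    return path.replace("\\", "/").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["t"])


def triage_driver_loads(events: list) -> dict:
    """Return {ImageLoaded: [rule names]} for every driver load that trips at least one rule."""
    loads = [e for e in events if e["id"] == 6]
    kills = [e for e in events if e["id"] == 5]
    findings = {}
    for load in loads:
        rules = []
        if load["SHA256"] in KNOWN_BAD_SHA256:
            rules.append("hash-blocklist")               # catches only the unmodified file
        if _basename(load["ImageLoaded"]) in KNOWN_ABUSED_DRIVERS:
            rules.append("known-abused-name")            # survives a hash tweak
        if not _norm(load["ImageLoaded"]).startswith(TRUSTED_DRIVER_DIR):
            rules.append("nonstandard-path")             # BYOVD loaders drop into writable dirs
        t0 = _ts(load)
        for kill in kills:
            if (_basename(kill["Image"]) in SECURITY_PROCESSES
                    and t0 <= _ts(kill) <= t0 + KILL_WINDOW):
                rules.append("security-process-killed-after-load")  # the killer behaviour itself
                break
        if rules:
            findings[load["ImageLoaded"]] = rules
    return findings


if __name__ == "__main__":
    for image, rules in triage_driver_loads(EVENTS).items():
        print(image, "->", ", ".join(rules))
```

Only the first amsdk.sys load matches the hash rule; the tweaked copy is still reported by the name and path rules, and the termination of MsMpEng.exe seconds after the first load is the behavioural signal that no hash list can provide.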