Stratos Ally

‘Silver Fox’ Hackers Exploit Signed Drivers to Evade Security Defenses 


StratosAlly


Researchers at Check Point reported that the threat actor known as Silver Fox, also referred to as SwimSnake or UTG-Q-1000, employed a Bring Your Own Vulnerable Driver (BYOVD) technique to circumvent security defenses. The attackers deployed a Microsoft-signed driver, amsdk.sys version 1.0.600 from WatchDog Anti-malware, to disable antivirus protections before installing ValleyRAT malware. The driver had not been previously cataloged in Microsoft’s Vulnerable Driver Blocklist or in community repositories, such as LOLDrivers, making the attack especially difficult to anticipate.   

The campaign is mainly aimed at Windows 10 and 11 environments, while resorting to an outdated Zemana driver for older Windows 7 machines. Victims have been identified across Asia, particularly China, though infections extend to other regions. Delivery methods include fraudulent software installers, phishing emails, and downloads promoted through SEO poisoning.

The operation utilizes a custom loader that supports two drivers, each tailored to a specific version of Windows. On current systems, the loader deploys the WatchDog driver, which enables the arbitrary termination of processes (including protected antivirus and endpoint protection services) and local privilege escalation. For older systems, a Zemana driver is substituted. Once the security protections are bypassed, the loader installs ValleyRAT, a modular backdoor, and executes various anti-analysis measures, such as detecting virtual machines and sandbox environments, to reduce the likelihood of detection during examination. 

The malware forcibly terminates nearly 200 processes, including numerous security tools commonly used in Asia, leaving infected systems exposed to remote control, credential theft, persistent access, and financial exploitation. Analysts traced the command-and-control infrastructure to servers located in China, with victim organizations distributed worldwide but predominantly concentrated in Asia, especially China. 

After the disclosure, WatchDog rolled out version 1.1.100, patching the privilege escalation vulnerability via stricter Discretionary Access Control Lists but leaving the arbitrary process termination flaw unresolved. Attackers rapidly adapted by modifying a single byte in the driver’s timestamp, preserving its valid Microsoft Authenticode signature while producing a new file hash that evades hash-based blocklists.

This campaign demonstrates that trusted, signed drivers may be exploited by threat actors. Adversaries are increasingly leveraging previously undocumented signed components and modifying digital signatures to bypass blocklists. To address these risks, organizations are advised to implement a zero-trust policy for all drivers and deploy robust kernel-level monitoring to ensure comprehensive system oversight. 
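The one-byte evasion described above, and the advice to stop trusting drivers on signature alone, both come down to what a hash-based blocklist actually keys on. The Authenticode hash that a code signature covers excludes the PE checksum field, the security data-directory entry and the attribute certificate table itself, so an edit confined to that certificate table leaves the signature intact while changing the SHA-256 of the whole file. The Python script below is an added example, not code from Check Point, WatchDog or StratosAlly. It builds a constructed, structurally minimal PE32+ image with a dummy certificate table, computes both hashes, and shows that a blocklist entry keyed on the Authenticode hash still matches the edited copy while one keyed on the raw file hash does not. The layout constants, `build_sample_pe`, `authenticode_hash` and `blocklist_verdict` are all assumptions of this example, and the hashing routine is a simplified form of the Authenticode procedure (it assumes sections laid out in file order with the certificate table last, which is the normal layout for a driver).

```python
import hashlib
import struct

# Layout of the constructed PE32+ image (all values are synthetic, chosen for this example).
PE_OFFSET = 0x80                 # e_lfanew: where "PE\0\0" starts
OPT_OFFSET = PE_OFFSET + 24      # optional header follows 4-byte signature + 20-byte COFF header
SIZE_OF_HEADERS = 512
SECTION_OFFSET = 512             # single .text section, 512 bytes of raw data
SECTION_SIZE = 512
CERT_OFFSET = SECTION_OFFSET + SECTION_SIZE   # attribute certificate table appended at the end
CERT_BLOB_SIZE = 64
CERT_TABLE_SIZE = 8 + CERT_BLOB_SIZE          # WIN_CERTIFICATE header + blob


def build_sample_pe() -> bytes:
    """Return a minimal, structurally valid PE32+ file with a dummy certificate table.
    Constructed for this example: the 'signature' blob is filler, not real PKCS#7."""
    pe = bytearray(CERT_OFFSET)                      # zero-filled headers + section
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, PE_OFFSET)
    pe[PE_OFFSET:PE_OFFSET + 4] = b"PE\0\0"
    # COFF header: Machine=AMD64, 1 section, TimeDateStamp, sym table, sym count,
    # SizeOfOptionalHeader=240, Characteristics
    struct.pack_into("<HHIIIHH", pe, PE_OFFSET + 4, 0x8664, 1, 0x5F000000, 0, 0, 240, 0x2022)
    struct.pack_into("<H", pe, OPT_OFFSET, 0x20B)                # PE32+ magic
    struct.pack_into("<I", pe, OPT_OFFSET + 60, SIZE_OF_HEADERS)
    struct.pack_into("<I", pe, OPT_OFFSET + 64, 0xDEADBEEF)      # CheckSum (not covered by the hash)
    struct.pack_into("<I", pe, OPT_OFFSET + 108, 16)             # NumberOfRvaAndSizes
    # Security directory (index 4) points at the certificate table by FILE offset
    struct.pack_into("<II", pe, OPT_OFFSET + 112 + 4 * 8, CERT_OFFSET, CERT_TABLE_SIZE)
    # One section header directly after the 240-byte optional header
    sec = OPT_OFFSET + 240
    pe[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, SECTION_SIZE, 0x1000, SECTION_SIZE, SECTION_OFFSET)
    pe[SECTION_OFFSET:CERT_OFFSET] = bytes(range(256)) * 2       # recognisable filler, not code
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7)
    pe += struct.pack("<IHH", CERT_TABLE_SIZE, 0x0200, 0x0002)
    pe += b"\x11" * CERT_BLOB_SIZE                               # placeholder signature blob
    return bytes(pe)


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the PE the way Authenticode does: every byte except the CheckSum field,
    the security data-directory entry and the certificate table. Simplified: assumes
    sections are in file order and the certificate table is the last thing in the file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data directory start
    checksum_off = opt + 64
    sec_dir_off = dir_base + 4 * 8                     # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir_off])
    if cert_size == 0:                                 # unsigned image: hash the rest as-is
        h.update(pe[sec_dir_off + 8:])
    else:
        h.update(pe[sec_dir_off + 8:cert_off])
        h.update(pe[cert_off + cert_size:])
    return h.hexdigest()


def file_hash(pe: bytes) -> str:
    """Plain SHA-256 of the whole file, which is what a naive blocklist stores."""
    return hashlib.sha256(pe).hexdigest()


def flip_byte(pe: bytes, offset: int) -> bytes:
    """Copy of pe with one byte inverted, modelling a single-byte edit to the image."""
    b = bytearray(pe)
    b[offset] ^= 0xFF
    return bytes(b)


def blocklist_verdict(pe: bytes, blocked_file_hashes: set, blocked_authenticode_hashes: set) -> dict:
    """Check a candidate driver image against both styles of blocklist entry."""
    return {
        "file_hash_match": file_hash(pe) in blocked_file_hashes,
        "authenticode_match": authenticode_hash(pe) in blocked_authenticode_hashes,
    }


if __name__ == "__main__":
    original = build_sample_pe()
    blocked_file = {file_hash(original)}
    blocked_auth = {authenticode_hash(original)}
    # Edit inside the certificate table: outside the signed region, file hash changes only
    variant = flip_byte(original, CERT_OFFSET + 8 + 40)
    print("cert-table edit:", blocklist_verdict(variant, blocked_file, blocked_auth))
    # Edit inside .text: inside the signed region, both hashes change
    tampered = flip_byte(original, SECTION_OFFSET + 16)
    print("code edit:      ", blocklist_verdict(tampered, blocked_file, blocked_auth))
```

The practical takeaway is that a driver blocklist should match on the Authenticode hash (and on signer and file-version attributes) rather than on the raw file hash, because only the former survives edits to the unauthenticated part of the image. The script does not verify a signature; in the second case a real signature would also fail validation, which is the separate check that signature verification supplies.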

