Silver Fox APT exploits previously unknown driver in BYOVD campaign


A threat actor known as Silver Fox has been observed leveraging a previously undocumented, signed driver associated with WatchDog Anti-malware to disable endpoint protection solutions and deploy remote access tools.

Silver Fox, also known by aliases such as SwimSnake, UTG-Q-1000, and Void Arachne, has been active since at least mid-2022. The group primarily targets Chinese-speaking victims using trojanized applications, fake AI tools, and phishing lures to distribute ValleyRAT.

The group delivers malware via platforms like WeChat, SEO-boosted search results, and phishing emails. It is believed to consist of several sub-groups: Finance, News and Romance, Design and Manufacturing, and the Black Watering Hole Group. In particular, the Finance Group has targeted enterprise financial departments through lures involving tax audits and subsidy notices, using cloud services like Alibaba OSS and Youdao to host payloads.

The driver, amsdk.sys (version 1.0.600), is a 64-bit Windows kernel device driver built on the Zemana Anti-Malware SDK. Although Microsoft-signed, the driver was not listed in the official Vulnerable Driver Blocklist nor flagged by community initiatives like LOLDrivers, note the Check Point researchers who discovered the campaign.

The group used a dual-driver strategy in the campaign, deploying a known vulnerable Zemana driver (zam.exe) for Windows 7, and the WatchDog driver for newer Windows 10 and 11 systems. Both were embedded in a single self-contained loader. The attackers attempted to bypass security software to deploy further malware such as ValleyRAT (aka Winos 4.0). ValleyRAT is a modular remote access trojan previously linked to Silver Fox.

“The campaign’s architecture is centered around all-in-one loader samples, which combine anti-analysis features, embedded drivers, EDR/AV killer logic, and the ValleyRAT downloader into a single binary. These loaders are tailored to function across both legacy and modern systems (Windows 7 – Windows 10/11), using two different drivers to ensure compatibility,” according to Check Point.

While the exact infection method remains unclear, the researchers have observed the malware being delivered via .rar archives containing either a single executable (.exe) or a dynamic-link library (.dll) that is side-loaded through a legitimate application.

Following Check Point’s disclosure, WatchDog released an updated version of its Antimalware driver (wamsdk.sys, version 1.1.100). This update fixed the local privilege escalation (LPE) issues, but it still allowed attackers to stop any process, including protected ones. Shortly after, the researchers found a new version of the patched driver being misused by the same APT group.

The attackers changed just one byte in the driver’s timestamp (a part of the digital signature that isn't fully verified), giving it a new file hash and thus allowing the driver to bypass hash-based security filters, while still appearing as a valid, signed driver in Windows.
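The reason a one-byte edit inside the signature leaves the driver valid is that the Authenticode hash deliberately excludes the certificate table (along with the CheckSum field and the Certificate Table directory entry), so a blocklist keyed on the Authenticode hash survives such tampering while one keyed on the file's SHA-256 does not. The following is an added example, not code from the article or from Check Point, that computes a simplified Authenticode hash over a constructed, minimal PE skeleton and shows which hash changes after the flip; the PE layout and certificate bytes are synthetic stand-ins.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Simplified Authenticode (PE image) hash: every byte except the CheckSum
    field, the Certificate Table directory entry and the certificate table
    itself (assumed to sit at the end of the file). The full algorithm also
    orders sections by raw offset; that only matters for unusual layouts."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                     # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum_off = opt + 64
    cert_dir_off = opt + (144 if magic == 0x20B else 128)   # PE32+ vs PE32
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:cert_dir_off])
    h.update(pe[cert_dir_off + 8:cert_off if cert_size else len(pe)])
    return h.hexdigest()

def build_fake_signed_pe(cert_table: bytes) -> bytes:
    """Constructed, minimal PE32+ skeleton (no sections) with a fake certificate
    table appended; only the header fields the hash routine reads are populated."""
    hdr_size = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 60, hdr_size)               # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)             # CheckSum (dummy)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    body = b"\x90" * 0x100                                  # stand-in for section data
    struct.pack_into("<II", opt, 144, hdr_size + len(body), len(cert_table))
    headers = (bytes(dos) + coff + bytes(opt)).ljust(hdr_size, b"\0")
    return headers + body + cert_table

def demo() -> tuple:
    """Flip one byte inside the certificate table, as the article describes, and
    return (file_hash_changed, authenticode_hash_unchanged)."""
    # Constructed WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then blob
    cert = struct.pack("<IHH", 8 + 32, 0x0200, 0x0002) + b"A" * 32
    original = build_fake_signed_pe(cert)
    tampered = original[:-1] + bytes([original[-1] ^ 0x01])
    return (hashlib.sha256(original).digest() != hashlib.sha256(tampered).digest(),
            authenticode_hash(original) == authenticode_hash(tampered))
```

Tooling such as WDAC/App Control file rules and the Microsoft driver blocklist can key on the Authenticode hash, which is why a defender should prefer it (or signer identity) over raw file hashes when writing driver block rules.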
