The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts.
The vulnerable driver in question is “amsdk.sys” (version 1.0.600), a 64-bit, validly signed Windows kernel device driver that’s assessed to be built upon Zemana Anti-Malware SDK.
“This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers,” Check Point said in an analysis.
The attack is characterized by a dual-driver strategy, where a known vulnerable Zemana driver (“zam.exe”) is used for Windows 7 machines, and the undetected WatchDog driver for systems that run on Windows 10 or 11.
The WatchDog Anti-malware driver has been found to contain multiple vulnerabilities, the first and foremost being the ability to terminate arbitrary processes without verifying whether the process is running as protected (PP/PPL). It’s also susceptible to local privilege escalation, allowing an attacker to gain unrestricted access to the driver’s device.
The end goal of the campaign, first spotted by Check Point in late May 2025, is to leverage these vulnerable drivers to neutralize endpoint protection products, creating a clear path for malware deployment and persistence without triggering signature-based defenses.
As observed before, the campaign is designed to deliver ValleyRAT (aka Winos 4.0) as the final payload, providing remote access and control capabilities to the threat actor. The cybersecurity company said the attacks employ an all-in-one loader, encapsulating anti-analysis features, two embedded drivers, antivirus killer logic, and the ValleyRAT DLL downloader in one binary.
“Upon execution, the sample performs a few common anti-analysis checks, such as Anti-VM (detection of virtual environments), Anti-Sandbox (detection of execution within a sandbox), hypervisor detection, and others,” Check Point said. “If any of these checks fail, the execution is aborted, and a fake system error message is displayed.”
The downloader is designed to communicate with a command-and-control (C2) server to fetch the modular ValleyRAT backdoor onto the infected machine.
Following responsible disclosure, Watchdog has released a patch (version 1.1.100) to address the LPE risk by enforcing a strong Discretionary Access Control List (DACL). However, the arbitrary process termination issue remains an open issue. This, in turn, has had the side effect of causing the attackers to swiftly adapt and incorporate the modified version by altering just a single byte without invalidating Microsoft’s signature.
“By flipping a single byte in the unauthenticated timestamp field, they preserved the driver’s valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists,” Check Point noted. “This subtle yet efficient evasion technique mirrors patterns seen in earlier campaigns.”
“This campaign demonstrates how threat actors are moving beyond known weaknesses to weaponize unknown, signed drivers—a blind spot for many defense mechanisms. The exploitation of a Microsoft-signed, previously unclassified vulnerable driver, combined with evasive techniques such as signature manipulation, represents a sophisticated and evolving threat.”
Silver Fox, also called SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, is assessed to be highly active since early last year, primarily targeting Chinese-speaking victims using fake websites masquerading as Google Chrome, Telegram, and artificial intelligence (AI)-powered tools like DeepSeek to distribute remote access trojans like ValleyRAT.
According to Chinese cybersecurity vendor Antiy, the hacking group is believed to have been around since the second half of 2022, targeting domestic users and companies in a bid to steal secrets and defraud them.
“The cybercriminal group mainly spreads malicious files through instant messaging software (WeChat, Enterprise WeChat, etc. ), search engine SEO promotion, phishing emails, etc.,” the company said. “The ‘SwimSnake’ cybercriminal group is still frequently updating malware and AV evasion methods.”
The attacks employ trojanized versions of open-source software, malicious programs built using the Qt framework, or MSI installers disguised as Youdao, Sogou AI, WPS Office, and DeepSeek to serve Valley RAT, including its online module that can capture screenshots of WeChat and online banks.
The development comes as QiAnXin also detailed a separate campaign mounted by the “Finance Group” within Silver Fox that targets financial personnel and managers of enterprises and institutions, aiming to plunder sensitive financial information or directly profit through fraud.
These attacks leverage phishing lures related to tax audits, electronic invoices, subsidy announcements, and personnel transfers to deceive users into running remote access trojans, while relying on legitimate cloud services such as Alibaba Cloud OSS and Youdao Cloud Notes to host malicious payloads in an attempt to sidestep detection.
The Finance Group is one of the four sub-clusters that are part of Silver Fox, the other three being the News and Romance Group, the Design and Manufacturing Group, and the Black Watering Hole Group.
Interestingly, after the Finance Group gains control of a victim’s computer through methods like watering hole attacks and phishing, they take over the victim’s social media accounts and leverage them to send phishing QR codes to various WeChat group chats with the goal of harvesting bank account numbers and passwords from group members, ultimately draining funds from their bank accounts for profit.
“UTG-Q-1000 is one of the most active and aggressive cybercrime groups in China in recent years. Their operations are highly organized, technically sophisticated, and financially motivated,” QiAnXin said. “They’ve established a complete black-market profit chain involving: espionage (data theft), remote control via malware, and financial fraud and phishing.”
