{
	"id": "06f45cb7-8a91-4607-a013-dcd7c8b0a614",
	"created_at": "2026-04-06T00:20:12.992864Z",
	"updated_at": "2026-04-10T03:32:46.264886Z",
	"deleted_at": null,
	"sha1_hash": "7d9480867e368d93f06570a95981fefd4232ce38",
	"title": "Chasing the Silver Fox: Cat \u0026 Mouse in Kernel Shadows - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 205572,
	"plain_text": "Chasing the Silver Fox: Cat \u0026 Mouse in Kernel Shadows - Check Point Research\r\nBy shlomoo@checkpoint.com\r\nPublished: 2025-08-28 · Archived: 2026-04-05 13:25:28 UTC\r\nHighlights:\r\nCheck Point Research (CPR) uncovered an ongoing in-the-wild campaign attributed to the Silver Fox APT which involves the abuse of a previously unknown vulnerable driver, amsdk.sys (WatchDog Antimalware, version 1.0.600). This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers.\r\nThe attackers leveraged this unknown vulnerable driver to terminate protected processes (PP/PPL) associated with modern security solutions, allowing EDR/AV evasion on fully updated Windows 10 and 11 systems without triggering signature-based defenses.\r\nA dual-driver strategy was employed to ensure compatibility across Windows versions: a known vulnerable Zemana driver for legacy systems, and the undetected WatchDog driver for modern environments. Both were embedded in a single self-contained loader which also included anti-analysis layers and the ValleyRAT downloader.\r\nFollowing CPR’s disclosure, the vendor released a patched driver (wamsdk.sys, version 1.1.100). Although we promptly reported that the patch did not fully mitigate the arbitrary process termination issue, the attackers quickly adapted and incorporated a modified version of the patched driver into the ongoing campaign. By flipping a single byte in the unauthenticated timestamp field, they preserved the driver’s valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists. 
This subtle yet efficient evasion technique mirrors patterns seen in earlier campaigns.\r\nThe final payload delivered in all observed samples was ValleyRAT, a modular Remote Access Trojan attributed to the Silver Fox APT with infrastructure located in China.\r\nThis campaign highlights a growing trend of weaponizing signed-but-vulnerable drivers to bypass endpoint protections and evade static detection.\r\nIntroduction\r\nWhile Microsoft Windows has steadily strengthened its security model—through features like Protected Processes (PP/PPL) and enhanced driver verification—threat actors have adapted by shifting their tactics to exploit lower-level weaknesses that bypass these protections without triggering defenses. Among the most effective of these techniques is the abuse of vulnerable kernel-mode drivers, particularly those capable of arbitrary process termination. These drivers, when exploited, can disable or neutralize endpoint protection products, creating a clear path for malware deployment and persistence.\r\nhttps://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/\r\nIn this publication, we present our findings on a recently detected in-the-wild (ITW) campaign that leverages such a driver-based evasion technique. At the center of this operation is the Silver Fox APT, which used a WatchDog Antimalware driver not previously known to be vulnerable (amsdk.sys, version 1.0.600) to terminate processes associated with security solutions and facilitate the delivery of the ValleyRAT backdoor. 
This driver, although built upon the same SDK (Zemana Anti-Malware SDK) as previously known vulnerable components, was not classified as vulnerable, was signed by Microsoft, and was not detected by Microsoft’s Vulnerable Driver Blocklist or community-driven sources like the LOLDrivers database.\r\nOur research builds upon the vulnerable driver detection methodology we published in 2024, where we identified thousands of at-risk drivers, including those used in security solutions. One of the previously reported drivers from that research, the WatchDog Antimalware driver, is now confirmed as abused ITW in this campaign. The attackers used this driver to disable core EDR (Endpoint Detection and Response) and antivirus protections before delivering their final payload: ValleyRAT, a modular backdoor attributed to Silver Fox APT, with infrastructure located in China.\r\nThe campaign’s architecture is centered around all-in-one loader samples, which combine anti-analysis features, embedded drivers, EDR/AV killer logic, and the ValleyRAT downloader into a single binary. These loaders are tailored to function across both legacy and modern systems (Windows 7 – Windows 10/11), using two different drivers to ensure compatibility. 
While one of the drivers—a legacy Zemana-based driver (ZAM.exe)—is already known and blocked, the second driver used in modern environments was previously unknown and therefore remained undetected.\r\nWe provide a comprehensive analysis of the observed campaign, detailing how the attackers:\r\nExploited vulnerable drivers to terminate protected processes and bypass OS-level protections.\r\nDelivered multi-stage payloads using sophisticated loader construction.\r\nLeveraged a Microsoft-signed driver to evade trust-based detection mechanisms.\r\nModified a patched version of the driver to avoid hash-based detection, without breaking digital signature validity.\r\nUltimately delivered ValleyRAT as the final payload, providing remote access and control capabilities.\r\nIn addition, we discuss the implications of signed-but-exploitable drivers and the broader risks posed by attackers leveraging modified versions of previously patched components. We reported all relevant findings to Microsoft’s MSRC and the Watchdog company, resulting in partial mitigations, but the campaign continues to evolve.\r\nBackground \u0026 Key Findings\r\nIn late May 2025, we observed an ITW attack attributed to the Silver Fox APT group which targeted Windows systems with a custom loader designed to abuse kernel drivers to terminate security-related processes. The campaign marked a significant shift from using only known vulnerable drivers to deploying a previously unclassified, signed vulnerable driver that bypassed traditional detection mechanisms.\r\nThe abuse focused on two drivers, both derived from the Zemana Anti-Malware SDK. The first, Advanced Malware Protection driver (ZAM.exe, version 3.0.0.000), is long known for its weaknesses and is blocked by the Microsoft Vulnerable Driver Blocklist. 
Its inclusion in the campaign served compatibility purposes for older systems like Windows 7.\r\nMore critically, the attackers deployed the WatchDog Antimalware driver (amsdk.sys, version 1.0.600), which, despite sharing the same SDK foundation, was not publicly known to be vulnerable, not on any blocklist, and was signed by Microsoft—enabling it to be loaded even on fully updated Windows 10/11 systems.\r\nThese drivers facilitated arbitrary process termination, including processes running under PP/PPL protection, which enabled the campaign’s custom EDR/AV killer logic to disable a wide range of security solutions.\r\nEach malware sample we analyzed was a self-contained all-in-one loader, composed of:\r\nLoader stub with an anti-analysis and persistence setup.\r\nTwo embedded vulnerable drivers.\r\nCustom logic for terminating security processes based on a hardcoded list.\r\nA ValleyRAT downloader module configured to fetch and install the final payload.\r\nThroughout the short monitoring window, we observed the campaign evolve to include multiple variants of these loaders and driver combinations. Some samples integrated new drivers still not known to be vulnerable, suggesting an ongoing effort to evade detections and bypass updated defenses.\r\nFollowing our disclosure, the Watchdog company released a patched version of the WatchDog Antimalware driver (wamsdk.sys, version 1.1.100). While this patch mitigated local privilege escalation (LPE) vectors, the updated driver still allowed arbitrary process termination, including protected processes, thereby failing to fully close the original attack vector. We disclosed this remaining issue to the vendor.\r\nSoon afterwards, we identified a new sample abusing a modified version of the patched driver, once again attributed to the same APT group. The attackers altered a single byte in the unauthenticated timestamp field of the driver’s Microsoft Authenticode signature. 
Because this field is not covered by the main signature digest, the driver remained validly signed and trusted by Windows, while presenting a new file hash and therefore bypassing hash-based blocklists. This subtle yet powerful evasion technique mirrors those seen in our earlier publication on large-scale legacy driver exploitation.\r\nThe final payload across all samples was ValleyRAT, also known as “Winos”. This RAT offers a full set of capabilities for remote surveillance, command execution, and data exfiltration. Its use, along with infrastructure hosted in China and targeted security process lists aligned with East Asian vendors, confirms the campaign’s attribution to Silver Fox APT.\r\nThis campaign demonstrates how threat actors are moving beyond known weaknesses to weaponize unknown, signed drivers—a blind spot for many defense mechanisms. The exploitation of a Microsoft-signed, previously unclassified vulnerable driver, combined with evasive techniques such as signature manipulation, represents a sophisticated and evolving threat. Despite some mitigations by the vendor, the attacker’s ability to quickly adapt—evidenced by the use of altered but validly signed driver variants—highlights the need for proactive, behavior-based detection methods and deeper scrutiny of signed kernel-mode drivers.\r\nInfrastructure \u0026 Victimology\r\nAll detected command-and-control (C2) servers used in the final stage of the attack, specifically for deploying the ValleyRAT backdoor, are hosted within China, often leveraging public cloud or web services.\r\nThe victimology suggests a globally distributed targeting pattern. In most observed cases, the malware is delivered via .rar archives containing either a single executable (.exe) or a dynamic-link library (.dll) that is side-loaded through a legitimate application. 
The exact infection vector remains unidentified.\r\nAs detailed in Appendix A – List of Processes to be Terminated, the malware is configured to terminate processes associated with security and antivirus solutions commonly used in China. Combined with the geographic location of the C2 infrastructure, this strongly suggests that the primary targets are located in Asia, particularly within China.\r\nTechnical Analysis: All-In-One Loader\r\nAll samples we analyzed were deployed as self-contained, all-in-one loaders. The loader is composed of several parts, each with a specific role:\r\nThe loader stub – Implements anti-analysis techniques and sets up persistence.\r\nTwo embedded vulnerable drivers – Abused for arbitrary process termination.\r\nEDR/AV killer logic – Targets and disables security processes.\r\nValleyRAT downloader module and configuration – Fetches and executes the final payload.\r\nIn most cases (~75 % of detected samples) these loaders are not packed. Occasionally, however, the attackers use unaltered versions of common public packers, such as UPX.\r\nOne such example is a 64-bit, UPX-packed PE with the internal name Runtime Broker. The sample retains its original compilation timestamp, 2025-06-03 06:38:30 UTC, roughly two weeks after we first observed the campaign in the wild.\r\nFigure 1: The all-in-one self-contained loader – UPX-packed, 64-bit PE.\r\nAnti-analysis Techniques\r\nUpon execution, the sample performs a few common anti-analysis checks, such as Anti-VM (detection of virtual environments), Anti-Sandbox (detection of execution within a sandbox), hypervisor detection, and others. 
If any of these checks fail, the execution is aborted, and a fake system error message is displayed.\r\nFigure 2: Anti-VM – CPU vendor check.\r\nThe virtual environment and hypervisor detection routines include a defined exclusion that allows execution to continue if the computer name is set to any of the following values: DESKTOP-T3N3M3Q, DESKTOP-03AMF90, or WIN-VMHH95J6C26. We believe this exclusion is intended to prevent execution from being aborted on systems used by the attackers during malware development.\r\nWe observed that some of the detected samples include an additional anti-analysis check using the public service http[://]ip-api[.]com/json. This service is used to retrieve information about the infected machine’s public IP address, including the ISP (Internet Service Provider) and ORG (Organization) fields.\r\nIf the ISP or ORG values match any entry from a predefined list (shown in the table below), the process is terminated, and a fake error message, “The program does not support your configuration.”, is displayed.\r\nDetected ISP + ORG\r\nMicrosoft Corporation\r\nBeijing Qihu Technology Company Limited\r\nGoogle LLC\r\nGoogle Cloud (asia-northeast1)\r\nPersistence Settings\r\nTo establish persistence, the loader creates a folder named RunTime under the system path C:\\Program Files\\RunTime. The all-in-one loader sample and the appropriate version of the vulnerable driver—selected based on the infected system’s Windows OS version—are dropped into this folder with the filenames RuntimeBroker.exe and Amsdk_Service.sys, respectively.\r\nFigure 3: Persistence settings – Dropping files to the created “RunTime” folder.\r\nSubsequently, specific services are created to ensure the dropped files are executed automatically on system startup. 
The service named Termaintor is responsible for maintaining persistence for the previously dropped copy of the all-in-one loader (RuntimeBroker.exe).\r\nFigure 4: The creation of the “Termaintor” service.\r\nThe second created service, Amsdk_Service, is simply a configured registry key required to load the dropped vulnerable driver.\r\nWe believe the name Termaintor is a deliberate typographical error and also a possible indication that the EDR/AV killer logic was inspired by the publicly available PoC—a tool named “Terminator” that abuses the known vulnerable Zemana Anti-Malware driver.\r\nEmbedded Payloads\r\nWhile most globally defined strings in the analyzed sample are simply Base64-encoded, the embedded payloads use a combination of hexadecimal encoding and Base64. These payloads are embedded directly as encoded byte strings within the .rdata section of the binary.\r\nFigure 5: The encoded embedded payloads.\r\nTwo of the encoded payloads are different vulnerable drivers used by the EDR/AV killer logic. Only one of them is deployed on the infected system, depending on the detected Windows version.\r\nThe older driver is a 64-bit, validly signed Advanced Malware Protection driver, ZAM.exe, version 3.0.0.000. This driver is already known to be vulnerable and is detected by both LOLDrivers and the Microsoft Vulnerable Driver Blocklist. It is used only if the infected system is running an older version of Windows (e.g., Windows 7).\r\nThe newer driver is a 64-bit, validly signed WatchDog Antimalware driver, amsdk.sys, version 1.0.600. This driver was not previously known to be vulnerable and bypasses both LOLDrivers and Microsoft’s blocklist. 
It is used only if the infected system is running a modern version of Windows (e.g., Windows 10 or 11).\r\nThe final embedded payload is the encoded ValleyRAT downloader module, including its hardcoded configuration.\r\nValleyRAT Downloader\r\nAs previously mentioned, the ValleyRAT downloader stage is embedded within the all-in-one loaders in an encoded format combining Base64 and hexadecimal strings. Once decoded, it results in a 64-bit, UPX-packed DLL that is converted into shellcode. This shellcode includes a stub responsible for in-memory reflective loading and is injected into an already running process, typically an instance of svchost.exe.\r\nThe internal name of the DLL, 上线模块.dll (translated as “Online module.dll”), is preserved in the Export Directory, along with three exported functions: load, run, and a second run.\r\nFigure 6: The Export Directory of the ValleyRAT downloader DLL.\r\nThe exported functions provide alternative entry points for executing and loading the DLL, such as using a custom-supplied configuration instead of the hardcoded one, while ultimately triggering the same core logic as the DllMain function.\r\nFigure 7: The exported functions of the ValleyRAT downloader DLL.\r\nThe C2 servers are defined in the embedded configuration. Notably, both the IP addresses and ports are stored in reverse order. For example: 156[.]234[.]58[.]194:52110 and 156[.]234[.]58[.]194:52111.\r\nFigure 8: The ValleyRAT downloader – Embedded configuration.\r\nThe communication between the ValleyRAT downloader and the C2 servers is encrypted using a simple XOR cipher with the key 363636003797e4383a36. 
After decrypting the traffic, we found that the downloaded content includes the final payload: the ValleyRAT backdoor (also known as Winos).\r\nFigure 9: The ValleyRAT downloader – Decrypted C2 traffic.\r\nTechnical Analysis: EDR/AV Killer\r\nThe EDR/AV killer routine is embedded directly within the all-in-one loaders.\r\nInitially, depending on the Windows version of the infected system, one of the two embedded vulnerable drivers is dropped. As both drivers are based on the Zemana Anti-Malware SDK, the exploitation logic remains the same, i.e., abusing their ability to terminate arbitrary processes.\r\nThe figure below shows the routine responsible for creating the service required to load the vulnerable driver. Specifically, the service Amsdk_Service (of type SERVICE_KERNEL_DRIVER) is created using the Windows API functions RegCreateKeyW and RegSetValueExW, followed by a call to the NT API NtLoadDriver to initiate the driver loading process.\r\nFigure 10: The vulnerable driver loading process.\r\nOnce the driver is loaded, its created device amsdk is opened to enable communication with the driver, which is later used in the main EDR/AV killing routine (KillEDRMain function).\r\nFigure 11: Opening the “amsdk” device of the abused driver.\r\nThe core EDR/AV killer logic, implemented in the KillEDRMain function, iterates over a Base64-encoded list of target processes to be terminated. This list, defined as TERMINATE_PROCESS_LIST, contains 192 unique process names (see Appendix A – List of Processes to be Terminated). 
When any of the listed processes is found running on the system, it is terminated by issuing a sequence of IOCTLs, 0x80002010 (IOCTL_REGISTER_PROCESS) followed by 0x80002048 (IOCTL_TERMINATE_PROCESS), via the Windows API function DeviceIoControl that communicates directly with the driver’s device.\r\nFigure 12: EDR/AV killer logic – Process termination.\r\nWe provide further details about the drivers abused in this campaign, including descriptions of the vulnerabilities, their impact, and example PoC code, in the following section.\r\nTechnical Analysis: New Vulnerable Driver\r\nWhile the all-in-one loaders described in the previous section can abuse two versions of vulnerable drivers (depending on the targeted Windows system version), both are based on the Zemana Anti-Malware SDK. In this section, we shift our focus to the one not previously known to be vulnerable, despite its exploitation and impact being almost identical to the known variant.\r\nAs mentioned earlier, the abused driver, WatchDog Antimalware driver version 1.0.600, is a 64-bit, validly signed Windows kernel device driver. It is still actively used and was originally part of the Watchdog Anti-Malware product.\r\nFigure 13: Vulnerable validly signed WatchDog Antimalware Driver.\r\nEven though the internal name is amsdk.sys, the original PDB path still references zam64.pdb, suggesting reuse of the Zemana Anti-Malware SDK.\r\nFigure 14: PDB path of the WatchDog Antimalware Driver.\r\nWe confirmed that the WatchDog Antimalware driver is indeed based on the Zemana Anti-Malware SDK through a detailed inspection of its code. 
Some parts of the code (not just the metadata of the compiled PE) were changed by the WatchDog Antimalware developers, particularly those responsible for the driver’s device creation. These changes were likely made in response to the well-known vulnerabilities affecting drivers derived from the Zemana Anti-Malware SDK. In fact, there are publicly available PoCs (for over two years) exploiting “Zemana” drivers as EDR/AV killing tools, such as Terminator.\r\nAs this driver is signed by Microsoft (Microsoft Windows Hardware Compatibility Publisher), it can be loaded and used even on the latest fully updated Windows 10/11 systems. In addition, because the WatchDog Antimalware driver is a distinct binary from the “Zemana” drivers, common detection and prevention mechanisms that cover “Zemana” drivers, such as LOLDrivers and the Microsoft Vulnerable Driver Blocklist, are ineffective against the WatchDog Antimalware driver. As a result, there is no obstacle to its use.\r\nDespite modifications to the codebase intended to mitigate known vulnerabilities in “Zemana” drivers, the WatchDog Antimalware driver remains vulnerable with similar impacts, including LPE, unrestricted raw disk read/write access, arbitrary process termination, and more.\r\nVulnerability Description\r\nThere are multiple vulnerabilities affecting the WatchDog Antimalware driver. First, the driver can terminate arbitrary processes without verifying whether the process is running as protected (PP/PPL), which is common for Anti-Malware services. As a result, it is a convenient candidate for the BYOVD (Bring Your Own Vulnerable Driver) technique where it is abused as an EDR/AV killer.\r\nBYOVD attacks are not usually considered vulnerabilities in the traditional sense, as the attacker must first deploy and load the vulnerable driver on the targeted system. 
These are procedures that require Administrator privileges (elevation from Administrator to System does not cross a security boundary). However, if the driver is already present on the targeted system (e.g., as part of the Watchdog Anti-Malware product), even a non-privileged user can abuse it to disable security solutions.\r\nA more critical driver vulnerability is its ability to cross the security boundary from a non-privileged user to System, resulting directly in LPE (Local Privilege Escalation). The root cause lies in the routine responsible for the driver’s device creation.\r\nIoCreateDeviceSecure, a more secure kernel function than IoCreateDevice because it lets you specify a DACL, is used. A strong DACL is set on the created device via the SDDL string D:P(A;;GA;;;SY)(A;;GA;;;BA), granting access only to System and Administrators, but the DeviceCharacteristics do not explicitly include the FILE_DEVICE_SECURE_OPEN flag. Without this flag as part of the device characteristics, the strong DACL does not apply to the entire device namespace, allowing even non-privileged users to communicate with the device.\r\nExplanation – Device Namespace \u0026 FILE_DEVICE_SECURE_OPEN\r\nEvery device has its own namespace, where names in the namespace are paths that begin with the device’s name. For a device named \\Device\\DeviceName, its namespace consists of any name with the form \\Device\\DeviceName\\anyfile. 
The lack of the FILE_DEVICE_SECURE_OPEN flag can be abused to obtain a full access handle to the device itself, even by a non-privileged user, because the strong DACL is not propagated to the namespace, e.g., opening a handle to \\Device\\DeviceName\\anyfile will return a handle for the device itself \\Device\\DeviceName.\r\nBelow, we can see the driver’s initialization routine, where the device object is created with a strong DACL, but without the FILE_DEVICE_SECURE_OPEN characteristics flag.\r\nFigure 15: Driver initialization – Device creation.\r\nThe converted DACL, part of the SDDL string:\r\nFigure 16: Converted SDDL string – Strong DACL.\r\nBy combining unrestricted access to the driver’s device with its ability to perform privileged operations, all of the previously described vulnerabilities can be exploited. These capabilities of the WatchDog Antimalware driver are triggered by issuing specific IOCTLs during communication with the device.\r\nThe most critical examples are summarized in the table below:\r\nIOCTL Name | IOCTL Code | Meaning + Impact\r\nIOCTL_REGISTER_PROCESS | 0x80002010 | Process registration – Mitigation bypass\r\nIOCTL_OPEN_PROCESS | 0x8000204C | Obtain full access process handle – LPE\r\nIOCTL_TERMINATE_PROCESS | 0x80002048 | Arbitrary process termination – Disabling EDR/AV\r\nIOCTL_SCSI_READ | 0x80002014 | Unrestricted raw disk read\r\nIOCTL_SCSI_WRITE | 0x80002018 | Unrestricted raw disk write\r\nBelow is a simplified view of the DispatchDeviceControl callback function, which is responsible for handling IOCTL requests and executing the corresponding routines.\r\nFigure 17: DispatchDeviceControl callback function – Handling IOCTL requests.\r\nThe arbitrary process termination capability, abused by the threat actor in the campaign we describe here, is triggered via the IOCTL 0x80002048 (IOCTL_TERMINATE_PROCESS), which directly invokes the TerminateProcessById function. Notably, before this action, the attacker-controlled process must first register itself (be added to the allowlist to bypass mitigation) by issuing IOCTL 0x80002010 (IOCTL_REGISTER_PROCESS).\r\nThe TerminateProcessById function blocks termination only if the target process is marked as critical (to prevent a system crash). However, it does not handle protected processes (PP/PPL), which are typically used by anti-malware services. As a result, security solution processes can be freely terminated.\r\nFigure 18: The logic of TerminateProcessById function.\r\nThe PoC demonstrating the driver’s arbitrary process termination capability is relatively simple and the exploit can be implemented as follows:\r\n#define IOCTL_REGISTER_PROCESS 0x80002010\r\n#define IOCTL_TERMINATE_PROCESS 0x80002048\r\n// Loading the amsdk.sys driver\r\nDWORD pidTerminate = 1337; // Pid of process to be killed, PP/PPL processes possible\r\nDWORD pidRegister = GetCurrentProcessId();\r\nHANDLE hDevice = CreateFileA(\"\\\\\\\\.\\\\amsdk\\\\anyfile\", GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);\r\nDeviceIoControl(hDevice, IOCTL_REGISTER_PROCESS, \u0026pidRegister, sizeof(pidRegister), NULL, 0, NULL, NULL);\r\nDeviceIoControl(hDevice, IOCTL_TERMINATE_PROCESS, \u0026pidTerminate, sizeof(pidTerminate), NULL, 0, NULL, NULL);\r\nThe core of the vulnerability in the WatchDog Antimalware driver is not complex and can easily be addressed. Specifying the FILE_DEVICE_SECURE_OPEN device characteristic ensures the propagation of the strong DACL to the whole device namespace and prevents access by non-privileged users. An additional check to verify if the targeted process to be terminated is running as protected (PP/PPL) will mitigate the possibility of disabling Anti-Malware solutions.\r\nFinal Stages: The ValleyRAT Backdoor\r\nAll the samples we analyzed (see Appendix B – IOCs) deployed the well-known ValleyRAT backdoor (also known as Winos) as the final stage. 
This malware strain is strongly attributed to, and associated with, the well-known APT group Silver Fox.\r\nSimilar to the ValleyRAT downloader, the deployed ValleyRAT backdoor is delivered as a 64-bit DLL converted to shellcode (the DLL is preceded by stub shellcode responsible for in-memory reflective loading).\r\nThe internal name 登录模块.dll (translated as “LoginModule.dll”) of this DLL is preserved in the Export Directory, along with a single exported function, run. This exported function is almost identical to DllMain, triggers the same main logic, and likely serves as an alternate execution mechanism.\r\nFigure 19: The exported function “run” – ValleyRAT backdoor DLL.\r\nOne of the first executed functions to avoid detection is a callback invoked via the Windows API EnumWindows. The callback function, EnumFunc, is responsible for detecting processes with window titles associated with analysis tools, primarily those used for network analysis, commonly found in sandboxes or malware labs. If any of the defined window titles is detected, execution is delayed by a 20-second sleep, and the enumeration continues until none of the tools are detected.\r\nFigure 20: The ValleyRAT “EnumFunc” callback function used to avoid detection.\r\nThe identical routine was already described in ValleyRAT Insights: Tactics, Techniques, and Detection Methods.\r\nAs the ValleyRAT backdoor and its stages were thoroughly analyzed in several publicly available reports, a detailed analysis of the version deployed in this campaign is considered out of the scope for this publication.\r\nAs previously described, the attackers abuse two vulnerable drivers to terminate processes associated with security solutions. 
While the older one—Advanced Malware Protection driver, ZAM.exe, version 3.0.0.000—was classified as known-vulnerable by the Microsoft Vulnerable Driver Blocklist and by other common detection mechanisms such as those implemented by the LOLDrivers project, the newer one—WatchDog Antimalware driver, amsdk.sys, version 1.0.600—bypasses all of them.\r\nAs we saw, the all-in-one loaders used in this campaign are tailored to support not only the latest versions of Windows OS (Windows 10/11) but also older ones (e.g., Windows 7), meaning even legacy systems remain at risk.\r\nThe Microsoft Vulnerable Driver Blocklist uses advanced detection mechanisms, beyond simple hash-based checks, to protect against known vulnerable drivers. As it is built into the Windows OS, we reported the issue to MSRC.\r\nAs the primary risk in this detected in-the-wild campaign stems from the previously unknown vulnerable WatchDog Antimalware driver, we reported the campaign and the driver abuse to its vendor, the Watchdog company. As a result, the vendor released a patch: WatchDog Antimalware driver, wamsdk.sys, version 1.1.100. All Watchdog products are now deployed with this updated version of the driver.\r\nWe confirmed that the new driver mitigates the LPE risk by enforcing a strong DACL (allowing access only for SYSTEM and Administrator accounts) and by setting the FILE_DEVICE_SECURE_OPEN device characteristic, which ensures the propagation of the DACL across the entire device namespace.\r\nUnfortunately, it does not mitigate the arbitrary process termination issue. It still lacks a check for whether the targeted process is running as protected (PP/PPL). As a result, this driver can still be abused similarly to how it was used in the described campaign to disable anti-malware solutions. 
We reported this to the vendor.\r\nAs anticipated, we already detected a sample in this campaign that abuses an altered variant of the released patched driver (WatchDog Antimalware Driver, wamsdk.sys, version 1.1.100).\r\nThis sample remains associated with the same campaign attributed to the Silver Fox APT, once again deploying the ValleyRAT backdoor as the final stage. We reported this new finding to the Watchdog company.\r\nThe patched driver (WatchDog Antimalware Driver, wamsdk.sys, version 1.1.100) is abused in a way where the attackers create a modified variant by altering just a single byte within the PE binary’s WIN_CERTIFICATE structure—specifically in the unauthenticated attributes of the embedded Microsoft Authenticode signature. This byte is part of the RFC 3161 timestamp (counter-signature) applied by Microsoft’s time-stamping authority. Because unauthenticated attributes are not covered by the primary signature’s digest, this change does not affect the validity of the embedded Microsoft signature, and does not break the chain of trust. As a result, Windows continues to treat the driver as validly signed and trusted, even on the latest versions.\r\nHowever, the file’s overall hash (e.g., SHA-256) is now different, which allows attackers to create a modified, uniquely hashed but still validly signed version of the original driver.\r\nFigure 21: One-byte modification of the patched WatchDog Antimalware Driver (version 1.1.100).\r\nWe recommend manually applying the latest version of the Microsoft Vulnerable Driver Blocklist, as it is usually auto-updated only once or twice a year. 
As we cannot ensure that all the vulnerable drivers abused in this campaign will be added to the Microsoft Vulnerable Driver Blocklist, we provided YARA rules (see Appendix C – YARA) to detect them and recommend monitoring and preventing their abuse.\r\nConclusion\r\nWe revealed a sophisticated campaign, attributed to the Silver Fox APT group, that exploits vulnerable signed drivers to bypass security protections and deploy the ValleyRAT backdoor. By abusing two vulnerable drivers, one previously known and one newly identified, attackers achieved arbitrary process termination, allowing them to disable anti-malware solutions and maintain stealth across multiple Windows versions, including the latest Windows 10 and 11.\r\nThe newly identified abuse of the WatchDog Antimalware driver demonstrates that even signed and seemingly trusted drivers can contain critical vulnerabilities. The attackers’ technique of modifying unauthenticated attributes within the driver’s digital signature to evade detection while preserving trustworthiness exposes the limitations of relying solely on hash-based or signature-based detection methods.\r\nOur findings highlight the need for layered defense strategies, encompassing not only timely application of Microsoft’s Vulnerable Driver Blocklist and custom detection rules like YARA signatures, but also robust behavior-based detection capable of heuristically identifying and blocking such threats. These combined measures are vital to detect and prevent the abuse of vulnerable drivers before attackers can escalate privileges or disable security software.\r\nOur final point is that our research reinforces the need for ongoing efforts of security vendors and users to stay vigilant against the emerging abuse of legitimate drivers. 
Proactive identification, reporting, and patching of these vulnerabilities are critical to strengthening Windows systems against evolving threats leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques.\r\nProtections\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, filetypes, and operating systems and protect against the attacks and threats described in this report.\r\nReferences\r\nCPR – Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks: https://research.checkpoint.com/2024/breaking-boundaries-investigating-vulnerable-drivers-and-mitigating-risks/\r\nCPR – Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign: https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/\r\nLOLDrivers: https://github.com/magicsword-io/LOLDrivers\r\nMicrosoft Vulnerable Driver Blocklist: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules\r\nTerminator PoC: https://github.com/ZeroMemoryEx/Terminator\r\nReverse Engineering Zemana AntiMalware/AntiLogger Driver: https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver/\r\nWatchdog Anti-Malware product: https://watchdog.com/solutions/anti-malware/\r\nZemana Anti-Malware SDK: https://zemana.com/us/sdk.html\r\nDevice Characteristics: https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-characteristics\r\nUPX – the Ultimate Packer for eXecutables: https://github.com/upx/upx\r\nSplunk – ValleyRAT Insights: https://www.splunk.com/en_us/blog/security/valleyrat-insights-tactics-techniques-and-detection-methods.html\r\nZscaler – Technical Analysis of ValleyRAT: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nMalpedia ValleyRAT: 
https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat\r\nAppendix A – List of Processes to be Terminated\r\nNotice that most of the targeted processes are associated with security solutions typically deployed in China or the Asia region.\r\n2345AdRtProtect.exe\r\n2345Associate.exe\r\n2345AuthorityProtect.exe\r\n2345ExtShell.exe\r\n2345ExtShell64.exe\r\n2345FileShre.exe\r\n2345HipsSet.exe\r\n2345InstDll.exe\r\n2345LSPFix.exe\r\n2345LeakFixer.exe\r\n2345MPCSafe.exe\r\n2345ManuUpdate.exe\r\n2345NetFlow.exe\r\n2345NetRepair.exe\r\n2345NightMode.exe\r\n2345PCSafeBootAssistant.exe\r\n2345ProtectManager.exe\r\n2345RTProtect.exe\r\n2345RtProtectCenter.exe\r\n2345SFGuard.exe\r\n2345SFGuard64.exe\r\n2345SFWebShell.exe\r\n2345SafeCenterCrashReport.exe\r\n2345SafeCenterInstaller.exe\r\n2345SafeCenterSvc.exe\r\n2345SafeCenterUpdate.exe\r\n2345SafeLock.exe\r\n2345SafeSvc.exe\r\n2345SafeTray.exe\r\n2345SafeUpdate.exe\r\n2345ScUpgrade.exe\r\n2345Setting.exe\r\n2345ShellPro.exe\r\n2345ShortcutArrow.exe\r\n2345SoftMgr.exe\r\n2345SoftmgrDaemon.exe\r\n2345SoftmgrSvc.exe\r\n2345SysDoctor.exe\r\n2345TrashRcmd.exe\r\n2345Uninst.exe\r\n2345UsbGuard.exe\r\n2345VirusScan.exe\r\n360AI.exe\r\n360FileGuard.exe\r\n360QMachine.exe\r\n360Restore.exe\r\n360Safe.exe\r\n360SkinMgr.exe\r\n360huabao.exe\r\n360leakfixer.exe\r\n360netcfg.exe\r\n360netcfg64.exe\r\n360realpro.exe\r\n360rp.exe\r\n360rps.exe\r\n360sd.exe\r\n360sdSetup.exe\r\n360sdToasts.exe\r\n360sdrun.exe\r\n360sdsf.exe\r\n360sdupd.exe\r\n360speedld.exe\r\n360tray.exe\r\nBGADefMgr.exe\r\nBrowserPrivacyAndSecurity.exe\r\nCertImporter-1684.exe\r\nClient.exe\r\nConfigSecurityPolicy.exe\r\nDSMain.exe\r\nDlpUserAgent.exe\r\nDumpUper.exe\r\nFetion.exe\r\nHipsDaemon.exe\r\nHipsMain.exe\r\nHipsTray.exe\r\nMSPCManager.exe\r\nMSPCManagerCore.exe\r\nMSPCManagerService.exe\r\nMipDlp.exe\r\nMpCmdRun.exe\r\nMpCopyAccelerator.exe\r\nMpDlpCmd.exe\r\nMpDlpService.exe\r\nMsMpEng.exe\r\nMultiTip.exe\r\nNewIDView.exe\r\nNisSrv.exe\r\nPCMAutoRun.exe\r\nQMAIService.exe\r\nQMDL.exe\r\nQMFloatWidget.exe\r\nQQPCExternal.exe\r\nQQPCMgrUpdate.exe\r\nQQPCPatch.exe\r\nQQPCRTP.exe\r\nQQPCSoftCmd.exe\r\nQQPCSoftMgr.exe\r\nQQPCTray.exe\r\nQQRepair.exe\r\nRMenuMgr.exe\r\nSecurityHealthHost.exe\r\nSecurityHealthService.exe\r\nSysCleanProService.exe\r\nSysInspector.exe\r\nVolSnapshotX64.exe\r\nZhuDongFangYu.exe\r\nactiveconsole\r\nanti-malware\r\nantimalware\r\navpia.exe\r\navpvk.exe\r\ncallmsi.exe\r\neCapture.exe\r\neComServer.exe\r\necls.exe\r\necmd.exe\r\necmds.exe\r\neeclnt.exe\r\negui.exe\r\neguiProxy.exe\r\nfeedback.exe\r\nfeedbackwin.exe\r\nkailab.exe\r\nkassistant.exe\r\nkassistsetting.exe\r\nkauthorityview.exe\r\nkavlog2.exe\r\nkcddltool.exe\r\nkcleaner.exe\r\nkcrm.exe\r\nkctrlpanel.exe\r\nkdf.exe\r\nkdinfomgr.exe\r\nkdownloader.exe\r\nkdrvmgr.exe\r\nkdumprep.exe\r\nkdumprepn.exe\r\nkeyemain.exe\r\nkfixstar.exe\r\nkfloatmain.exe\r\nkhealthctrlspread.exe\r\nkinst.exe\r\nkintercept.exe\r\nkislive.exe\r\nkismain.exe\r\nkldw.exe\r\nkmenureg.exe\r\nknewvip.exe\r\nknotifycenter.exe\r\nkrecycle.exe\r\nkscan.exe\r\nkschext.exe\r\nkscrcap.exe\r\nksetupwiz.exe\r\nkslaunch.exe\r\nkslaunchex.exe\r\nksoftmgr.exe\r\nksoftmgrproxy.exe\r\nksoftpurifier.exe\r\nkteenmode.exe\r\nktrashautoclean.exe\r\nkupdata.exe\r\nkwebx.exe\r\nkwsprotect64.exe\r\nkwtpanel.exe\r\nkxecenter.exe\r\nkxemain.exe\r\nkxescore.exe\r\nkxetray.exe\r\nkxewsc.exe\r\nmpextms.exe\r\npackageregistrator.exe\r\nplugins-setup.exe\r\nplugins_nms.exe\r\nqmbsrv.exe\r\nrcmdhelper.exe\r\nrcmdhelper64.exe\r\nremove_incompatible_applications.exe\r\nrestore_tool.exe\r\nsafesvr.exe\r\nsecurityhealthsystray.exe\r\nsmartscreen.exe\r\nsysissuehat.exe\r\ntroubleshoot.exe\r\nuni0nst.exe\r\nuninstallation_assistant_host.exe\r\nupgrade.exe\r\nvssbridge64.exe\r\nwebx.exe\r\nwebx_helper.exe\r\nwmiav.exe\r\nwsctrlsvc.exe\r\nAppendix B – IOCs\r\nAll-in-one self-contained loaders:\r\nSHA-256 | Final Stage\r\nd24fffc34e45c168ea4498f51a7d9f7f074d469c8d4317e8e2205c33a99b5364 | ValleyRAT/Winos\r\nfc97ad46767a45f4e59923f96d15ec5b680a33f580af7cc4e320fb9963933f26 | ValleyRAT/Winos\r\n09587073acbfec909eea69aa49774b3fdaa681db9cec7cb20a4143050897c393 | ValleyRAT/Winos\r\n2f0e34860194ccd232f7c8c27fefe44c96b63468e8581f93c38767725255f945 | ValleyRAT/Winos\r\n57f37bc0519557cf3f4c375fd04900a4d5afb82e3b723c6b9d0f96dc08eea84d | ValleyRAT/Winos\r\nb26aecc21da159c0073ecde31cc292d87c8674af8c312776d2cc9827e5c1ad6a | ValleyRAT/Winos\r\nbaccea051dc6bb1731fa2bc97c5e0cc2cd37463e83bf73a400451ad7ba00a543 | ValleyRAT/Winos\r\n9e72b958b4ad9fdf64b6f12a89eb2bae80097a65dc8899732bce9dafda622148 | ValleyRAT/Winos\r\n35ccb9c521c301e416a3ea0c0292ae93914fe165eb45f749c16de03a99f5fa8e | ValleyRAT/Winos\r\n5f23694d44850c1963b38d8eab638505d14c5605e9623fb98e9455795fa33321 | ValleyRAT/Winos\r\nC2 Servers (ValleyRAT/Winos):\r\nIP Address | Port | AS | Country\r\n47.239.197.97 | 52116, 52117 | Alibaba Cloud | HK (China)\r\n8.217.38.238 | 8888 | Alibaba Cloud | HK (China)\r\n156.234.58.194 | 52110, 52111 | Yancy Limited | HK (China)\r\n156.241.144.66 | 52139, 52160 | AROSS-AS | HK (China)\r\n1.13.249.217 | 9527, 9528 | Shenzhen Tencent Computer Systems Company Limited | China\r\nVulnerable drivers abused in the campaign:\r\nAll of them are based on the Zemana Anti-Malware SDK.\r\nSHA-256 | Note\r\n12b3d8bc5cc1ea6e2acd741d8a80f56cf2a0a7ebfa0998e3f0743fcf83fabb9e | Used for WIN 10/11\r\n0be8483c2ea42f1ce4c90e84ac474a4e7017bc6d682e06f96dc1e31922a07b10 | Used for 
WIN 10/11\r\n9c394dcab9f711e2bf585edf0d22d2210843885917d409ee56f22a4c24ad225e | Used for older WIN OS\r\nAppendix C – YARA\r\nDetects 64-bit, valid-signed WatchDog Antimalware driver, amsdk.sys, version 1.0.600 (bypassing LOLDrivers and Microsoft Vulnerable Driver Blocklist):\r\nimport \"pe\"\r\nrule watchdog_antimalware_driver_64bit_ver10600\r\n{\r\n    meta:\r\n        description = \"Detects 64-bit, valid-signed WatchDog Antimalware driver, version 1.0.600\"\r\n        author = \"Jiri Vinopal @ Check Point Research\"\r\n        hash = \"12b3d8bc5cc1ea6e2acd741d8a80f56cf2a0a7ebfa0998e3f0743fcf83fabb9e\"\r\n    condition:\r\n        // Detect PE\r\n        uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and\r\n        // Detect 64-bit Windows drivers\r\n        uint16(uint32(0x3C) + 0x5c) == 0x0001 and uint16(uint32(0x3C) + 0x18) == 0x020b and\r\n        // Detect OriginalFilename \"amsdk.sys\" and FileVersion \"1.0.600\"\r\n        pe.version_info[\"OriginalFilename\"] == \"amsdk.sys\" and pe.version_info[\"FileVersion\"] == \"1.0.600\" and\r\n        // Detect only signed drivers, not a real verification\r\n        pe.number_of_signatures \u003e 0 and for all i in (0..pe.number_of_signatures - 1):\r\n            (pe.signatures[i].verified)\r\n}\r\nDetects 64-bit, valid-signed WatchDog Antimalware Driver, wamsdk.sys, version 1.1.100 (bypassing LOLDrivers and Microsoft Vulnerable Driver Blocklist):\r\nimport \"pe\"\r\nrule watchdog_antimalware_driver_64bit_ver11100\r\n{\r\n    meta:\r\n        description = \"Detects 64-bit, valid-signed WatchDog Antimalware driver, version 1.1.100\"\r\n        author = \"Jiri Vinopal @ Check Point Research\"\r\n        hash = \"5af1dae21425dda8311a2044209c308525135e1733eeff5dd20649946c6e054c\"\r\n        hash = \"0be8483c2ea42f1ce4c90e84ac474a4e7017bc6d682e06f96dc1e31922a07b10\"\r\n    condition:\r\n        // Detect PE\r\n        uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and\r\n        // Detect 64-bit Windows drivers\r\n        uint16(uint32(0x3C) + 0x5c) == 0x0001 and uint16(uint32(0x3C) + 0x18) == 0x020b and\r\n        // Detect OriginalFilename \"wamsdk.sys\" and FileVersion \"1.1.100\"\r\n        pe.version_info[\"OriginalFilename\"] == \"wamsdk.sys\" and pe.version_info[\"FileVersion\"] == \"1.1.100\" and\r\n        // Detect only signed drivers, not a real verification\r\n        pe.number_of_signatures \u003e 0 and for all i in (0..pe.number_of_signatures - 1):\r\n            (pe.signatures[i].verified)\r\n}\r\nDetects 64-bit, valid-signed Advanced Malware Protection driver, ZAM.exe, version 3.0.0.000 (detected by LOLDrivers and Microsoft Vulnerable Driver Blocklist):\r\nimport \"pe\"\r\nrule zam_advanced_malware_protection_driver_64bit_ver300000\r\n{\r\n    meta:\r\n        description = \"Detects 64-bit, valid-signed Advanced Malware Protection driver, version 3.0.0.000\"\r\n        author = \"Jiri Vinopal @ Check Point Research\"\r\n        hash = \"9c394dcab9f711e2bf585edf0d22d2210843885917d409ee56f22a4c24ad225e\"\r\n    condition:\r\n        // Detect PE\r\n        uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and\r\n        // Detect 64-bit Windows drivers\r\n        uint16(uint32(0x3C) + 0x5c) == 0x0001 and uint16(uint32(0x3C) + 0x18) == 0x020b and\r\n        // Detect OriginalFilename \"ZAM.exe\" and FileVersion \"3.0.0.000\"\r\n        pe.version_info[\"OriginalFilename\"] == \"ZAM.exe\" and pe.version_info[\"FileVersion\"] == \"3.0.0.000\" and\r\n        // Detect only signed drivers, not a real verification\r\n        pe.number_of_signatures \u003e 0 and for all i in (0..pe.number_of_signatures - 1):\r\n            (pe.signatures[i].verified)\r\n}\r\nSource: https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/"
	],
	"report_names": [
		"silver-fox-apt-vulnerable-drivers"
	],
	"threat_actors": [
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d9480867e368d93f06570a95981fefd4232ce38.pdf",
		"text": "https://archive.orkl.eu/7d9480867e368d93f06570a95981fefd4232ce38.txt",
		"img": "https://archive.orkl.eu/7d9480867e368d93f06570a95981fefd4232ce38.jpg"
	}
}