security evasion

Tech Optimizer
September 20, 2025
A new Remote Access Trojan (RAT) is being marketed on underground forums as a fully undetectable alternative to ScreenConnect, featuring advanced capabilities to bypass security defenses. The seller claims it achieves zero detections during static and runtime analysis, making it a significant threat for initial access and payload delivery. The RAT can bypass security warnings from Google Chrome and Windows SmartScreen by being bundled with a valid Extended Validation (EV) certificate. It includes anti-bot mechanisms and cloaked landing pages to evade detection by security scanners. The malware is delivered through a fraudulent Adobe Acrobat Reader download page and gives attackers direct visual control over compromised machines. It uses a PowerShell-based command for execution, helping it avoid detection by traditional antivirus solutions. The tool is described as a "FUD loader," intended to establish a stealthy presence on target systems before deploying additional payloads. The seller offers a demo and promises delivery within 24 working hours.
Winsage
August 30, 2025
In mid-2025, a campaign attributed to the Silver Fox Advanced Persistent Threat (APT) group began exploiting a vulnerable Microsoft-signed WatchDog Antimalware driver (amsdk.sys, version 1.0.600) to compromise modern Windows environments. The attackers use the driver's arbitrary process termination capability to bypass endpoint detection and antivirus protections on fully patched Windows 10 and 11 systems. The attack starts with a loader that checks for virtual machines and sandboxes before dropping two drivers into a new directory. These drivers are registered as kernel services, and the loader ensures persistence. The loader then terminates security-service processes by exploiting the driver's vulnerabilities, allowing the injection of a ValleyRAT downloader module that connects to Chinese-hosted C2 servers. After the vulnerability was disclosed, a patched driver (wamsdk.sys, version 1.1.100) was released, but Silver Fox adapted by modifying the driver's signature timestamp to evade detection while keeping the signature valid.