Emerging in mid-2025, a sophisticated campaign attributed to the Silver Fox Advanced Persistent Threat (APT) has begun exploiting a previously unreported vulnerable driver to compromise modern Windows environments. This campaign leverages the WatchDog Antimalware driver (amsdk.sys, version 1.0.600), a Microsoft-signed component built on the Zemana Anti-Malware SDK.
By abusing its arbitrary process termination capability, threat actors can bypass endpoint detection and response (EDR) and antivirus (AV) protections on fully patched Windows 10 and 11 systems without triggering signature-based defenses.
The initial stages of the attack involve deploying a self-contained loader that embeds multiple drivers and anti-analysis layers. Infected machines receive a loader binary that first performs checks against virtual machines, sandboxes, and known analysis environments.
Once these checks pass, the loader drops two drivers—one legacy Zemana-based driver for compatibility with older systems, and the newer WatchDog Antimalware driver for modern targets—into a newly created `C:\Program Files\RunTime` directory.
Check Point researchers noted that both drivers are then registered as kernel services: the legacy driver under ZAM.exe for Windows 7, and amsdk.sys for Windows 10/11. The loader’s “Termaintor” service ensures persistence for the executed loader stub, while Amsdk_Service facilitates driver loading.
Following driver registration, the campaign’s custom EDR/AV killer logic opens a handle to the vulnerable driver’s device namespace (`\\.\amsdk`) and issues IOCTL calls to register the malicious process and terminate protected security service processes.
The termination routine reads from a Base64-encoded process list of over 190 entries—spanning popular antivirus and endpoint protection services—and sends `IOCTL_TERMINATE_PROCESS` commands via `DeviceIoControl` to eliminate running defenses.
Because the driver’s device object lacks the `FILE_DEVICE_SECURE_OPEN` flag and its termination routine performs no Protected Process (PP) / Protected Process Light (PPL) checks, Silver Fox achieves reliable AV evasion. Check Point analysts identified that after terminating security processes, the loader decodes and injects a UPX-packed ValleyRAT downloader module into memory.
This module connects to Chinese-hosted C2 servers, decrypts configuration traffic using a simple XOR cipher, and fetches the final ValleyRAT backdoor payload. ValleyRAT (“Winos”) offers full remote access capabilities including command execution and data exfiltration, confirming the campaign’s attribution to Silver Fox.
Detection Evasion through Signed-Driver Manipulation
Although WatchDog released a patched driver (wamsdk.sys, version 1.1.100) following disclosure, Silver Fox quickly adapted by flipping a single byte within the unauthenticated attributes of the driver’s signature timestamp. This subtle modification preserved the Microsoft Authenticode signature while generating a new file hash, effectively bypassing hash-based blocklists without altering signature validity.
The altered driver is then seamlessly loaded on target systems, continuing the exploitation cycle. This technique underscores a broader trend: adversaries weaponizing legitimate, signed drivers and manipulating timestamp countersigns to evade both static and behavior-based detection mechanisms.
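The two weaknesses described above (the driver loads from a fixed drop directory, and the re-hashed `wamsdk.sys` defeats hash-only blocklists) suggest a detection that keys on image path and file name rather than digest. The script below is an added illustration, not Check Point's or WatchDog's code; it runs over constructed Sysmon Event ID 6 (DriverLoad) records with placeholder digests, and the hash blocklist, field layout and sample values are assumptions for the demo.

```python
"""Flag loads of the WatchDog/Zemana driver abused in the Silver Fox campaign.

Input is a handful of constructed Sysmon Event ID 6 (DriverLoad) records in
key=value form; they are illustrative samples, not real telemetry or IoCs.
"""
import re
from pathlib import PureWindowsPath

# Indicators from the write-up: the loader's drop directory and the driver
# file names (vulnerable amsdk.sys, the patched wamsdk.sys the actor re-hashed,
# and the legacy Zemana driver). Matching on name and path instead of hash is
# deliberate: the one-byte timestamp flip changes SHA-256 but keeps the
# Authenticode signature valid, so a hash-only blocklist misses the new file.
SUSPICIOUS_DIR = PureWindowsPath(r"C:\Program Files\RunTime")
DRIVER_NAMES = {"amsdk.sys", "wamsdk.sys", "zam.exe"}

# Hash-only blocklist as a foil; it knows only the original driver's digest.
# Digests here are shortened placeholders, not real hashes.
HASH_BLOCKLIST = {"aaaaaaaaaaaaaaaa"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def sha256_of(event):
    """Pull the SHA256 digest out of Sysmon's 'SHA256=...,MD5=...' field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256":
            return digest.lower()
    return None

def hash_blocked(event):
    return sha256_of(event) in HASH_BLOCKLIST

def rule_matches(event):
    """Name/path detection that still fires after the hash has changed."""
    image = PureWindowsPath(event.get("ImageLoaded", ""))
    return SUSPICIOUS_DIR in image.parents or image.name.lower() in DRIVER_NAMES

def triage(log_text):
    """Return (image, hash_blocked, rule_matched) for every DriverLoad event."""
    out = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue
        out.append((ev.get("ImageLoaded", ""), hash_blocked(ev), rule_matches(ev)))
    return out

SAMPLE_LOG = """\
EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Hashes=SHA256=1111111111111111
EventID=6 ImageLoaded="C:\\Program Files\\RunTime\\amsdk.sys" Hashes=SHA256=aaaaaaaaaaaaaaaa
EventID=6 ImageLoaded="C:\\Program Files\\RunTime\\wamsdk.sys" Hashes=SHA256=bbbbbbbbbbbbbbbb
"""
```

Running `triage(SAMPLE_LOG)` shows the re-hashed `wamsdk.sys` slipping past the hash blocklist while the path/name rule still flags it.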