CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

First reported
Last updated
2 unique sources, 4 articles

Summary

Hide ▲

The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims. Recently, a newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029.

Timeline

  1. 18.02.2026 18:00 1 articles · 7h ago

    Cryptojacking Campaign Exploits Driver to Boost Monero Mining

    A newly identified cryptojacking campaign spreads through pirated software installers, deploying system-level malware. The campaign uses a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029.

    Show sources
    Open in new tab
  2. 30.12.2025 12:46 1 articles · 1mo ago

    Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware

    Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute ValleyRAT (aka Winos 4.0). The phishing emails contain decoy PDFs purported to be from India's Income Tax Department. Opening the PDF attachment takes the recipient to the "ggwk[.]cc" domain, from where a ZIP file ("tax affairs.zip") is downloaded. The ZIP file contains a Nullsoft Scriptable Install system (NSIS) installer ("tax affairs.exe"), which leverages a legitimate executable associated with Thunder ("thunder.exe"), and a rogue DLL ("libexpat.dll") that's sideloaded by the binary. The DLL disables the Windows Update service and serves as a conduit for a Donut loader, performing various anti-analysis and anti-sandbox checks. The lander injects the final ValleyRAT payload into a hollowed "explorer.exe" process. ValleyRAT is designed to communicate with an external server and await further commands, implementing a plugin-oriented architecture for keylogging, credential harvesting, and defense evasion. Silver Fox has leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps. The bogus sites created by Silver Fox have been found to impersonate various popular applications, with infections dating back to July 2025. The findings coincide with a recent report from ReliaQuest, which attributed the hacking group to a false flag operation mimicking a Russian threat actor.

    Show sources
    Open in new tab
  3. 04.12.2025 19:25 2 articles · 2mo ago

    Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China

    Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China. The campaign leverages Microsoft Teams lures to trick users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0). The activity has been underway since November 2025. The malicious setup file is a ZIP archive named "MSTчamsSetup.zip" retrieved from an Alibaba Cloud URL. The malware scans running processes for binaries related to 360 Total Security, configures Microsoft Defender Antivirus exclusions, and writes a trojanized version of the Microsoft installer to the "AppData\Local\" path. The malware writes additional files including "AppData\Local\Profiler.json," "AppData\Roaming\Embarcadero\GPUCache2.xml," "AppData\Roaming\Embarcadero\GPUCache.xml," and "AppData\Roaming\Embarcadero\AutoRecoverDat.dll." The malware loads data from "Profiler.json" and "GPUcache.xml," and launches the malicious DLL into the memory of "rundll32.exe." The malware establishes a connection to an external server to fetch the final payload to facilitate remote control.

    Show sources
    Open in new tab
  4. 02.09.2025 11:39 4 articles · 5mo ago

    Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

    The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims. A newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

VoidLink Malware Framework Targets Cloud and Container Environments

VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. The threat actor uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. The framework supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. There are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading.

Open in new tab

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.

Open in new tab

MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities

The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities.

Open in new tab

Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia with HoldingHands RAT

The Silver Fox threat group has expanded its Winos 4.0 attacks to target Japan and Malaysia using the HoldingHands RAT. This campaign involves phishing emails with malicious PDFs and exploits SEO poisoning to distribute malware. The group has been active since at least March 2024, targeting various sectors in China, Taiwan, Japan, and Malaysia. The malware employs sophisticated techniques to evade detection and maintain persistence on compromised systems. The HoldingHands RAT is designed to connect to a remote server, send host information, and execute commands from the attacker. It includes features to update the command-and-control (C2) address via a Windows Registry entry. The malware is equipped to capture sensitive information, run arbitrary commands, and download additional payloads. The group has also been linked to Operation Silk Lure, targeting Chinese fintech, cryptocurrency, and trading platform sectors with highly targeted phishing emails containing malicious .LNK files.

Open in new tab

Confucius Targets Pakistan with WooperStealer and Anondoor Malware

The threat actor Confucius has launched a new phishing campaign targeting Pakistan, deploying WooperStealer and Anondoor malware. The campaign has targeted government agencies, military organizations, defense contractors, and critical industries since at least December 2024. The attacks use spear-phishing and malicious documents to deliver malware that steals sensitive data and exfiltrates device information. Confucius has shifted from document-focused stealers to more advanced Python-based backdoors like Anondoor, which provides long-term persistence and command execution capabilities. The group employs DLL side-loading, obfuscated PowerShell scripts, scheduled tasks, and stealthy exfiltration routines to achieve persistence and evade detection. Anondoor is capable of full host profiling, collecting system details, geolocating public IPs, and inventoring disk volumes before receiving tasking from its command-and-control (C2) servers.

Open in new tab