Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware
Summary
Silver Fox, a threat actor, has been exploiting a vulnerable driver associated with WatchDog Anti-malware in a Bring Your Own Vulnerable Driver (BYOVD) attack to disable security solutions on compromised hosts. The driver, amsdk.sys (version 1.0.600), is a Microsoft-signed Windows kernel device driver built upon Zemana Anti-Malware SDK. The campaign, first observed in late May 2025, aims to deploy ValleyRAT (aka Winos 4.0) for remote access and control. The threat actor uses a dual-driver strategy, targeting Windows 7 with a known vulnerable Zemana driver and Windows 10/11 with the undetected WatchDog driver. The attacks employ an all-in-one loader with anti-analysis features and antivirus killer logic. The WatchDog driver has multiple vulnerabilities, including the ability to terminate arbitrary processes and local privilege escalation. The campaign has adapted to a patch released by WatchDog, bypassing signature-based defenses by altering a single byte in the driver. Silver Fox targets Chinese-speaking victims using fake websites and trojanized software, primarily distributing ValleyRAT. The group is highly active and organized, with multiple sub-clusters targeting different sectors, including finance and manufacturing.
Timeline
- 02.09.2025 11:39 (1 article): Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware
  Source: thehackernews.com, 02.09.2025 11:39
Information Snippets
- The vulnerable driver, amsdk.sys (version 1.0.600), is a Microsoft-signed Windows kernel device driver built upon Zemana Anti-Malware SDK.
  First reported: 02.09.2025 11:39 (1 source, 1 article: thehackernews.com)
- The WatchDog driver has vulnerabilities allowing arbitrary process termination and local privilege escalation.
- The campaign uses a dual-driver strategy, targeting Windows 7 with a known vulnerable Zemana driver and Windows 10/11 with the WatchDog driver.
- The final payload is ValleyRAT (aka Winos 4.0), a remote access trojan.
- The attacks employ an all-in-one loader with anti-analysis features, antivirus killer logic, and a ValleyRAT DLL downloader.
- The WatchDog driver patch (version 1.1.100) addresses local privilege escalation but not the arbitrary process termination issue.
- Silver Fox has adapted to the patch by altering a single byte in the driver to bypass signature-based defenses.
- Silver Fox targets Chinese-speaking victims using fake websites and trojanized software, primarily distributing ValleyRAT.
- The group is highly active and organized, with multiple sub-clusters targeting different sectors, including finance and manufacturing.