Emerging in mid-2025, a sophisticated campaign attributed to the Silver Fox APT has begun exploiting a previously unreported vulnerable driver to compromise modern Windows environments.
This campaign leverages the WatchDog Antimalware driver (amsdk.sys, version 1.0.600), a Microsoft-signed component built on the Zemana Anti-Malware SDK.
Vulnerable, validly signed WatchDog Antimalware driver (Source – Check Point)
By abusing its arbitrary process termination capability, threat actors bypass endpoint detection and response (EDR) and antivirus (AV) protections on fully patched Windows 10 and 11 systems without triggering signature-based defenses.
The initial stages of the attack involve deploying a self-contained loader that embeds multiple drivers and anti-analysis layers.
Infected machines receive a loader binary that first performs checks for virtual machines, sandboxes, and known analysis environments.
Once these checks pass, the loader drops two drivers—a legacy Zemana-based driver for compatibility with older systems, and the newer WatchDog Antimalware driver for modern targets—into a newly created C:\Program Files\RunTime directory.
Check Point researchers noted that both drivers are then registered as kernel services: the legacy driver under ZAM.exe for Windows 7, and amsdk.sys for Windows 10/11.
The loader's "Termaintor" service ensures persistence for the executed loader stub, while Amsdk_Service handles driver loading.
Following driver registration, the campaign's custom EDR/AV killer logic opens a handle to the vulnerable driver's device namespace (\\.\amsdk) and issues IOCTL calls to register the malicious process and terminate protected security service processes.
The termination routine reads from a Base64-encoded process list of over 190 entries—spanning popular antivirus and endpoint protection products—and sends IOCTL_TERMINATE_PROCESS commands via DeviceIoControl to kill running defenses.
Process termination (Source – Check Point)
By abusing the driver's lack of a FILE_DEVICE_SECURE_OPEN flag and its missing PP/PPL checks, Silver Fox achieves reliable AV evasion.
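A defender-side way to surface the loader artifacts described above, written as an added example for this article (it is not code from Check Point or from the campaign): it scans constructed records shaped like Windows System log event 7045 (a new service was installed) for the service names, drop directory and driver file names the write-up reports, plus the generic tell of a kernel driver registered from outside System32\drivers. The event field names, the user-mode file names loader.exe and svc.exe, and the benign WdNisDrv control record are assumptions made for the sample.

```python
"""Hunt constructed service-install records for the loader artifacts reported in the write-up."""

# Indicators taken from the article: service names, drop directory, and driver file names.
LOADER_SERVICE_NAMES = {"termaintor", "amsdk_service"}
DROPPED_DRIVER_NAMES = {"amsdk.sys", "wamsdk.sys", "zam.exe"}
DROP_DIR = r"c:\program files\runtime"
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample events in the shape of System log event 7045 (a new service was installed).
# Field names and the file names loader.exe / svc.exe are assumptions for this sample.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Amsdk_Service",
     "image_path": r"C:\Program Files\RunTime\amsdk.sys", "service_type": "kernel mode driver"},
    {"event_id": 7045, "service_name": "Termaintor",
     "image_path": r"C:\Program Files\RunTime\loader.exe", "service_type": "user mode service"},
    {"event_id": 7045, "service_name": "WdNisDrv",  # constructed benign control record
     "image_path": r"C:\Windows\System32\drivers\WdNisDrv.sys", "service_type": "kernel mode driver"},
    {"event_id": 7045, "service_name": "Backup",
     "image_path": r"C:\Program Files\RunTime\svc.exe", "service_type": "user mode service"},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the reasons an event resembles the loader's service registration (empty if clean)."""
    if event.get("event_id") != 7045:
        return []
    name = event.get("service_name", "").lower()
    path = event.get("image_path", "")
    reasons = []
    if name in LOADER_SERVICE_NAMES:
        reasons.append(f"service name '{event['service_name']}' matches the loader")
    if _basename(path) in DROPPED_DRIVER_NAMES:
        reasons.append(f"image '{_basename(path)}' is one of the dropped drivers")
    if path.lower().startswith(DROP_DIR + "\\"):
        reasons.append("image lives under the loader's drop directory")
    if (event.get("service_type", "").lower().startswith("kernel")
            and not path.lower().startswith(SYSTEM_DRIVER_DIR + "\\")):
        reasons.append("kernel driver registered from outside System32\\drivers")
    return reasons


def hunt(events: list) -> list:
    """Return (service_name, reasons) for every event that scored at least one reason."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["service_name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The name and path indicators are only as durable as the current build of the loader; the last check, a kernel-mode service whose image sits outside the system driver directory, is the one worth keeping as a standing hunt, since it does not depend on the campaign reusing the same strings.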
Check Point analysts found that after terminating security processes, the loader decodes a UPX-packed ValleyRAT downloader module and injects it into memory.
This module connects to Chinese-hosted C2 servers, decrypts configuration traffic using a simple XOR cipher, and fetches the final ValleyRAT backdoor payload.
ValleyRAT ("Winos") provides full remote access capabilities, including command execution and data exfiltration, which supports the campaign's attribution to Silver Fox.
Detection Evasion via Signed-Driver Manipulation
Although WatchDog released a patched driver (wamsdk.sys, version 1.1.100) following disclosure, Silver Fox quickly adapted by flipping a single byte within the unauthenticated attributes of the driver's signature timestamp.
This subtle modification preserved the Microsoft Authenticode signature while producing a new file hash, effectively bypassing hash-based blocklists without affecting signature validity.
The altered driver is then loaded on target systems without interference, continuing the exploitation cycle.
The technique underscores a broader trend: adversaries weaponizing legitimate, signed drivers and manipulating timestamp countersignatures to evade both static and behavior-based detection mechanisms.
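The following is an added example, not code from Check Point or WatchDog, that models why the one-byte change described above defeats a hash blocklist and what kind of rule survives it. Real Authenticode hashes the PE image minus the checksum field, the security directory entry and the certificate table; here the signed region and the certificate table are plain byte strings, and the signer name, file name, version cutoff and timestamp value are constructed assumptions.

```python
"""Toy model of the hash-blocklist bypass described above, and of a rule that survives it.

Real Authenticode hashes the PE image minus the checksum field, the security directory entry and
the certificate table; here the signed region and the certificate table are plain byte strings,
and the sample's signer, file name and version are constructed values.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverSample:
    signed_region: bytes      # bytes covered by the Authenticode digest
    cert_table: bytes         # PKCS#7 blob, including unauthenticated attributes such as the timestamp
    signer: str               # subject of the signing certificate (constructed)
    original_filename: str    # OriginalFilename from the version resource
    version: tuple            # FileVersion


def authenticode_digest(sample: DriverSample) -> str:
    """The digest the signature protects; edits to cert_table do not change it."""
    return hashlib.sha256(sample.signed_region).hexdigest()


def file_hash(sample: DriverSample) -> str:
    """SHA-256 of the whole file, which is what a plain hash blocklist keys on."""
    return hashlib.sha256(sample.signed_region + sample.cert_table).hexdigest()


def variant_with_changed_unauthenticated_byte(sample: DriverSample, offset: int) -> DriverSample:
    """Model the article's observation: one byte inside the unauthenticated timestamp attribute differs."""
    table = bytearray(sample.cert_table)
    table[offset] ^= 0x01
    return DriverSample(sample.signed_region, bytes(table),
                        sample.signer, sample.original_filename, sample.version)


# Constructed original driver and its one-byte variant.
ORIGINAL = DriverSample(
    signed_region=b"MZ\x90\x00" + b"constructed-driver-image-bytes" * 8,
    cert_table=b"PKCS7[signer=CONSTRUCTED WATCHDOG SIGNER][unauth:timestamp=2025-06-01T00:00:00Z]",
    signer="CONSTRUCTED WATCHDOG SIGNER",
    original_filename="amsdk.sys",
    version=(1, 0, 600),
)
ALTERED = variant_with_changed_unauthenticated_byte(
    ORIGINAL, ORIGINAL.cert_table.index(b"timestamp=") + len(b"timestamp="))

# Defence 1: a blocklist of known-bad file hashes, built from the original sample.
HASH_BLOCKLIST = {file_hash(ORIGINAL)}


def blocked_by_hash(sample: DriverSample) -> bool:
    return file_hash(sample) in HASH_BLOCKLIST


# Defence 2: a rule keyed on what the signature actually vouches for (signer plus file identity
# and version), the way WDAC publisher/file-attribute rules work. The version cutoff is an assumption.
IDENTITY_RULE = {"signer": "CONSTRUCTED WATCHDOG SIGNER",
                 "original_filename": "amsdk.sys",
                 "max_version": (1, 0, 600)}


def blocked_by_identity(sample: DriverSample) -> bool:
    return (sample.signer == IDENTITY_RULE["signer"]
            and sample.original_filename.lower() == IDENTITY_RULE["original_filename"]
            and sample.version <= IDENTITY_RULE["max_version"])


def evaluate(sample: DriverSample) -> dict:
    """Summarise both digests and both verdicts for one sample."""
    return {"authenticode_digest": authenticode_digest(sample),
            "file_hash": file_hash(sample),
            "blocked_by_hash": blocked_by_hash(sample),
            "blocked_by_identity": blocked_by_identity(sample)}


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("altered", ALTERED)):
        print(label, evaluate(sample))
```

Running it shows the two samples sharing one Authenticode digest but carrying different file hashes, so the hash blocklist catches only the original while the signer-plus-version rule catches both. That is the practical takeaway for defenders: block vulnerable drivers by publisher, original file name and version range (as WDAC file-attribute rules allow) rather than by file hash alone.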