Silver Fox APT Exploits Signed Windows Driver to Deliver ValleyRAT
HackRead

Check Point reports Silver Fox APT using a signed WatchDog driver flaw to disable Windows security and deliver ValleyRAT malware.

Check Point Research has identified a Silver Fox APT campaign that loads a Microsoft-signed but vulnerable driver to kill security processes on Windows 10 and 11, clearing the way for the installation of the ValleyRAT malware.

The vulnerable driver, WatchDog's anti-malware driver amsdk.sys version 1.0.600, had never been flagged by Microsoft's Vulnerable Driver Blocklist or by community-driven efforts such as Living Off The Land Drivers (LOLDrivers). Silver Fox paired it with an older Zemana driver already known to be abusable, so its loader works on both modern and legacy Windows systems.

The loader itself is a self-contained package that combines anti-analysis checks, embedded drivers, process-killing logic, and a ValleyRAT downloader. Once deployed, it selects the driver that matches the Windows version, establishes persistence, and goes straight for security software processes. Check Point found that the malware was configured to terminate nearly 200 processes, many belonging to antivirus products commonly used in Asia.

What's worse, even after WatchDog released a patched driver, the attackers modified the new build by "flipping a single byte" in the unauthenticated attributes of its Microsoft Authenticode signature, the part of the PKCS#7 structure that carries the timestamp countersignature. Those bytes lie outside the data the Authenticode digest covers, so the change produced a fresh file hash, enough to bypass hash-based blocklists, without invalidating the signature. In other words, Windows still treated the driver as trusted.
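To see why that works, here is an added example (not code from Check Point, WatchDog or the original article) that computes the Authenticode digest of a PE the way the Authenticode PE specification defines it and compares it with the plain SHA-256 of the file. The PE image is a constructed PE32+ skeleton with a placeholder certificate blob standing in for a real PKCS#7 signature, so it demonstrates which bytes the digest covers rather than signature validation; the function and variable names are my own.

```python
# Added illustration, not Check Point's, WatchDog's or Silver Fox's code: which bytes an
# Authenticode digest covers. The PE is a constructed skeleton with a placeholder cert blob.
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def pe_layout(data: bytes) -> dict:
    """Locate the fields the Authenticode digest skips, plus the section table."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + {0x10B: 96, 0x20B: 112}[magic]                 # PE32 / PE32+ data dirs
    secdir_off = dd_off + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = []
    for i in range(num_sections):                                 # (PointerToRawData, SizeOfRawData)
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum_off": opt + 64, "secdir_off": secdir_off,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "cert_off": cert_off, "cert_size": cert_size, "sections": sorted(sections)}

def authenticode_sha256(data: bytes) -> str:
    """SHA-256 Authenticode digest per the Authenticode PE spec: the file minus the CheckSum
    field, the security directory entry and the attribute certificate table (signature)."""
    lay = pe_layout(data)
    h = hashlib.sha256()
    h.update(data[:lay["checksum_off"]])
    h.update(data[lay["checksum_off"] + 4:lay["secdir_off"]])
    h.update(data[lay["secdir_off"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in lay["sections"]:
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if lay["cert_size"]:                                          # trailing data minus cert table
        h.update(data[hashed:lay["cert_off"]])
        h.update(data[lay["cert_off"] + lay["cert_size"]:])
    else:
        h.update(data[hashed:])
    return h.hexdigest()

def file_sha256(data: bytes) -> str:
    """The plain file hash that hash-based blocklists usually key on."""
    return hashlib.sha256(data).hexdigest()

def flip_byte(data: bytes, offset: int) -> bytes:
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed PE32+: headers, one .text section of filler, then an appended
    WIN_CERTIFICATE (revision 2, PKCS_SIGNED_DATA) whose body is placeholder bytes."""
    file_align = sect_size = 0x200
    sect_ptr = size_of_headers = file_align
    cert_off = sect_ptr + sect_size
    win_cert = struct.pack("<IHH", 8 + 64, 0x0200, 0x0002) + bytes(range(64))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<HBB", opt, 0, 0x20B, 14, 0)                # PE32+ magic
    struct.pack_into("<I", opt, 4, sect_size)                     # SizeOfCode
    struct.pack_into("<II", opt, 16, 0x1000, 0x1000)              # entry point, BaseOfCode
    struct.pack_into("<Q", opt, 24, 0x140000000)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)          # section/file alignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0)                            # CheckSum (not digested)
    struct.pack_into("<H", opt, 68, 1)                            # IMAGE_SUBSYSTEM_NATIVE
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, len(win_cert))
    sect = struct.pack("<8sIIIIIIHHI", b".text", sect_size, 0x1000, sect_size,
                       sect_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    code = bytes((i * 7) & 0xFF for i in range(sect_size))        # filler "code"
    return headers + code + win_cert

def demo() -> dict:
    """Flip one byte inside the certificate blob and one inside .text; only the
    .text flip disturbs the Authenticode digest, but both change the file hash."""
    pe = build_sample_pe()
    sig_flip = flip_byte(pe, pe_layout(pe)["cert_off"] + 8 + 40)  # inside the cert body
    code_flip = flip_byte(pe, 0x260)                              # inside the .text section
    return {
        "sig_flip_changes_file_hash": file_sha256(sig_flip) != file_sha256(pe),
        "sig_flip_changes_authenticode": authenticode_sha256(sig_flip) != authenticode_sha256(pe),
        "code_flip_changes_file_hash": file_sha256(code_flip) != file_sha256(pe),
        "code_flip_changes_authenticode": authenticode_sha256(code_flip) != authenticode_sha256(pe),
    }
```

Calling demo() shows the asymmetry: the flip inside the certificate table changes the file's SHA-256 but leaves the Authenticode digest untouched, which is exactly what lets a re-hashed driver keep a valid signature, while the flip in .text changes both. The same functions work on a real driver read from disk. The practical consequence for defenders is that an indicator keyed on the raw file hash is trivially evaded, whereas the Authenticode hash (often published as Authentihash), the signer certificate thumbprint and the file version all survive the trick, so blocklists and detections should key on those.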

The final payload was ValleyRAT, also known as Winos, a modular backdoor with spying and command-execution features. Its command-and-control infrastructure was traced to servers in China, pointing to Silver Fox. Victims appear to be globally distributed, though targeting leaned toward organizations in Asia, particularly China.

Figure: the vulnerable, validly signed WatchDog Antimalware driver.

Check Point's researchers described multiple vulnerabilities in the WatchDog driver, ranging from arbitrary process termination to local privilege escalation and raw disk access. The most serious weakness was the lack of proper access controls on the driver's device namespace: nothing restricted who could open its device object, so once the driver was installed even non-privileged local users could send it requests and abuse these capabilities.

This campaign shows the danger of trusting signed drivers without additional checks. Microsoft's Vulnerable Driver Blocklist is updated infrequently, sometimes only once or twice a year, which leaves windows of opportunity for attackers, and it is only enforced on systems where memory integrity (HVCI), Smart App Control, or a WDAC policy applies it, so organizations should verify that it is actually active rather than assume it. Defenders who maintain their own blocklists should key them on something an attacker cannot change without breaking the signature, such as the Authenticode hash, the signer certificate, and the file version, rather than on the raw file hash alone.

Check Point’s full report includes technical analysis, proof-of-concept code, and a detailed appendix of indicators of compromise.
