The notorious Russian state-sponsored hacking unit, also known as Fancy Bear, is abusing Microsoft Outlook for covert data exfiltration.

Russia's APT28 Targets Microsoft Outlook With 'NotDoor' Malware

Support for Windows 10 is ending soon which means you wont get vital security updates. Here's why you should upgrade now.

I know many of us love(d) Windows XP and Windows 7 almost as much as we dislike Windows 10 and 11, but if you want to stay secure on Windows, the time to bite the bullet is closing in fast.

Support for Windows 10 will end on October 14, 2025, which means the only Windows version that will continue to receive updates after that date is Windows 11.

Using an out‑of‑date Windows version leaves you exposed to threats designed for yesterday’s flaws. Each Windows update patches known vulnerabilities, some of which might already be used by cybercriminals, so closing those gaps as soon as possible is important. When official support ends, so do the security updates that help keep criminals out.

Through its updates, Microsoft also steadily adds new protection features, like better firewalls and improved warnings, which will never make it to older versions of Windows.

Security software is built for the latest, safest codebase. While programs may support older Windows versions, you may be missing out on some of the options, simply because the older Windows version does not support them.

Other programs may also be unavailable if you are sticking to an old Windows version.

**How to upgrade**

If you’re on Windows 10 than the upgrade to the equivalent version of Windows 11 is free, but that only works if your computer meets the minimum system specifications. If not you’ll either need another computer or you can explore other options.

You can check if your Windows 10 computer is eligible to upgrade for free to Windows 11 by selecting the Start button, then going to **Settings** > **Update & Security** **\> Windows Update**. If your system isn’t compatible with Windows 11, there’ll be a big box letting you know, along with the option to grab the Microsoft PC Health Check App. This will explain in more detail why you may not be able to meet system requirements for Windows 11.

Before upgrading or switching, always do a complete backup of your system and all personal files. If something goes wrong, you’ll be glad you took this extra step.

Windows does retain your old operating system (OS) for up to 10 days after upgrading, letting you revert if problems pop up. After that period, rolling back means a clean install and restoring from backup.

At Malwarebytes, we want you to stay safe and secure, regardless of which operating system you use. However, to ensure you receive the full protection and latest features we offer, we strongly recommend keeping your system up to date.

Make sure to have a plan ready before October 14, 2025 and be aware that doing nothing is also a choice, even though it may not be the best one.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Why you should upgrade to Windows 11 now, and how to do it 

A highly sophisticated email scam is targeting PayPal users with the subject line of "Set up your account profile."

_A co-worker forwarded this rather convincing PayPal scam to me. Thanks Elena._

A highly sophisticated email scam is targeting PayPal users with the subject line of “Set up your account profile.”

We decided to see what the scammers are after. First thing to do is to look at the headers:

The sender address service@paypal.com (sometimes the emails come from service@paypal.co.uk) looks legitimate because it is, but the scammers have spoofed the address.

Basically, when someone sends an email, their computer tells the email system what address to show as the sender. Scammers take advantage of this by using special software or programs that let them type in any “From” address they want. This technique is called spoofing. The scammer sends their email through the internet, and since most email systems aren’t strict about checking this information, the fake sender address is displayed just like a real one would be.

So it’s hard for the everyday user to tell if the email has been spoofed or not.

There are other signs that the email might be a scam though. There is the unusual recipient address, which is nothing like the one of my co-worker. Rather than targeting one individual, scammers set up a distribution list (often using Microsoft 365/Google test domains) with their own domain or, in this case, a compromised one. This allows them to send bulk phishing emails while masking their intent, but does mean that recipients see an unfamiliar address, e.g. {somebody}@{unknow-domain}.test-google-a.com, instead of their own.

The “.test-google-a.com” part of the address refers to a domain often used in testing or in cloud setups through Google Workspace, but in the context of this scam email, it’s a strong indicator of malicious activity or advanced phishing techniques rather than official Google practice. So, that’s red flag #1.

When looking at the email itself, the subject line has nothing to do with what the email is asking the target to do. That’s red flag #2.

> “**Set up your PayPal account profile**  
> New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.  
> Your user ID: Receipt43535e  
> Use this link to finish setting up your profile for this account. The link will expire in 24 hours.”

The layout of the email looks convincing enough, likely copied from an actual PayPal email.

The content however is typical for a phishing email:

*   Urgency: The link will expire in 24 hours.
*   Amount: Over $900 dollars to grab your attention
*   Crypto wallet: most people have only a vague notion of how crypto wallets work, so they don’t see the lie immediately. And Kraken.com is a crypto trading platform, so there is no discrepancy there.
*   The phone number listed is known by the Better Business Bureau as related to this type of scam
*   The recipient is not addressed by name in the email. Legitimate PayPal emails will always address you by your full name or business name, never generic greetings like “Dear Customer” or “Dear User”, or none at all as in this example. Red flag #3, 4, 5, 6, and 7.

The language used in the email is not perfect, but also not bad enough to stand out like a sore thumb. We have discussed in the past how AI-supported spear phishing fools more than 50% of targets, so looking for spelling errors is often not helpful these days.

But now comes the part which showcases the sophistication level of this scam. The link the button in the email points to, actually goes to PayPal.

However, the effect is different from what the target of the phishing email would expect. They are not going to set up a profile nor dispute a payment.

By clicking the link in the email, the target starts the routine to add a secondary user to their PayPal account. The danger here is that a secondary user can issue payments. In other words, the scammer would be able to clean out your PayPal account.

PayPal has over 434 million active users so for phishers that’s a large target audience. To make their attacks more targeted, some groups of phishers will buy or steal large databases of email addresses that are associated with PayPal accounts or which have previously interacted with PayPal services.

**How to stay safe**

As far as we could determine this campaign has been running for a month or more. Here are some tips to help you avoid being caught out:

*   Look out for the red flags above.
*   Always search phone numbers and email addresses to look for associations with known scams.
*   Go directly to PayPal.com to see if there are any messages for your account.
*   Enable two-factor authentication (2FA) to add an extra layer of security to your PayPal account and help prevent scammers getting in.
*   Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 PayPal users targeted in account profile scam 

Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.

Passwords suck. They're hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where passkeys come into play. The so-called “war on passwords” has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the FIDO Alliance (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realize for over a decade.

Like it or not, you’ll be prompted to create a passkey at some point, and you likely already have. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here's everything you need to know about using them.

_Updated September 2: We've added a few details on about restoring passkeys and mentioned non-biometric authentication options._

Passkeys offer a way of confirming you are who you say you are without remembering a long, complicated password, and in a manner that's resistant to common attacks on passwords like phishing and dictionary attacks.

“Passkeys are built to replace passwords and outdated forms of two-factor authentication entirely,” Andrew Shikiar, executive director and CEO of the FIDO Alliance, tells WIRED. They represent a rare step forward in cybersecurity; one that’s not only easier to use than previous methods but also safer.

Conceptually, passkeys can come in many forms, but you’ll most commonly interact with them on a device you own. For example, imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified. You can use your phone as a passkey, which instantly grants access to your Google Account without ever entering a password. The best implementations of passkeys don’t even need a username.

Passkeys end up being safer and more convenient than passwords because they work in a fundamentally different way. Passwords are what you’d call a “shared secret” in the world of cybersecurity. You know the secret, and so does the service you’re signing in to. The problem is that you have to remember that secret, and you aren’t fully in control of it, as you have to share that secret with whatever service you’re using. A data breach and a little decryption time are all that's needed to end up with a compromised account, and you didn't even do anything wrong.

Passkeys use public-key cryptography. Instead of matching a shared secret, public-key cryptography works by matching a pair of keys—a public key that anyone can see, and a private key that only you have access to. It’s safer because only you have access to your private key, and it’s easier because that key is bound to some device you own and usually secured with biometrics.

In the event your device is lost or stolen, you can restore your passkeys using the account you created it with. For instance, Google allows you to store passkeys in the Google Password Manager and sync them across your devices. Windows and iCloud Keychain only work on their respective operating systems, but they're tied to your Microsoft and Apple accounts, respectively.

**Are Passkeys Safe?**

Passkeys are safe, even more so than a long, random password. When you sign in with a passkey, you send a handful of information to the service you’re signing into, including your public key, which is stored as a representation of you as a user. This information alone doesn’t do anything.

On the device where you created the passkey, you'll have to engage in a “challenge” to unlock your private key, usually some form of biometric authentication. If the challenge is successful, it’s signed and sent back to the service you’re trying to log into. That challenge is then checked against the public key, and if it’s a match, you’re given access. Critically, this authentication happens on your device, not on a server far away.

Although biometric authentication is how you'll typically interact with passkeys on a mobile device, it's not a requirement. On Windows, for example, you need to authenticate with Windows Hello, which can use your device's PIN. On Android, you can use a pin or pattern.

With a password, there’s a ton of room for an attacker to potentially steal your password. Data breaches might expose your password, and even if it’s encrypted, it can be cracked. Phishing schemes are an easy vector of attack for hackers looking to steal passwords. And, if you’re using a service with spotty security practices, you could have a password exposed as plaintext in a breach; there are dozens and dozens of examples of this happening before.

**Passkeys vs. 2FA and MFA**

Passkeys are tricky because they fly in the face of security conventions that have been around for years—namely, two-factor (2FA) or multifactor authentication (MFA). Although you don’t need to plug in a code from a text or copy something over from an authenticator app, passkeys inherently use multifactor authentication. It just happens so fast that it’s easy to miss.

MFA is about adding additional layers of protection beyond your password. Instead of just your password, you need it and a code texted to you, for example. Passkeys already work that way. You need to match the public-private key pair, but you also need to authenticate that you have access to that private key. It’s not “something you know and something you own,” as 2FA is normally described, but it’s still two layers of authentication.

Here's how Shikiar describes it: “When you sign in, the service issues a cryptographic challenge that can only be answered with the private key on your device, verified by something you have (like your phone or laptop) and often something you are (like a biometric). The result is a phishing-resistant login with no reusable credentials to steal.”

**Devices and Browsers That Support Passkeys**

Passkeys are broadly integrated at an operating system level. If you’re using an OS that doesn’t natively support passkeys—i.e., Linux—you can still use them. However, you’ll need to use another device, like your phone, to scan a QR code and authenticate yourself, or a third-party password manager.

Here are the operating systems that fully support passkeys:

*   Android 9 or newer
*   iOS 16 or newer
*   macOS 13 (Ventura) or newer
*   Windows 10/11 23H2 or newer

Each one of these operating systems supports passkeys for native apps, as well as in your browser. Chromium supports passkeys, which covers the vast majority of browsers available, including Brave, Opera, Vivaldi, and Google Chrome. The major non-Chromium browser, Mozilla Firefox, also supports passkeys on version 122 or newer.

**How to Create and Store Passkeys**

To use passkeys, you need to store them somewhere. The major operating systems that support passkeys already include a way to store them, but they aren’t created equally.

Windows 10 and Windows 11

You need to set up Windows Hello to use passkeys on Windows 10 or Windows 11. You might have set it up during installation, but if not, you can enable it in the **Settings** app by clicking **Accounts > Sign-in options**. Whenever you want to use a passkey, you’ll need to authenticate with Windows Hello, be it with your face, fingerprint, or PIN.

Windows 10 or 11, version 23H2 or later, will prompt you to use a passkey whenever you attempt to sign in to a supported service on a supported browser (or through a native Windows app). Unlike other operating systems, these passkeys aren’t synced across your devices. They only work on your Windows device.

Both macOS and iOS store passkeys on your iCloud Keychain, so you’ll need to turn your Keychain on if it’s not already enabled. You can turn it on in the **Settings** app by following **Apple ID > iCloud > Passwords and Keychain**. You’ll need to enable 2FA for your Apple ID to use iCloud Keychain.

Similar to Windows, you’ll be prompted to create a passkey whenever you create a new account with a service that supports passkeys. If you want to add a passkey to an already created account, you’ll have to do so through that application’s settings. Unlike Windows, these passkeys work across devices, assuming you have access to your iCloud Keychain.

In newer versions of macOS (version 15 and later), it’s much easier to create and manage passkeys through the dedicated Passwords app.

iOS follows the same principles as macOS when it comes to Passkeys. They’re stored in your iCloud Keychain and synced across your devices. In iOS 18 and newer, you can manage passkeys in the dedicated Passwords app, and in older versions, you can find them in your settings.

iOS via Jacob Roach

iOS via Jacob Roach

Android 9 and newer versions support passkeys, but in different forms. By default, passkeys in Android will use the Google Password Manager, which is tied to your Google Account and syncs across your devices. On Android 14 and newer, you can choose to store your passkeys elsewhere, such as in a third-party password manager.

Passkeys in a Password Manager

Chrome via Jacob Roach

If you want all your passkeys on all your devices, operating system be damned, you need a password manager. Most of the best password managers support passkeys, allowing you to store and sync them on nearly any device. I personally use 1Password, but services like NordPass, Bitwarden, and Dashlane also support passkeys. You can create and store passkeys with a password manager on Android and iOS.

Keep your logins locked down with our favorite password management apps for PC, Mac, Android, iPhone, and web browsers.

**Apps That Support Passkeys**

There are only a few places where you can store and sync passkeys, but plenty of services support passkeys for signing in. The usual suspects include Microsoft, Adobe, Amazon, Google, and Apple, but there are still many websites and apps that don’t support passkeys.

You can find a handful of directories that claim to hold a complete list of apps that support passkeys with a quick Google search. 1Password maintains one directory, as do a couple of B2B services, including a directory from Hanko and another from OwnID. These aren’t complete lists. Meta apps like Facebook and Instagram aren’t listed, for example, despite adding support for passkeys in June 2025.

The best directory I’ve come across is from a nonprofit called 2factorauth in Sweden. It’s hosted on GitHub, updated constantly, and critically, maintained by the community. It’s the most up-to-date I’ve found, and apps are even organized into categories so you can, for instance, pick a VPN service that supports passkeys.

**Passkeys Will (Eventually) Replace Passwords**

Passkeys were built to replace passwords, but we’re in the middle of a long, arduous transition to get there. It requires every app, device, and operating system to adopt a new standard of authentication and ditch a model we've been using for decades throughout our entire digital lives.

The inflection point is well underway, though. With major services adopting passkeys, it’s possible to use them across your most important accounts. If nothing else, it’s worth using passkeys on accounts that are connected to others, such as your Google or Facebook account if you use social sign-on features.

Despite offering clear security advantages, passkeys aren't a (excuse the pun) turnkey solution for better security. As Shikiar puts it, “Passkeys secure the front door, but organizations still need to harden the entire identity journey, ranging from onboarding and recovery to session management.”

**_Power up with unlimited access to_ WIRED_._** _Get best-in-class reporting and exclusive subscriber content that's too important to ignore. Subscribe Today._

What Is a Passkey? Here’s How to Set Up and Use Them (2025)

An Iran-nexus group has been linked to a "coordinated" and "multi-wave" spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world.
The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice.
"Emails were sent to

Data Breach / Cyber Espionage

An Iran-nexus group has been linked to a "coordinated" and "multi-wave" spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world.

The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as **Homeland Justice**.

"Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication," the company said. "Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension."

The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to "Enable Content" in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload.

The email messages, per Dream, were sent to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, suggesting that the activity cast a wide phishing net. European embassies and African organizations are said to have been the most heavily targeted.

The digital missives were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities to give them an extra layer of credibility. At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris (\*@fm.gov.om).

"The lure content consistently referenced urgent MFA communications, conveyed authority, and exploited the common practice of enabling macros to access content, which are the hallmarks of a well-planned espionage operation that deliberately masked attribution," Dream said.

The end goal of the attacks is to deploy using the VBA macro an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information.

Cybersecurity company ClearSky, which also detailed some aspects of the campaign late last month, said the phishing emails were sent to multiple ministries of foreign affairs.

"Similar obfuscation techniques were used by Iranian threat actors in 2023 when they targeted Mojahedin-e-Khalq in Albania," it said in a post on X. "We assess with moderate confidence that this activity is linked to the same Iranian threat actors."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats

The Confidential Clusters project integrates confidential computing technology into Kubernetes clusters.  It's an end-to-end solution that provides data confidentiality on cloud platforms by isolating a cluster from its underlying infrastructure. In a confidential cluster, all nodes run on top of confidential virtual machines (cVM). Before a node can join the cluster and access secrets, the platform and environment's authenticity are verified through remote attestation. This process involves communication with a trusted remote server.Confidential Clusters enables you to use Red Hat OpenShift,

The Confidential Clusters project integrates confidential computing technology into Kubernetes clusters.  It's an end-to-end solution that provides data confidentiality on cloud platforms by isolating a cluster from its underlying infrastructure. In a confidential cluster, all nodes run on top of confidential virtual machines (cVM). Before a node can join the cluster and access secrets, the platform and environment's authenticity are verified through remote attestation. This process involves communication with a trusted remote server.

Confidential Clusters enables you to use Red Hat OpenShift, a trusted platform to develop, modernize, and deploy applications at scale and leverage the convenience and flexibility of the cloud services without compromising on data security. This is critical for industries such as financial services, health care, and government that need to adhere to the regulatory requirements such as the European Digital Operational Resiliency Act (DORA). 

  
The general availability of OpenShift confidential nodes on cVM is now offered with AMD SEV-SNP and Intel TDX integration on Google Cloud Platform (GCP), as well as with AMD SEV-SNP on Azure in OpenShift version 4.19. Support for Intel TDX on Azure will be available in version 4.20 and above. Additionally, the integration of remote attestation is currently under development and will be included in future OpenShift releases.

It’s a complex technology, but that doesn't mean it's complex to set up. Here are three articles to get you started. This is a rapidly developing topic, so stay tuned for more article in the future.

**Running Red Hat OpenShift clusters on confidential nodes**

If you're new to confidential computing, then read this introductory article for an explanation of all the most important concepts. Learn about common use cases for confidential clusters, including digital sovereignty in industries like government and finance and secure cloud bursting, for scaling into the cloud for intensive workloads while maintaining hardware-level isolation. If you're looking for specifications about how the components fit together, then the graphs and illustrations in this article are particularly useful to help you visualize what needs to be in place when implementing confidential clusters.

Read the article.

**How to set up OpenShift confidential clusters on Microsoft Azure **

This guide explains how to deploy a self-managed Red Hat OpenShift Container Platform cluster on Microsoft Azure confidential virtual machines. It assumes familiarity with confidential computing and OpenShift, and focuses on a development or experimental setup rather than production. It guides you through the process of downloading the Red Hat OpenShift client and installer, obtaining a pull secret, and creating a Service Principal in Azure with the Contributor and User Access Administrator roles to ensure that it has the correct permissions to provision resources. In other words, it's everything you need to get started on Azure with Red Hat OpenShift and confidential clusters.

Read the full article.

**How to install OpenShift with confidential nodes on Google Cloud**

The article guides you through installing a Red Hat OpenShift cluster with confidential nodes on Google Cloud, using either AMD SEV-SNP or Intel TDX-enabled confidential virtual machines to provide memory encryption and isolation. It demonstrates how to generate an SSH key for encrypted access, how to obtain a pull secret, and how to configure your local environment for the installation process.

In the configuration file, you can assign confidential machine types and appropriate settings (such as secure boot, type, and the confidential compute mode) for all cluster nodes, ensuring your workloads are shielded from external actors and even the infrastructure provider. The article shows you how to verify a node's confidentiality by inspecting system logs for AMD SEV-SNP or Intel TDX features, and then shows you how to deploy and destroy a cluster.

Read the article.

**Try confidential clusters**

Whether or not you work in an industry that mandates confidentiality, the need for usable and transparent encryption is important. Confidential clusters gives you the confidence that your data is encrypted even while it's in use on the cloud. Now is a great time to learn more about it.

Learn about confidential clusters

A group linked to Russian intelligence services redirected victims to fake Cloudflare verification pages and exploited Microsoft's device code authentication flow.

Amazon Stymies APT29 Credential Theft Campaign

In this type of misconfiguration, cyberattackers could use exposed secrets to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments.

JSON Config File Leaks Azure ActiveDirectory Credentials

Check Point reports Silver Fox APT using a signed WatchDog driver flaw to disable Windows security and deliver…

Check Point reports Silver Fox APT using a signed WatchDog driver flaw to disable Windows security and deliver ValleyRAT malware.

Check Point Research has identified that the Silver Fox APT group is running a campaign that uses a Microsoft-signed but vulnerable driver to disable security processes on Windows 10 and 11, making it easier to install malware known as ValleyRAT.

The vulnerable driver, named The WatchDog Antimalware driver, amsdk.sys version 1.0.600, had never been flagged by Microsoft’s Vulnerable Driver Blocklist or by community-driven efforts such as Living Off The Land Drivers (LOLDrivers). Silver Fox paired this driver with another older Zemana driver already known to be risky, allowing its loader to work across both modern and legacy Windows systems.

The loader itself is a self-contained package that combines anti-analysis checks, embedded drivers, process-killing logic, and a ValleyRAT downloader. Once deployed, it selects the right driver depending on the system version, installs itself with persistence, and goes straight for security software processes. Check Point found that the malware was configured to terminate nearly 200 processes, many linked to antivirus products commonly used in Asia.

What’s worse, even when WatchDog released a patch, the attackers modified the new driver by “flipping a single byte” in the unauthenticated timestamp section of its Microsoft Authenticode signature. This change created a fresh file hash, enough to bypass hash-based blocklists, but did not break the valid signature. In other words, Windows still treated the driver as trusted.

The final payload was ValleyRAT, also known as Winos, a modular backdoor with spying and command execution features. Infrastructure for command-and-control was traced to servers in China, showing a connection to Silver Fox. Victims appear to be globally distributed, though targeting leaned toward organizations in Asia, particularly China.

The vulnerable and valid-signed WatchDog Antimalware Driver.

Check Point’s researchers described multiple vulnerabilities in the WatchDog driver, from arbitrary process termination to local privilege escalation and raw disk access. The most serious flaw came from the lack of proper access controls on the device namespace, which allowed even non-privileged users to abuse it once installed.

This campaign shows the danger of trusting signed drivers without additional checks. Microsoft’s blocklist is updated infrequently, sometimes only once or twice a year, which creates windows of opportunity for attackers.

Check Point’s full report includes technical analysis, proof-of-concept code, and a detailed appendix of indicators of compromise.

Silver Fox APT Exploits Signed Windows Driver to Deliver ValleyRAT

The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts.
The vulnerable driver in question is "amsdk.sys" (version 1.0.600), a 64-bit, validly signed Windows kernel device driver

The threat actor known as **Silver Fox** has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts.

The vulnerable driver in question is "amsdk.sys" (version 1.0.600), a 64-bit, validly signed Windows kernel device driver that's assessed to be built upon Zemana Anti-Malware SDK.

"This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers," Check Point said in an analysis.

The attack is characterized by a dual-driver strategy, where a known vulnerable Zemana driver ("zam.exe") is used for Windows 7 machines, and the undetected WatchDog driver for systems that run on Windows 10 or 11.

The WatchDog Anti-malware driver has been found to contain multiple vulnerabilities, the first and foremost being the ability to terminate arbitrary processes without verifying whether the process is running as protected (PP/PPL). It's also susceptible to local privilege escalation, allowing an attacker to gain unrestricted access to the driver's device.

The end goal of the campaign, first spotted by Check Point in late May 2025, is to leverage these vulnerable drivers to neutralize endpoint protection products, creating a clear path for malware deployment and persistence without triggering signature-based defenses.

As observed before, the campaign is designed to deliver ValleyRAT (aka Winos 4.0) as the final payload, providing remote access and control capabilities to the threat actor. The cybersecurity company said the attacks employ an all-in-one loader, encapsulating anti-analysis features, two embedded drivers, antivirus killer logic, and the ValleyRAT DLL downloader in one binary.

"Upon execution, the sample performs a few common anti-analysis checks, such as Anti-VM (detection of virtual environments), Anti-Sandbox (detection of execution within a sandbox), hypervisor detection, and others," Check Point said. "If any of these checks fail, the execution is aborted, and a fake system error message is displayed."

The downloader is designed to communicate with a command-and-control (C2) server to fetch the modular ValleyRAT backdoor onto the infected machine.

Following responsible disclosure, Watchdog has released a patch (version 1.1.100) to address the LPE risk by enforcing a strong Discretionary Access Control List (DACL), while not plugging the arbitrary process termination issue. This, in turn, has had the side effect of causing the attackers to swiftly adapt and incorporate the modified version by altering just a single byte without invalidating Microsoft's signature.

"By flipping a single byte in the unauthenticated timestamp field, they preserved the driver's valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists," Check Point noted. "This subtle yet efficient evasion technique mirrors patterns seen in earlier campaigns."

"This campaign demonstrates how threat actors are moving beyond known weaknesses to weaponize unknown, signed drivers—a blind spot for many defense mechanisms. The exploitation of a Microsoft-signed, previously unclassified vulnerable driver, combined with evasive techniques such as signature manipulation, represents a sophisticated and evolving threat."

Silver Fox, also called SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, is assessed to be highly active since early last year, primarily targeting Chinese-speaking victims using fake websites masquerading as Google Chrome, Telegram, and artificial intelligence (AI)-powered tools like DeepSeek to distribute remote access trojans like ValleyRAT.

According to Chinese cybersecurity vendor Antiy, the hacking group is believed to have been around since the second half of 2022, targeting domestic users and companies with an attempt to steal secrets and defraud them.

"The cybercriminal group mainly spreads malicious files through instant messaging software (WeChat, Enterprise WeChat, etc. ), search engine SEO promotion, phishing emails, etc.," the company said. "The 'SwimSnake' cybercriminal group is still frequently updating malware and AV evasion methods."

The attacks employ trojanized versions of open-source software, malicious programs built using the Qt framework, or MSI installers disguised as Youdao, Sogou AI, WPS Office, and DeepSeek to serve Valley RAT, including its online module that can capture screenshots of WeChat and online banks.

The development comes as QiAnXin also detailed a separate campaign mounted by the "Finance Group" within Silver Fox that targets financial personnel and managers of enterprises and institutions, aiming to plunder sensitive financial information or directly profit through fraud.

These attacks leverage phishing lures related to tax audits, electronic invoices, subsidy announcements, and personnel transfers to deceive users into running remote access trojans, while relying on legitimate cloud services such as Alibaba Cloud OSS and Youdao Cloud Notes to host malicious payloads in an attempt to sidestep detection.

The Finance Group is one of the four sub-clusters part of Silver Fox, the other three being the News and Romance Group, the Design and Manufacturing Group, and the Black Watering Hole Group.

Interestingly, after the Finance Group gains control of a victim's computer through methods like watering hole attacks and phishing, they take over the victim's social media accounts and leverage them to send phishing QR codes to various WeChat group chats with the goal of harvesting bank account numbers and passwords from group members, ultimately draining funds from their bank accounts for profit.

"UTG-Q-1000 is one of the most active and aggressive cybercrime groups in China in recent years. Their operations are highly organized, technically sophisticated, and financially motivated," QiAnXin said. "They've established a complete black-market profit chain involving: espionage (data theft), remote control via malware, and financial fraud and phishing."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Tag

#microsoft