Silver Fox’s Cyber Rampage: How Hackers Exploit Vulnerable Drivers to Bypass Security

Listen to this Post

Featured Image

Introduction

In the fast-evolving world of cyber warfare, threat actors continue to discover new ways to bypass security barriers. The hacking group known as Silver Fox has raised alarms across the cybersecurity community by exploiting a previously unknown vulnerable driver tied to WatchDog Anti-Malware. Their tactics, centered on Bring Your Own Vulnerable Driver (BYOVD) attacks, showcase a sophisticated level of technical manipulation aimed at disabling antivirus protections and deploying advanced malware. This chilling campaign, first detected in mid-2025, highlights how hackers are pushing beyond traditional attack methods to exploit overlooked weaknesses within trusted systems.

The Full Story of Silver Fox’s Attack

The group Silver Fox weaponized a Windows kernel device driver named “amsdk.sys” (version 1.0.600), built on the Zemana Anti-Malware SDK. Signed by Microsoft but absent from official blocklists, the driver slipped under the radar of most security tools.

The attackers adopted a dual-driver strategy:

On Windows 7 systems, they relied on a known Zemana driver (zam.exe).
On Windows 10 and 11, they deployed the stealthier WatchDog driver.

The vulnerabilities inside this WatchDog driver were severe:

It could terminate protected processes without verification, effectively shutting down antivirus solutions.
It was prone to local privilege escalation (LPE), giving hackers deep system control.

Once defenses were neutralized, Silver Fox delivered ValleyRAT (also called Winos 4.0) — a remote access trojan (RAT) with capabilities for persistence, surveillance, and full system compromise.

The malware loader used in these attacks carried an arsenal of tools, including:

Anti-analysis checks (to evade sandboxes and VMs)

Two embedded drivers

Antivirus-killing functions

The ValleyRAT DLL downloader

Communication with C2 (command-and-control) servers ensured seamless deployment of backdoors onto infected machines.

Following disclosure, WatchDog patched the LPE flaw in version 1.1.100. However, hackers swiftly adapted by flipping a single byte in the driver’s unauthenticated timestamp, retaining the Microsoft signature but generating a new hash. This allowed them to bypass hash-based defenses, showcasing the agility of their campaign.

Beyond technical exploits, Silver Fox — also known as SwimSnake, The Great Thief of Valley, UTG-Q-1000, or Void Arachne — has expanded its operations. The group primarily targets Chinese-speaking victims through fake Chrome and Telegram installers, phishing emails, and trojanized AI tools like DeepSeek.

They employ creative lures such as:

SEO-boosted malicious downloads

Fake MSI installers mimicking WPS Office, Sogou AI, and Youdao
Social engineering on WeChat to trick users into giving away bank details

Researchers revealed the group is split into four sub-clusters:

  1. Finance Group – targets executives and financial staff with tax-related phishing.
  2. News and Romance Group – lures victims through fake media and relationship schemes.
  3. Design and Manufacturing Group – focuses on industrial espionage.
  4. Black Watering Hole Group – infects victims through compromised websites.

The Finance Group is especially notorious for seizing victims’ social media accounts and spreading phishing QR codes in group chats to drain bank funds. According to QiAnXin, Silver Fox has built a complete black-market ecosystem spanning espionage, malware control, and fraud.

What Undercode Say:

Silver Fox’s campaign exposes a critical blind spot in modern cybersecurity — the reliance on signed drivers as inherently trustworthy. The attackers brilliantly manipulated this assumption, turning Microsoft’s own signing process into a weapon.

Their strategy reveals several disturbing insights:

BYOVD as a primary weapon: Instead of searching for zero-days in software, they bring their own trusted yet flawed drivers, sidestepping traditional detection.
Adaptive malware development: By tweaking just one byte, they evaded updated defenses without invalidating Microsoft’s digital trust.
Financial motivation with technical sophistication: Unlike simple ransomware gangs, Silver Fox merges espionage and fraud, sustaining long-term revenue streams.

From a strategic lens, this campaign is a warning to enterprises worldwide. It demonstrates that:

Signature-based defenses alone are insufficient. Organizations must move toward behavior-based detection and exploit prevention.
Regional attacks have global implications. While Silver Fox mainly targets Chinese-speaking users, their techniques can — and likely will — be replicated elsewhere.
Cloud services are being abused as safe havens. By using Alibaba Cloud and Youdao Notes for malware hosting, the group bypassed reputation-based filters.

Analytically, Silver Fox stands out for combining psychological manipulation (phishing, fake apps) with deep technical weaponization (driver exploits, RAT delivery). This dual strength positions them as one of the most dangerous APT-like groups in Asia today.

If left unchecked, Silver Fox could inspire a wave of BYOVD copycats, potentially triggering a new cybercrime trend where hackers recycle overlooked signed drivers into attack tools. Their sophisticated infrastructure and organized sub-groups make them not just opportunistic hackers but a well-oiled cybercrime enterprise with international impact potential.

✅ Fact Checker Results

Silver Fox’s exploitation of WatchDog’s driver has been independently confirmed by Check Point and QiAnXin.
The patched driver (v1.1.100) addresses LPE but still allows arbitrary process termination.
Evidence strongly supports Silver Fox’s role in spreading ValleyRAT via fake apps and phishing campaigns.

🔮 Prediction

Silver Fox will likely escalate its attacks beyond China, testing BYOVD campaigns against Western enterprises. With proven success in bypassing Microsoft’s trust chain, the group could pioneer a new underground market where vulnerable signed drivers are traded as cyberweapons. Expect security vendors to respond by strengthening behavioral monitoring and expanding driver blocklists — but the arms race is far from over.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon