There is a new wave of cyberattacks targeting Windows systems, using a stealthy technique that bypasses traditional security tools. A cybercrime group known as Silver Fox has weaponized a legitimate, Microsoft-signed driver to disable antivirus protections and deploy malware undetected.
What’s Happening?
Silver Fox is using a vulnerable driver (amsdk.sys) from WatchDog Anti-Malware, built on the Zemana SDK, to execute a BYOVD (Bring Your Own Vulnerable Driver) attack. This technique allows attackers to gain kernel-level access, bypassing security controls.
- BYOVD is a cyberattack technique where hackers intentionally install a legitimate driver that contains known vulnerabilities. These drivers are usually signed and trusted by the operating system. This makes it especially dangerous, as it bypasses many standard defenses and operates deep within the system.
- Kernel-level access refers to the highest privilege level in an operating system like Windows, where code (e.g., drivers or core OS functions) runs in “kernel mode.”
Once loaded in kernel mode, the driver allows attackers to:
- Terminate protected processes (e.g., stop antivirus like Windows Defender).
- Escalate privileges (e.g., from user to full system control).
- Enable “signature spoofing” or “process tampering” without alerts.
Key Tactics Identified
The campaign deployed ValleyRAT, a remote access trojan (RAT) capable of:
- Full system control
- Data exfiltration
- Anti-analysis techniques to avoid detection in sandbox or virtual environments
Silver Fox also adopted:
- Signature Manipulation by flipping a single byte in the driver to bypass hash-based detection while keeping the Microsoft signature valid.
- All-in-One Malware Loaders: Embedding the driver with anti-analysis logic and EDR/AV killer modules
- Dual-driver strategy for compatibility across Windows versions: Targets older systems with a known vulnerable Zemana driver (zam.exe) and modern systems with the undocumented amsdk.sys, absent from Microsoft’s Vulnerable Driver Blocklist or LOLDrivers
Why This Matters – Even If You’re Not Using WatchDog
Trust Alone Is Not Security – Even Microsoft-signed drivers, which Windows systems generally trust, can be exploited if they contain vulnerabilities. The real issue goes far beyond any single product:
- Any signed driver can be repurposed by attackers if it’s not actively monitored.
- Your organization may unknowingly allow vulnerable drivers due to gaps in update management or failure to enforce blocklists.
- BYOVD Is Rising Fast: The Bring Your Own Vulnerable Driver technique is increasingly used by ransomware groups and advanced threat actors. Attackers exploit legitimate but vulnerable drivers to gain deep access to systems, bypassing traditional security tools.
- Threat actors are now targeting the kernel layer, where traditional security tools have limited visibility and control.
Even if your organization doesn’t use software like WatchDog, you may still be vulnerable to BYOVD attacks if your systems:
- Allow outdated or unverified drivers to run.
- Lack a clear process for monitoring and managing driver activity.
- Do not have security tools capable of detecting threats at the kernel level.
Strategic IT Investment Priorities
- BYOVD operates at the kernel level, which is the most privileged layer of the operating system.
- Businesses need advanced EDR/XDR solutions capable of detecting and responding to threats that operate below the surface.
- Regularly audit installed drivers across endpoints and servers.
- Identify and remove known vulnerable drivers.
- Implement strict controls over driver installation, updates, and removal.
- Ensure only verified and up-to-date drivers are used, and maintain a driver inventory for compliance and security reviews.
- Vulnerable drivers can be introduced through third-party software or hardware vendors.
- Businesses must assess and monitor supply chain risks, including the security posture of vendors and partners.
- Require transparency and a clear patch cadence from vendors, even those whose products are not currently in use.
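One way to act on the driver-audit items above, and on the earlier point that flipping a single byte defeats hash-only detection, is to inventory loaded kernel drivers and record not just the file hash but the Authenticode signer and the version metadata, which survive a byte flip. The PowerShell script below is an added example, not code from the article, ITM, WatchDog or Zemana. It assumes an elevated session, uses only built-in cmdlets (Get-CimInstance, Get-FileHash, Get-AuthenticodeSignature), and the hashes and signer strings in $WatchList are placeholders to be populated from LOLDrivers and vendor advisories; the registry value VulnerableDriverBlocklistEnable and the Win32_DeviceGuard class are Microsoft-documented, but whether the blocklist is on by default depends on the Windows build, so the script reports the raw value rather than interpreting an absent one.

```powershell
# Added example (not from the article or any vendor it names): inventory kernel drivers,
# record hash AND signer/version metadata, flag watch-list matches, and report whether
# the Microsoft Vulnerable Driver Blocklist / HVCI are enforced. Run elevated.

$WatchList = @{
    # PLACEHOLDER hash: replace with real SHA256 values from LOLDrivers (https://www.loldrivers.io).
    Sha256           = @('0000000000000000000000000000000000000000000000000000000000000000')
    # File name from the article. A hash match is brittle (one flipped byte changes it),
    # so also match on names/metadata that a byte flip does not alter.
    OriginalFileName = @('amsdk.sys')
    # PLACEHOLDER: substring of a signer subject you consider risky.
    SignerContains   = @('PLACEHOLDER-SIGNER-NAME')
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several forms: \??\C:\..., \SystemRoot\..., or
    # a path relative to the Windows directory. Normalize to an absolute path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [StringComparison]::OrdinalIgnoreCase)) {
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    } elseif ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p      # e.g. system32\drivers\foo.sys
    }
    return $p
}

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not ($path -and (Test-Path -LiteralPath $path))) { return }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $vi     = (Get-Item -LiteralPath $path).VersionInfo
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $reasons = @()
        if ($WatchList.Sha256 -contains $hash) { $reasons += 'hash-match' }
        if ($WatchList.OriginalFileName -contains $vi.OriginalFilename -or
            $WatchList.OriginalFileName -contains (Split-Path $path -Leaf)) { $reasons += 'name-match' }
        foreach ($s in $WatchList.SignerContains) {
            if ($s -and $signer -like "*$s*") { $reasons += 'signer-match' }
        }
        # An invalid or missing signature on a loaded driver is worth a look on its own.
        if ($sig.Status -ne 'Valid') { $reasons += "signature-$($sig.Status)" }
        [pscustomobject]@{
            Name = $_.Name; State = $_.State; Path = $path; Sha256 = $hash
            SignatureStatus = $sig.Status; Signer = $signer
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            OriginalFileName = $vi.OriginalFilename; FileVersion = $vi.FileVersion
            Flagged = ($reasons.Count -gt 0); Reasons = ($reasons -join ',')
        }
    }
}

function Get-DriverBlocklistPosture {
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Raw registry value; $null means absent (recent builds enable the blocklist by default
        # without writing it, so interpret absence in light of the OS version).
        VulnerableDriverBlocklistEnable = $ci.VulnerableDriverBlocklistEnable
        # 2 in SecurityServicesRunning = HVCI (memory integrity) is running.
        HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

# Keep the full inventory for compliance review; show only flagged entries on screen.
$inventory = Get-DriverInventory
$inventory | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-inventory.csv"
Get-DriverBlocklistPosture | Format-List
$inventory | Where-Object Flagged | Format-Table Name, State, Signer, Reasons, Path -AutoSize
```

Comparing successive CSV exports across endpoints gives the driver inventory the list above calls for; diffing the Signer and OriginalFileName columns, rather than Sha256 alone, is what keeps the check useful when an attacker re-hashes a driver without breaking its signature.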
Secure Your Business with a Comprehensive Cybersecurity Strategy from ITM
In today’s digital landscape, every connected device can become a potential entry point for cyber threats. At ITM, we deliver proactive cybersecurity solutions designed to help you detect threats early, respond swiftly, and protect your systems at every level — from endpoints to core infrastructure.
Contact ITM today to:
- Assess your current security posture and exposure.
- Build a tailored defense strategy aligned with your business needs.
- Ensure end-to-end protection across your entire IT environment.
Security isn’t luck – it’s preparation. Let’s build it together.