Check Point Research has uncovered a new campaign tied to the Silver Fox APT group. The operation relies on signed but vulnerable Windows drivers to slip through security defenses and deliver ValleyRAT, a modular backdoor.
Two drivers are key to this operation, both built on the Zemana Anti-Malware SDK. One is old and already flagged and blocked on most systems, while the other is new, still trusted, and signed by Microsoft.
That signature means it loads without question, even on fully updated Windows 10 and 11 machines. Both drivers share the same ability: they can terminate protected processes, the very ones meant to guard against attack.
The loader is compact and carries everything it needs. It slips in through .rar archives or disguised DLLs. Once inside, it chooses the right driver for the operating system and clears away the defenses. After that, ValleyRAT is delivered.
The backdoor is versatile: it runs in memory, injects into existing processes, and communicates with servers hosted in China. It can steal data, execute commands, and monitor its environment. To evade analysis, it checks for analysis tools and delays its work if it suspects a sandbox is present. Cunningly, it waits until the coast is clear.
Silver Fox has revealed how quickly it is able to adapt. When WatchDog patched its driver, the group took the new version and changed a single byte in its digital timestamp. The alteration was so subtle that it didn’t break the Microsoft signature, because the timestamp sits outside the data the signature covers, so Windows continued to trust it. Yet the file hash changed, which was enough to enable it to slip past blocklists that rely on hashes alone.
This is the edge attackers work on: a signed driver that looks safe, and a patch that looks complete. Yet both can be bent into weapons with little effort. Researchers confirmed the WatchDog driver carried multiple flaws, from local privilege escalation to raw disk access. The patch closed some holes but left others wide open, including the ability to kill processes used by security tools.
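The blocklist weakness described above can be reproduced in a few lines. The following is an added illustration, not Check Point's or the article's code: it builds a constructed "driver image" whose signature covers the code but not the trailing timestamp, flips one byte of that timestamp (the variant the article describes), and then compares a blocklist keyed on the full-file hash with one keyed on the hash of the signed region only (Authenticode's own file hash excludes the signature blob in the same way). HMAC-SHA256 stands in for the vendor's RSA signature, and the layout, key and timestamp are all assumptions made so the script runs offline with the standard library.

```python
"""Why hash-only driver blocklists are brittle: a constructed demonstration.

Constructed image layout: [code][signature over code][unauthenticated timestamp].
HMAC-SHA256 is a stand-in for the vendor's RSA signature (assumption, not a
real Authenticode verifier).
"""
import hashlib
import hmac

VENDOR_KEY = b"constructed-stand-in-for-vendor-signing-key"   # constructed
SIG_LEN = 32          # HMAC-SHA256 digest length
TIMESTAMP_LEN = 16    # constructed fixed-width timestamp field


def sign_image(code: bytes, timestamp: bytes) -> bytes:
    """Build the constructed signed image; only `code` is covered by the signature."""
    assert len(timestamp) == TIMESTAMP_LEN
    sig = hmac.new(VENDOR_KEY, code, hashlib.sha256).digest()
    return code + sig + timestamp


def split_image(image: bytes):
    """Split an image back into (code, signature, timestamp)."""
    code = image[:-(SIG_LEN + TIMESTAMP_LEN)]
    sig = image[-(SIG_LEN + TIMESTAMP_LEN):-TIMESTAMP_LEN]
    timestamp = image[-TIMESTAMP_LEN:]
    return code, sig, timestamp


def signature_valid(image: bytes) -> bool:
    """Signature check: recompute over the signed region only."""
    code, sig, _ = split_image(image)
    expected = hmac.new(VENDOR_KEY, code, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def file_hash(image: bytes) -> str:
    """Hash of every byte, the way a naive blocklist keys its entries."""
    return hashlib.sha256(image).hexdigest()


def signed_region_hash(image: bytes) -> str:
    """Hash of the signed region only, the analogue of the Authenticode file hash."""
    code, _, _ = split_image(image)
    return hashlib.sha256(code).hexdigest()


def perturb_timestamp(image: bytes, offset: int = 0) -> bytes:
    """Reproduce the article's variant: one byte changed in the unsigned timestamp."""
    code, sig, timestamp = split_image(image)
    ts = bytearray(timestamp)
    ts[offset] ^= 0x01
    return code + sig + bytes(ts)


class DriverBlocklist:
    """Holds both kinds of key so the two strategies can be compared side by side."""

    def __init__(self):
        self.file_hashes = set()
        self.signed_hashes = set()

    def add(self, image: bytes) -> None:
        self.file_hashes.add(file_hash(image))
        self.signed_hashes.add(signed_region_hash(image))

    def verdict(self, image: bytes) -> dict:
        return {
            "signature_valid": signature_valid(image),
            "blocked_by_file_hash": file_hash(image) in self.file_hashes,
            "blocked_by_signed_hash": signed_region_hash(image) in self.signed_hashes,
        }


def demo():
    """Block the known driver, then test the one-byte timestamp variant against it."""
    original = sign_image(b"constructed driver code with a process-kill routine",
                          b"20250901T120000Z")
    blocklist = DriverBlocklist()
    blocklist.add(original)
    variant = perturb_timestamp(original)
    return blocklist.verdict(original), blocklist.verdict(variant)


if __name__ == "__main__":
    for label, result in zip(("original", "variant"), demo()):
        print(label, result)
```

The variant still passes the signature check and is missed by the full-file hash, but is caught by the signed-region hash, which is why blocklist entries should key on the Authenticode hash (or on signer plus file attributes, as Windows Defender Application Control rules can) rather than on a plain SHA-256 of the file.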
The malware targets security products common in China, and its infrastructure is also hosted there. Victims are spread across several regions, but the campaign’s design suggests its primary focus is close to home.
Check Point has noticed a pattern that goes beyond Silver Fox. More groups are turning to signed but vulnerable drivers. They know that Microsoft’s blocklist is updated only once or twice a year and that gaps exist. They also know defenders still place too much trust in a signature.
Closing that gap requires layered defenses. YARA rules can help identify malicious drivers, and manual updates to blocklists can add coverage. However, the most important shift is toward behavior-based detection, which looks past trust labels and focuses on what software actually does.
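As an added example of the behaviour-based approach (this is not Check Point's or the article's code), the following correlation rule deliberately ignores whether a driver is signed. It reads constructed endpoint telemetry in a simple key=value line format (an assumption, not any product's real log schema), remembers which process loaded a driver from a user-writable path, and raises an alert when that same process terminates watch-listed security-tool processes within a short window. The path prefixes, process names and time window are illustrative values.

```python
"""Behaviour-based detection of driver abuse over constructed telemetry.

The rule keys on what the loading process does next, not on who signed the
driver. Log format, watchlists and window are assumptions for this example.
"""
from datetime import datetime, timedelta

# Constructed watchlist; a real deployment fills this from its own inventory.
SECURITY_PROCESSES = {"av_service.exe", "edr_agent.exe"}
# Drivers normally live under System32\drivers; loads from these prefixes are suspicious.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOW = timedelta(seconds=30)

# Constructed sample telemetry: the first process loads a driver from a temp
# folder and then kills two security tools; the later lines are benign noise.
SAMPLE_LOG = r"""
2025-09-01T09:00:01 pid=4120 image=C:\Users\u\AppData\Local\Temp\loader.exe event=driver_load driver=C:\Users\u\AppData\Local\Temp\drv.sys signed=true
2025-09-01T09:00:03 pid=4120 event=process_terminate target=av_service.exe
2025-09-01T09:00:03 pid=4120 event=process_terminate target=edr_agent.exe
2025-09-01T09:02:00 pid=900 image=C:\Windows\System32\services.exe event=driver_load driver=C:\Windows\System32\drivers\netdrv.sys signed=true
2025-09-01T09:10:00 pid=2200 event=process_terminate target=notepad.exe
"""


def parse_line(line: str) -> dict:
    """Turn '<iso-time> k=v k=v ...' into a dict with a parsed datetime."""
    stamp, *fields = line.split()
    event = {"time": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_driver_abuse(events: list) -> list:
    """Alert when a process loads a driver from a user-writable path and then
    terminates security-tool processes within WINDOW, regardless of signing."""
    loads_by_pid = {}   # pid -> driver_load events from user-writable paths
    alerts = {}         # (pid, driver path) -> alert record

    for event in events:
        kind = event.get("event")
        if kind == "driver_load" and event["driver"].lower().startswith(USER_WRITABLE_PREFIXES):
            loads_by_pid.setdefault(event["pid"], []).append(event)
        elif kind == "process_terminate" and event["target"].lower() in SECURITY_PROCESSES:
            for load in loads_by_pid.get(event["pid"], []):
                elapsed = event["time"] - load["time"]
                if timedelta(0) <= elapsed <= WINDOW:
                    key = (event["pid"], load["driver"])
                    alert = alerts.setdefault(key, {
                        "pid": event["pid"],
                        "image": load.get("image"),
                        "driver": load["driver"],
                        "signed": load.get("signed"),
                        "terminated": [],
                    })
                    alert["terminated"].append(event["target"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_driver_abuse(parse_log(SAMPLE_LOG)):
        print("ALERT driver-assisted security-tool termination:", alert)
```

Note that the alert fires with `signed=true` on the record: the signature is reported for context but plays no part in the decision, which is the shift the paragraph above describes.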
Silver Fox has shown how fragile trust can be and that a valid signature does not guarantee safety. Defenders need to watch how drivers behave, not just who signed them.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.