The Silver Fox hacking group (also known as SwimSnake and UTG-Q-1000) exploited a vulnerable Microsoft-signed WatchDog Anti-malware driver to disable security systems and deploy the ValleyRAT malware. The campaign was based on the Bring Your Own Vulnerable Driver (BYOVD) tactic, allowing attackers to bypass traditional security measures.

According to Check Point, the attacks used two drivers: the well-known Zemana driver for Windows 7 and the newer amsdk.sys for Windows 10 and 11. The latter contained several critical flaws, including an interface that terminates arbitrary processes without any check on the target, and it also enabled local privilege escalation.
The hackers’ goal was to neutralize the protection so that ValleyRAT (Winos 4.0) could be delivered unhindered. This is a backdoor capable of providing remote control over the system, loading modules, and evading analysis. An all-in-one loader with built-in antivirus killers and anti-VM and anti-sandbox checks was used.
Despite the release of a patch (version 1.1.100) to mitigate the risks, Silver Fox quickly adapted: changing a single byte in the driver was enough to preserve the Microsoft signature while evading hash-based blocklists. This shows the group’s high degree of technical adaptability.
Silver Fox has been operating since the second half of 2022, mainly against Chinese-speaking users. They distribute malware via fake websites, Trojan installers, instant messengers and SEO promotion. Subgroups of the group, in particular the Finance Group, are focused on financial fraud: from phishing emails with tax or subsidy topics to hijacking victims’ social networks and distributing malicious QR codes in WeChat.
Silver Fox’s activities demonstrate a combination of espionage, data theft and financial fraud. The group’s structure includes several “clusters”—from the Black Watering Hole Group to the Design and Manufacturing Group—which indicates a high level of organization and business model of the criminal chain.
The Silver Fox campaign shows that attackers are adept at exploiting even Microsoft-signed drivers to bypass protection and deploy malware. This poses a new challenge for the industry: blocking hashes or known vulnerabilities is no longer enough. A multi-layered approach is needed, including behavioral analysis, driver monitoring, and strengthening verification mechanisms.
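The one-byte evasion and the multi-layered detection the article calls for come down to a single property: Authenticode signs a hash that deliberately skips parts of the file (the PE checksum field, the certificate-table directory entry and the certificate table itself), so a byte changed in an unsigned region alters the file's SHA-256 without invalidating the signature. The following added example (written for this page, not code from Check Point or from the driver's vendor) models that with a constructed toy image and then runs a driver-load record through three policy layers: a plain file-hash blocklist, a blocklist keyed on the signed (Authenticode-style) hash, and a signer-plus-filename rule. The image bytes, the record layout (field names loosely follow Sysmon's DriverLoad event) and the signer string are all constructed placeholders; only the file name amsdk.sys comes from the article.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy "PE image" (not a real driver). Authenticode signs a hash
# that skips a few regions of the file (the PE checksum field, the
# certificate-table directory entry and the certificate table itself);
# this toy models that with a single unsigned trailing certificate region.
HEADER = b"MZ\x90\x00" + b"\x00" * 60
CODE = b"\x55\x48\x89\xe5" + b"\x90" * 128
CERT_REGION = b"CERT-BLOB-PLACEHOLDER" + b"\x00" * 32
CERT_LEN = len(CERT_REGION)


def build_image() -> bytes:
    """Assemble the constructed sample image: header, code, unsigned cert region."""
    return HEADER + CODE + CERT_REGION


def file_hash(image: bytes) -> str:
    """SHA-256 over every byte: what a plain file-hash blocklist keys on."""
    return hashlib.sha256(image).hexdigest()


def signed_hash(image: bytes, cert_len: int = CERT_LEN) -> str:
    """SHA-256 over the signed bytes only (trailing cert region excluded)."""
    return hashlib.sha256(image[:-cert_len]).hexdigest()


def flip_unsigned_byte(image: bytes, cert_len: int = CERT_LEN, offset: int = 4) -> bytes:
    """Copy of the image with one byte inverted inside the unsigned region."""
    pos = len(image) - cert_len + offset
    return image[:pos] + bytes([image[pos] ^ 0xFF]) + image[pos + 1:]


@dataclass(frozen=True)
class DriverLoad:
    """Driver-load record; field names loosely follow Sysmon DriverLoad (constructed)."""
    image_loaded: str
    file_sha256: str
    signed_sha256: str
    signer: str


@dataclass(frozen=True)
class BlockPolicy:
    file_hashes: frozenset        # layer 1: exact file hashes
    signed_hashes: frozenset      # layer 2: Authenticode-style hashes
    signer_and_name: frozenset    # layer 3: (signer, driver file name) pairs


def evaluate(rec: DriverLoad, policy: BlockPolicy) -> list:
    """Return the names of every policy layer that flags this load."""
    hits = []
    if rec.file_sha256 in policy.file_hashes:
        hits.append("file-hash")
    if rec.signed_sha256 in policy.signed_hashes:
        hits.append("authenticode-hash")
    name = rec.image_loaded.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if (rec.signer, name) in policy.signer_and_name:
        hits.append("signer+name")
    return hits


def demo() -> dict:
    """Block the original driver, then re-check a one-byte-modified copy."""
    original = build_image()
    modified = flip_unsigned_byte(original)
    signer = "EXAMPLE-SIGNER-PLACEHOLDER"  # constructed, not the real signer
    policy = BlockPolicy(
        file_hashes=frozenset({file_hash(original)}),
        signed_hashes=frozenset({signed_hash(original)}),
        signer_and_name=frozenset({(signer, "amsdk.sys")}),
    )

    def record(img: bytes) -> DriverLoad:
        # Constructed load event; the path is a placeholder, not an observed IoC.
        return DriverLoad(r"C:\Windows\Temp\amsdk.sys", file_hash(img),
                          signed_hash(img), signer)

    return {
        "signed_hash_unchanged": signed_hash(original) == signed_hash(modified),
        "original": evaluate(record(original), policy),
        "modified": evaluate(record(modified), policy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the original image tripping all three layers while the modified copy passes the file-hash layer untouched and is still caught by the signed-hash and signer-plus-name layers. That is the practical reading of the article's conclusion: a driver-load detection should key on the Authenticode hash, the signer and the driver's file attributes, with the plain file hash as the weakest of the layers rather than the only one.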