
Chasing the Silver Fox: Cat & Mouse in Kernel Shadows

· Published 28/08/2025 13:26 · Modified 28/08/2025 13:45


Essential information

Published
28/08/2025 13:26
Modified
28/08/2025 13:45
Tags
2025-08-28 byovd driver abuse edr evasion kernel exploitation process-termination signature manipulation valleyrat vulnerable driver
Related entities
16 observables, 1 intrusion sets (apt), 6 techniques (mitre), 1 malware, 1 others

Description

Check Point Research uncovered an ongoing campaign by the Silver Fox APT group exploiting a previously unknown vulnerable driver to evade endpoint protection. The attackers used a Microsoft-signed WatchDog Antimalware driver to terminate protected processes on fully updated Windows systems. A dual-driver strategy ensured compatibility across Windows versions. Following disclosure, the vendor released a patched driver, but the attackers quickly adapted by modifying it to bypass blocklists while preserving its valid signature. The campaign delivered ValleyRAT as the final payload, demonstrating sophisticated evasion techniques and highlighting the growing trend of weaponizing signed-but-vulnerable drivers to bypass security controls.

External references