Chasing the Silver Fox: Cat & Mouse in Kernel Shadows
Aug. 28, 2025, 1:45 p.m.
Description
Check Point Research uncovered an ongoing campaign by the Silver Fox APT group exploiting a previously unknown vulnerable driver to evade endpoint protection. The attackers used a Microsoft-signed WatchDog Antimalware driver to terminate protected processes on fully updated Windows systems. A dual-driver strategy ensured compatibility across Windows versions. Following disclosure, the vendor released a patched driver, but attackers quickly adapted by modifying it to bypass blocklists while preserving its valid signature. The campaign delivered ValleyRAT as the final payload, demonstrating sophisticated evasion techniques and highlighting the growing trend of weaponizing signed-but-vulnerable drivers to bypass security measures.
Tags
Date
- Created: Aug. 28, 2025, 1:26 p.m.
- Published: Aug. 28, 2025, 1:26 p.m.
- Modified: Aug. 28, 2025, 1:45 p.m.
Indicators
Additional Information
- China