
Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware


The cybercrime group 'Silver Fox' (aka UTG-Q-1000) is running a targeted campaign, primarily against Chinese entities including financial institutions, that abuses a previously unknown, Microsoft-signed vulnerable driver from WatchDog Anti-malware in Bring Your Own Vulnerable Driver (BYOVD) attacks. The driver lets the group neutralize endpoint security products and deploy ValleyRAT, enabling data theft and financial fraud. The group has adapted quickly to patches: a single-byte change to the driver alters its file hash while leaving the Microsoft signature valid, which defeats hash-based blocklists. The campaign is a significant and evolving threat to organizational security and financial assets, particularly in the APAC region.

Analysis

A highly organized and financially motivated threat actor, "Silver Fox," is abusing a previously unknown vulnerable driver signed by Microsoft (MSFT) in a Bring Your Own Vulnerable Driver (BYOVD) campaign, as detailed by Check Point (CHKP). The attack weaponizes the "amsdk.sys" driver from WatchDog Anti-malware to neutralize endpoint security solutions, clearing the way for the ValleyRAT remote access trojan. The driver was not on Microsoft's vulnerable driver blocklist, so it represented a blind spot for blocklist-based defenses.

The threat actor has also shown how brittle hash-based blocking is: a single-byte modification to the driver changes its file hash while preserving the valid Microsoft signature, so a blocklist keyed on the original hash no longer matches the altered file. The campaign's primary targets are Chinese-speaking entities, with a dedicated "Finance Group" focusing on financial personnel to steal sensitive data and execute fraud.

The abuse of legitimate platforms, including Alibaba's (BABA) cloud services and Youdao's (DAO) software, for payload delivery underscores how widely the campaign reaches and creates reputational risk for those service providers. The incident marks an escalation in cybercriminal tactics and a direct threat to corporate security postures and the integrity of the software supply chain, especially for firms operating in or exposed to the APAC financial sector.
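The hash-blocklist gap described above is easiest to see in driver-load telemetry. The script below is an added example, not part of the article or of Check Point's research: it parses constructed Sysmon-style DriverLoad (Event ID 6) lines and applies two rules to each load, a flat SHA-256 blocklist and a rule keyed on the reported signer plus the driver file name. The hashes, the "WatchDog Example Publisher" signer string, the paths and the `amsdk.sys` placement are all placeholders, and the only indicator taken from the page is the driver file name.

```python
"""Driver-load triage keyed on signer and file identity rather than flat file hash.

Added example, not from the article or from Check Point: the telemetry lines are
constructed to resemble Sysmon Event ID 6 (DriverLoad) key=value output, and every
hash, signer string and path is a placeholder rather than a real indicator.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Placeholder hashes (constructed): H_ORIG is the sample that reached a hash
# blocklist, H_VARIANT is the same driver after a one-byte change to the file.
H_ORIG = "0" * 63 + "1"
H_VARIANT = "0" * 63 + "2"
H_TCPIP = "0" * 63 + "3"
H_UNSIGNED = "0" * 63 + "4"

# Constructed driver-load events; the WatchDog signer string is a placeholder.
SAMPLE_EVENTS = [
    f"ImageLoaded=C:\\ProgramData\\tmp\\amsdk.sys Hashes=SHA256={H_ORIG} "
    "Signed=true Signature=WatchDog Example Publisher SignatureStatus=Valid",
    f"ImageLoaded=C:\\ProgramData\\tmp\\amsdk.sys Hashes=SHA256={H_VARIANT} "
    "Signed=true Signature=WatchDog Example Publisher SignatureStatus=Valid",
    f"ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256={H_TCPIP} "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    f"ImageLoaded=C:\\Users\\Public\\amsdk.sys Hashes=SHA256={H_UNSIGNED} "
    "Signed=false Signature=- SignatureStatus=Unsigned",
]


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signer: str
    signature_status: str


# key=value pairs whose values may contain spaces; a value ends where the next key starts.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> DriverLoad:
    fields = dict(FIELD_RE.findall(line))
    # Hashes looks like "MD5=...,SHA256=..."; keep only well-formed algo=value pairs.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signer=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


# Rule 1: flat SHA-256 of the one sample that was public (placeholder value).
# Any change to the file's bytes, even one that keeps the signature valid, defeats it.
BLOCKED_SHA256 = {H_ORIG}

# Rule 2: the driver's identity independent of its bytes: the signer the OS reports
# for the file plus the driver file name (placeholder signer). Neither value is
# derived from the flat hash, so a hash-changing edit does not escape it.
BLOCKED_SIGNED_DRIVERS = {("watchdog example publisher", "amsdk.sys")}


def triage(event: DriverLoad) -> set:
    """Return the names of the rules that fire for one driver load."""
    hits = set()
    if event.sha256 in BLOCKED_SHA256:
        hits.add("hash_blocklist")
    name = PureWindowsPath(event.image).name.lower()
    if event.signature_status == "Valid" and (event.signer.lower(), name) in BLOCKED_SIGNED_DRIVERS:
        hits.add("signer_name_blocklist")
    return hits


def triage_log(lines):
    """Return, per event, the set of rules that fired."""
    return [triage(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, triage_log(SAMPLE_EVENTS)):
        print(parse_event(line).image, sorted(hits) or "clean")
```

Run as-is, the original sample trips both rules, the one-byte variant trips only the signer-plus-name rule, the Microsoft-signed system driver and the unsigned copy trip neither. A file-name rule is still defeated by a rename, so the durable control is a policy that matches on the signer together with the driver's embedded version-resource attributes (original file name and version), which is how WDAC publisher rules and Microsoft's recommended driver block rules are expressed; the point of the example is that blocking a signed vulnerable driver by flat hash alone is the weakest option available.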