Gap in Microsoft Blocklist Exploited, ValleyRAT Runs Undetected

A Chinese nation-state cyber group is exploiting a Microsoft-signed driver to shut down Windows security protections.
Researchers at Check Point said the threat actor tracked as Silver Fox is abusing amsdk.sys, a WatchDog anti-malware driver, to terminate protected processes on Windows 10 and 11. The driver, version 1.0.600, is not on Microsoft’s official Vulnerable Driver Blocklist and was not catalogued by community trackers such as LOLDrivers, a volunteer effort to catalog vulnerable and known malicious Windows drivers. That blind spot allowed the group to exploit it without raising alerts.
The attackers deployed the driver through a custom loader that also contained a vulnerable driver for Zemana antivirus software and a ValleyRAT downloader. The researchers said the loader runs checks for virtual machines and sandboxes before execution. If those checks pass, the loader installs the WatchDog driver and disables Windows protections such as Protected Process Light, or PPL.
PPL is a Windows security feature introduced in Windows 8.1 and is meant to keep critical processes, such as antivirus, endpoint protection and system services, from being terminated or tampered with by untrusted code.
Researchers said the method allows Silver Fox to maintain persistence while evading detection by endpoint defenses. Windows automatically trusts Microsoft-signed code even when vulnerable, allowing adversaries to exploit that trust to escalate privileges and evade monitoring.
ValleyRAT is part of Silver Fox’s wider toolkit. ValleyRAT provides attackers remote control over infected systems and supports long-term espionage and intrusion campaigns. In earlier operations, Silver Fox was linked to the use of Gh0st RAT, another remote access Trojan with overlapping infrastructure and targeting.
Following disclosure, Microsoft issued a patched driver named wamsdk.sys, version 1.1.100. “Although we promptly reported that the patch did not fully mitigate the arbitrary process termination issue, the attackers quickly adapted and incorporated a modified version of the patched driver into the ongoing campaign,” researchers said.
The core weakness that Silver Fox relied on remained exploitable even after the patch. “The attackers altered a single byte in the unauthenticated timestamp field of the driver’s Microsoft Authenticode signature,” the researchers said. This change was enough to bypass defenses that rely on hash-based blocklists. The altered file no longer matched the known hashes, but still appeared legitimate to Windows.
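As an added illustration (not from Check Point's report or this article), the Python below computes the Authenticode image hash, which skips the checksum field, the certificate directory entry and the embedded signature blob, next to a whole-file hash, on a constructed minimal PE: flipping a byte inside the signature area changes the file hash that a naive blocklist keys on but leaves the Authenticode hash intact, while patching section code changes both. The hashing is a simplified linear pass that assumes contiguous sections with the certificate table trailing them, and the sample PE is constructed here, not a real driver.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Digest of a PE image minus the regions Authenticode excludes: the
    CheckSum field, the Certificate Table directory entry and the attribute
    certificate table (signature blob) itself. Simplified linear pass; it
    matches the spec when sections are contiguous and the table trails them."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    opt = pe_off + 4 + 20                                    # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)           # data directories
    checksum_off, certdir_off = opt + 64, dd_off + 4 * 8     # entry 4 = cert table
    cert_start, cert_size = struct.unpack_from("<II", pe, certdir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:certdir_off])
    h.update(pe[certdir_off + 8:cert_start if cert_size else len(pe)])
    if cert_size:                                            # anything after the table
        h.update(pe[cert_start + cert_size:])
    return h.hexdigest()

def file_hash(pe: bytes) -> str:
    """Whole-file SHA-256, the value a naive hash blocklist stores."""
    return hashlib.sha256(pe).hexdigest()

def flip_byte(pe: bytes, offset: int) -> bytes:
    """Copy of pe with the low bit of the byte at offset toggled."""
    out = bytearray(pe)
    out[offset] ^= 0x01
    return bytes(out)

def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ (not a real driver): 512-byte headers, one
    512-byte .text section, then a WIN_CERTIFICATE carrying cert_blob."""
    hdr_size = code_size = 512
    dos = bytearray(b"MZ").ljust(64, b"\0")
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", opt, 60, hdr_size, 0x1234)       # SizeOfHeaders, CheckSum
    struct.pack_into("<II", opt, 144, hdr_size + code_size, 8 + len(cert_blob))
    sect = bytearray(b".text").ljust(40, b"\0")
    struct.pack_into("<II", sect, 16, code_size, hdr_size)   # SizeOfRawData, PointerToRawData
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(hdr_size, b"\0")
    code = bytes(range(256)) * (code_size // 256)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    return bytes(headers + code + win_cert)
```

A blocklist or detection rule keyed on the Authenticode hash rather than the whole-file hash keeps matching when only bytes in the signature area change.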
The researchers urged stronger validation of driver behavior and improvements to blocklists to prevent vulnerable signed drivers from being exploited.