
Chasing the Silver Fox: Cat & Mouse in Kernel Shadows

Medium
Published: Thu Aug 28 2025 (08/28/2025, 13:26:31 UTC)
Source: AlienVault OTX General

Description

Check Point Research uncovered an ongoing campaign by the Silver Fox APT group exploiting a previously unknown vulnerable driver to evade endpoint protection. The attackers used a Microsoft-signed WatchDog Antimalware driver to terminate protected processes on fully updated Windows systems. A dual-driver strategy ensured compatibility across Windows versions. Following disclosure, the vendor released a patched driver, but attackers quickly adapted by modifying it to bypass blocklists while preserving its valid signature. The campaign delivered ValleyRAT as the final payload, demonstrating sophisticated evasion techniques and highlighting the growing trend of weaponizing signed-but-vulnerable drivers to bypass security measures.

AI-Powered Analysis

Last updated: 08/28/2025, 13:49:24 UTC

Technical Analysis

Check Point Research attributes the campaign to Silver Fox, an APT group that abused a Microsoft-signed WatchDog Antimalware driver, not previously known to be vulnerable, to disable endpoint protection on fully patched Windows systems. This is a Bring Your Own Vulnerable Driver (BYOVD) attack: the driver is a legitimate, validly signed product component, so it loads under Driver Signature Enforcement, and functionality it exposes to user mode is abused to terminate processes that are otherwise protected, which is how antivirus and EDR agents (typically running as Protected Process Light) are killed. A dual-driver strategy kept the technique working across different Windows versions.

After disclosure the vendor released a patched driver. The attackers then modified the driver so that its file hash changed while its Authenticode signature still verified, which defeats hash-based driver blocklists without tripping signature checks. The final payload is ValleyRAT, a remote access trojan with remote-control and data-exfiltration capability.

The associated MITRE ATT&CK techniques are T1218.011 (System Binary Proxy Execution: Rundll32), T1055 (Process Injection) and T1562.002 (Impair Defenses: Disable Windows Event Logging). These cover the user-mode execution and evasion stages; the driver abuse itself maps to T1562.001 (Impair Defenses: Disable or Modify Tools), which is not among the listed techniques. The threat is serious because it operates in the kernel, where it undermines the integrity and availability of endpoint protection and lets the attackers keep stealthy access to compromised hosts.
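The blocklist bypass described above rests on how Authenticode defines the bytes a signature covers. The following is an added example for this page, not code from Check Point Research or the OTX pulse: it constructs a minimal one-section PE32+ image with a dummy attribute-certificate table (not a real driver) and computes both the flat SHA-256 a hash blocklist keys on and the Authenticode digest, which per the PE Authenticode specification skips the CheckSum field, the Security data-directory entry and the certificate table itself. Changing a byte inside the certificate table therefore moves the file hash but not the signed digest. The page does not say which bytes the attackers altered; this shows only the general mechanism.

```python
"""Flat file hash vs. Authenticode digest on a constructed PE image (added example)."""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def build_pe(section_data: bytes, cert_blob: bytes) -> bytes:
    """Construct a minimal PE32+: DOS header, COFF + optional header, one section, cert table."""
    align = 0x200
    size_of_headers = 0x200
    raw_size = -(-len(section_data) // align) * align
    cert_offset = size_of_headers + raw_size
    # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (PKCS#7), bCertificate
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob

    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, 0x12345678)      # CheckSum: not covered by the digest
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, cert_offset, len(win_cert))
    sect = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, raw_size, size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + sect).ljust(size_of_headers, b"\x00")
    return headers + section_data.ljust(raw_size, b"\x00") + win_cert


def _layout(pe: bytes) -> dict:
    """Locate the header fields the Authenticode digest has to skip."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dir = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    sec_dir = data_dir + 8 * SECURITY_DIR
    return {
        "num_sections": struct.unpack_from("<H", pe, coff + 2)[0],
        "sect_table": opt + struct.unpack_from("<H", pe, coff + 16)[0],
        "checksum": opt + 64,
        "sec_dir": sec_dir,
        "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0],
        "cert": struct.unpack_from("<II", pe, sec_dir),  # (file offset, length)
    }


def cert_table_range(pe: bytes) -> tuple:
    """(file offset, length) of the attribute-certificate table."""
    return tuple(_layout(pe)["cert"])


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over exactly the bytes an Authenticode signature covers."""
    lay = _layout(pe)
    h = hashlib.sha256()
    h.update(pe[:lay["checksum"]])                           # headers up to CheckSum
    h.update(pe[lay["checksum"] + 4:lay["sec_dir"]])         # skip CheckSum
    h.update(pe[lay["sec_dir"] + 8:lay["size_of_headers"]])  # skip Security directory entry
    hashed = lay["size_of_headers"]
    sections = []
    for i in range(lay["num_sections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, lay["sect_table"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):               # PointerToRawData order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    cert_off, cert_len = lay["cert"]
    if cert_len:                                             # trailing data minus the cert table
        h.update(pe[hashed:cert_off])
        h.update(pe[cert_off + cert_len:])
    else:
        h.update(pe[hashed:])
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_byte(data: bytes, offset: int) -> bytes:
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)


def demo() -> dict:
    original = build_pe(b"\x48\x31\xc0\xc3" * 16, b"dummy-pkcs7-signeddata" + b"\x00" * 40)
    cert_off, cert_len = cert_table_range(original)
    # One byte inside the certificate table changes: flat hash moves, signed digest does not.
    retouched = flip_byte(original, cert_off + cert_len - 1)
    # One byte of code changes: the signed digest moves too and the signature would fail.
    patched = flip_byte(original, 0x200)
    return {
        "blocklist_hash_changed": file_sha256(original) != file_sha256(retouched),
        "signature_digest_unchanged": authenticode_hash(original) == authenticode_hash(retouched),
        "code_patch_breaks_signature": authenticode_hash(original) != authenticode_hash(patched),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practical consequence is that a per-hash deny entry (the form most vulnerable-driver blocklists take) stops matching after such a change, whereas a rule keyed on the signer plus file attributes such as original file name and version range still does.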

Potential Impact

For European organizations, this threat poses significant risk, especially for enterprises that depend on Windows infrastructure and endpoint protection agents. Silver Fox's ability to terminate protected processes and evade detection can produce long-running undetected intrusions, data theft, espionage and disruption of critical services. Finance, government, telecommunications and critical-infrastructure organizations are particularly exposed because of the strategic value of their data and services. The use of a validly signed driver to disable security controls complicates detection and response and raises the likelihood of successful compromise and lateral movement. ValleyRAT as the final payload adds remote control, data exfiltration and staging of further malware, amplifying the potential damage. The campaign's rapid adaptation to the vendor patch and to blocklists shows a persistent actor that will keep evolving, which challenges security postures built on signature and hash matching. The likely outcomes for affected European entities are higher incident response costs, regulatory exposure (for example GDPR breach obligations) and reputational damage.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should take a layered approach that goes beyond routine endpoint protection updates. First, enforce a driver control policy with Windows Defender Application Control (WDAC, formerly Device Guard) that allows only drivers the organization has vetted; a valid signature is not a sufficient criterion, because the abused driver was Microsoft-signed. Enable the Microsoft Vulnerable Driver Blocklist together with Hypervisor-protected Code Integrity (HVCI), but do not rely on hash-based blocking alone: this campaign shows a driver can be altered so that its hash changes while its signature remains valid, so where a specific vendor driver must be denied, prefer WDAC rules keyed on the signer and file attributes (file name, product name, version range) over per-hash rules. Second, monitor driver loads and process terminations for BYOVD patterns: a kernel driver loaded from a user-writable or temporary path, a newly seen signed driver that is not in the host's driver inventory, or an unexpected exit of an antivirus or EDR process. Third, maintain an up-to-date inventory of all drivers per build and alert on new driver installations or changes to existing ones. Fourth, consume threat intelligence feeds and vendor advisories to apply patches and blocklist updates quickly, while planning for attacker adaptation with heuristic and behavioral detection rather than indicator matching alone. Fifth, run regular threat hunts focused on kernel-level anomalies and on RAT indicators such as those published for ValleyRAT. Finally, enforce least privilege and network segmentation to limit lateral movement from a compromised endpoint. Incident response plans should cover kernel-level compromise, including the ability to roll back or remove a driver and to rebuild the affected host.
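The monitoring and inventory recommendations above can be expressed as concrete triage logic over driver-load telemetry. The following is an added example for this page, not tooling from Check Point, AlienVault or any EDR vendor: it parses Sysmon Event ID 6 (DriverLoad) records and applies three checks so that a driver whose hash has changed but whose signature still verifies is still flagged, namely a SHA-256 match against published indicators, a load path outside the driver store, and a signer/file-name pair absent from the host's driver baseline, plus a signature-status check. The events and the baseline are constructed for the example; the SHA-256 values in BLOCKLIST_SHA256 are taken from this page's IOC list (the page does not say which indicators are driver files), and the signer names are sample values.

```python
"""Triage of Sysmon Event ID 6 (DriverLoad) records for BYOVD activity (added example)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRIVER_STORE = "c:\\windows\\system32\\drivers\\"

# Subset of the SHA-256 indicators published on this page.
BLOCKLIST_SHA256 = {
    "09587073acbfec909eea69aa49774b3fdaa681db9cec7cb20a4143050897c393",
    "0be8483c2ea42f1ce4c90e84ac474a4e7017bc6d682e06f96dc1e31922a07b10",
    "12b3d8bc5cc1ea6e2acd741d8a80f56cf2a0a7ebfa0998e3f0743fcf83fabb9e",
}

# Constructed baseline: (lower-case signer, lower-case file name) pairs from a known-good build.
BASELINE = {
    ("microsoft windows", "tcpip.sys"),
    ("microsoft windows", "ndis.sys"),
}


def parse_driver_load(xml_text: str) -> dict:
    """Extract the fields a DriverLoad event carries; rejects other event IDs."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "6":
        raise ValueError(f"expected Sysmon EventID 6, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # Hashes is "SHA256=...,MD5=..." in whatever order the Sysmon HashAlgorithms setting lists.
    hashes = dict(kv.split("=", 1) for kv in data.get("Hashes", "").split(",") if "=" in kv)
    return {
        "time": data.get("UtcTime", ""),
        "image": data.get("ImageLoaded", ""),
        "sha256": hashes.get("SHA256", "").lower(),
        "signed": data.get("Signed", "false").lower() == "true",
        "signer": data.get("Signature", ""),
        "status": data.get("SignatureStatus", ""),
    }


def triage(ev: dict, blocklist=BLOCKLIST_SHA256, baseline=BASELINE) -> list:
    """Return the name of every check the event trips (empty list means nothing to see)."""
    findings = []
    image = ev["image"].lower()
    file_name = image.rsplit("\\", 1)[-1]
    if ev["sha256"] in blocklist:
        findings.append("ioc_hash_match")
    if not image.startswith(DRIVER_STORE):
        findings.append("driver_outside_store")
    if not ev["signed"] or ev["status"].lower() != "valid":
        findings.append("unsigned_or_invalid_signature")
    elif (ev["signer"].lower(), file_name) not in baseline:
        # Validly signed but never seen on this build: the case a hash blocklist misses.
        findings.append("signed_driver_not_in_baseline")
    return findings


def make_event(image, sha256, signer, status, signed=True, utc="2025-08-28 12:00:00.000") -> str:
    """Constructed Sysmon-style XML in the shape of Event ID 6 (sample data, not real telemetry)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>6</EventID></System><EventData>"
        f'<Data Name="UtcTime">{utc}</Data><Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256},MD5=0123456789abcdef0123456789abcdef</Data>'
        f'<Data Name="Signed">{str(signed).lower()}</Data><Data Name="Signature">{signer}</Data>'
        f'<Data Name="SignatureStatus">{status}</Data></EventData></Event>'
    )


# Constructed sample: a baseline driver, an IOC hit, and a validly signed driver in a
# temp path whose hash matches nothing (the modified-driver scenario).
SAMPLE_EVENTS = [
    make_event(r"C:\Windows\System32\drivers\tcpip.sys", "a" * 64, "Microsoft Windows", "Valid"),
    make_event(r"C:\Windows\Temp\drv1.sys",
               "09587073acbfec909eea69aa49774b3fdaa681db9cec7cb20a4143050897c393",
               "Microsoft Windows Hardware Compatibility Publisher", "Valid"),
    make_event(r"C:\ProgramData\svc\drv2.sys", "b" * 64,
               "Microsoft Windows Hardware Compatibility Publisher", "Valid"),
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map each loaded image path to its findings."""
    out = {}
    for xml_text in events:
        ev = parse_driver_load(xml_text)
        out[ev["image"]] = triage(ev)
    return out


if __name__ == "__main__":
    for image, findings in run().items():
        print(f"{image}: {', '.join(findings) or 'clean'}")
```

The third sample event is the one that matters for this campaign: its hash is on no list and its signature is valid, so only the path and baseline checks catch it. In production the baseline should be generated per OS build from a golden image rather than hand-written, and the path check should be extended to any directory the driver policy does not trust.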


Technical Details

Author: AlienVault
TLP: WHITE
References: https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/
Adversary: Silver Fox
Pulse Id: 68b059077886827c01bed027
Threat Score: null

Indicators of Compromise

Hash (MD5)

2a299f33b84c85c28dcae950d3950034
41885a879d63a3a519bbfc7f3a788f44
47960eb7affa4987ebed6193b0a636b9
8132275b7a38aaa2421e5815ba02bfd7
a83639773c1bd96a2953ea64a82ff863
ac2274dd71ab8191472ba14848d6f456
bca47e5e24491768604b5664ba5c760a
bfba4f65993c3695e03841e0f79f1d88
e62c339991d3af13407f0f4e69caabe2

Hash (SHA-1)

0e0464db821b1c3aee8d75f7fb28a3e0020cbdd7
5001b8cd2cfb80c8ef43ecb89e45fe687d891e78
9e2497dba8ac82b8774e5d2b4e4eaa038fa654ef
a4b2c0eb31bae06b9e4bbabc1984ad32575ad6c3
aa21ba6512611deae1b42b075b172c0940f6c017
b2ef2fa7c9a8b0973dea3313e5f2ac0179131233
b4501b3289e483bf683fcfe4574cd6308c09fd1f
e408a8e42967b8f28c55b3ef421963c8359acfe4
ea2c9067044da0a381365c9539821521cca06bcd

Hash (SHA-256)

09587073acbfec909eea69aa49774b3fdaa681db9cec7cb20a4143050897c393
0be8483c2ea42f1ce4c90e84ac474a4e7017bc6d682e06f96dc1e31922a07b10
12b3d8bc5cc1ea6e2acd741d8a80f56cf2a0a7ebfa0998e3f0743fcf83fabb9e
2f0e34860194ccd232f7c8c27fefe44c96b63468e8581f93c38767725255f945
35ccb9c521c301e416a3ea0c0292ae93914fe165eb45f749c16de03a99f5fa8e
57f37bc0519557cf3f4c375fd04900a4d5afb82e3b723c6b9d0f96dc08eea84d
5af1dae21425dda8311a2044209c308525135e1733eeff5dd20649946c6e054c
5f23694d44850c1963b38d8eab638505d14c5605e9623fb98e9455795fa33321
9c394dcab9f711e2bf585edf0d22d2210843885917d409ee56f22a4c24ad225e
9e72b958b4ad9fdf64b6f12a89eb2bae80097a65dc8899732bce9dafda622148
b26aecc21da159c0073ecde31cc292d87c8674af8c312776d2cc9827e5c1ad6a
baccea051dc6bb1731fa2bc97c5e0cc2cd37463e83bf73a400451ad7ba00a543
d24fffc34e45c168ea4498f51a7d9f7f074d469c8d4317e8e2205c33a99b5364
fc97ad46767a45f4e59923f96d15ec5b680a33f580af7cc4e320fb9963933f26

IP

156.234.58.194
156.241.144.66

Threat ID: 68b05a98ad5a09ad006d1a54

Added to database: 8/28/2025, 1:33:12 PM

Last enriched: 8/28/2025, 1:49:24 PM

Last updated: 8/31/2025, 9:41:24 AM

Views: 25
