Prevent undetectable malware and 0-day exploits with AppGuard!

On September 2, 2025, The Hacker News reported that the threat actor known as Silver Fox exploited a Microsoft-signed WatchDog driver to install the remote access trojan ValleyRAT—bypassing endpoint defenses by leveraging a legitimate, signed driver in a “Bring Your Own Vulnerable Driver” (BYOVD) attack.

This campaign highlights a sobering reality: attackers are increasingly weaponizing signed code and vulnerable drivers to neutralize defenses before malware ever executes. Even patched versions of the driver remain useful to the attackers—with one byte change used to preserve Microsoft’s signature while evading blocklists.

In this post, we’ll unpack what lessons business owners should heed, explain why the traditional “detect & respond” paradigm is no longer enough, and advocate for adoption of AppGuard, a mature, proven solution built around isolation and containment. If you lead IT or security for a business, this is a conversation worth having.


The Silver Fox campaign: What went wrong (or rather, what went right for the attacker)

Here’s how the adversary turned trusted systems against defenders:

  1. Leverage a signed driver with vulnerabilities
    The abused driver, amsdk.sys, is a legitimately signed 64-bit kernel driver built on the Zemana Anti-Malware SDK. Because it is Microsoft-signed and not on Microsoft’s vulnerable-driver blocklist, the driver appeared trustworthy to many defenses.

  2. Abuse process termination & local privilege escalation
    Attackers used the driver’s flaws to kill arbitrary processes (including security agents) without any check on whether the target was protected, and escalated privileges to gain kernel-level control.

  3. Maintain stealth and adaptability
    Even after a vendor patch for the privilege escalation, the process-termination flaw remained exploitable. Attackers bypassed simple hash-based blocklists by flipping a single byte in the timestamp field; because that byte lies outside the data the Authenticode signature covers, the Microsoft signature stayed valid while the file hash changed.

  4. Deploy ValleyRAT payload
    With defenses neutralized, the adversary installed ValleyRAT, a sophisticated backdoor that supports remote control, data exfiltration, screen capture, and more.
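Step 3 is the detail a defender should dwell on: a hash-based blocklist keys on bytes the signature does not protect. The following Python, added here as an illustration and not code from the page, from the reporting it cites or from AppGuard, builds a small synthetic PE32+ file and computes both the plain file hash and a simplified Authenticode-style hash, which skips the CheckSum field, the Security data-directory entry and the certificate table as the Authenticode specification does. The layout constants, the fake section contents and the certificate blob are constructed; no bytes of the real driver are reproduced. The page places the changed byte in a timestamp field; the example generalizes to any byte outside the signed region, which is where a change must land for the signature to remain valid.

```python
import hashlib
import struct

# Layout of the constructed PE32+ image (offsets chosen for this example).
E_LFANEW = 0x80          # file offset of the "PE\0\0" signature
SIZE_OF_HEADERS = 0x200  # headers padded up to the first section
SECTION_OFFSET = 0x200   # raw data of the single .text section
SECTION_SIZE = 0x200
CERT_OFFSET = 0x400      # attribute certificate table (WIN_CERTIFICATE blob)
CERT_SIZE = 0x100


def build_synthetic_pe() -> bytes:
    """Build a minimal, non-loadable PE32+ file: DOS header, COFF header,
    optional header, one section header, fake code and a fake certificate
    table. Field offsets follow the PE/COFF specification."""
    buf = bytearray(CERT_OFFSET + CERT_SIZE)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, E_LFANEW)                   # e_lfanew
    pe = E_LFANEW
    buf[pe:pe + 4] = b"PE\0\0"
    # COFF header: Machine=AMD64, 1 section, SizeOfOptionalHeader=240 (PE32+)
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", buf, opt + 60, SIZE_OF_HEADERS)        # SizeOfHeaders
    struct.pack_into("<I", buf, opt + 64, 0xDEADBEEF)             # CheckSum (unsigned field)
    struct.pack_into("<I", buf, opt + 108, 16)                    # NumberOfRvaAndSizes
    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) holds file offset + size
    struct.pack_into("<II", buf, opt + 112 + 4 * 8, CERT_OFFSET, CERT_SIZE)
    sec = opt + 240                                               # first section header
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", buf, sec + 16, SECTION_SIZE, SECTION_OFFSET)  # SizeOfRawData, PointerToRawData
    buf[SECTION_OFFSET:SECTION_OFFSET + SECTION_SIZE] = bytes(range(256)) * 2  # fake code
    buf[CERT_OFFSET:CERT_OFFSET + CERT_SIZE] = b"\x11" * CERT_SIZE             # fake signature blob
    return bytes(buf)


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash a PE32+ file the way Authenticode does (simplified): every byte is
    hashed except the CheckSum field, the Security data-directory entry and the
    certificate table, so a change inside those regions leaves the digest intact."""
    h = hashlib.new(algo)
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("this example handles PE32+ images only")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    secdir_off = opt + 112 + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    # 1) Headers, skipping CheckSum (4 bytes) and the Security directory entry (8 bytes)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:size_of_headers])
    # 2) Section raw data, in order of file offset
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((raw_ptr, raw_size))
    end = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    # 3) Anything after the sections, minus the certificate table itself
    tail = bytearray(data[end:])
    if cert_size and cert_off >= end:
        del tail[cert_off - end:cert_off - end + cert_size]
    h.update(bytes(tail))
    return h.hexdigest()


def file_hash(data: bytes, algo: str = "sha256") -> str:
    """Whole-file hash: what a naive blocklist keys on."""
    return hashlib.new(algo, data).hexdigest()


def with_byte_changed(data: bytes, offset: int, value: int) -> bytes:
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


def compare_blocklist_keys() -> dict:
    """One byte changed in the unauthenticated certificate region versus one byte
    changed in real code: which hash notices which edit."""
    original = build_synthetic_pe()
    evaded = with_byte_changed(original, CERT_OFFSET + 0x40, 0x22)      # unsigned region
    tampered = with_byte_changed(original, SECTION_OFFSET + 0x10, 0x90)  # signed region
    return {
        "file_hash_changed_by_cert_byte": file_hash(original) != file_hash(evaded),
        "authenticode_hash_kept_by_cert_byte": authenticode_hash(original) == authenticode_hash(evaded),
        "authenticode_hash_changed_by_code_byte": authenticode_hash(original) != authenticode_hash(tampered),
    }


if __name__ == "__main__":
    for key, value in compare_blocklist_keys().items():
        print(f"{key}: {value}")
```

The takeaway for a blocklist owner: a rule keyed on the Authenticode hash (the hash Windows code-integrity hash rules are built on) or on signer plus file attributes keeps matching after an edit in the unsigned region, while a rule keyed on the whole-file hash silently stops matching. The parser handles PE32+ only and the image it builds is not a loadable driver.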

What’s especially disconcerting is that this attack sequence doesn’t rely solely on zero-day exploits or exotic techniques. By weaponizing signed, vulnerable components and chaining evasive tactics, the actor subverts defenses before detection even starts.


Why “Detect & Respond” fails in this scenario

Traditional security models center on detection → alert → response. But in cases like Silver Fox:

  • The malicious activity begins below the detection threshold—the driver is valid, signed, and not on blocklists.

  • By the time an alert triggers, it may already be too late: defenses have been disabled, the kernel may be compromised, and persistence is achieved.

  • The system becomes reactive, chasing intrusions rather than preventing them.

Thus, detect & respond becomes an uphill battle. Instead, successful defense in such advanced attacks demands isolation (preventing untrusted code from interacting with the rest of the system) and containment (limiting damage even if compromise begins).


AppGuard: A stronger paradigm built for isolation and containment

If you’re thinking, “We already have EDR, antivirus, XDR solutions”—that’s good, but it’s not enough. AppGuard was designed from day one to assume that attackers will find new paths, sometimes even leveraging signed components. Its approach:

  • Default deny & allowlisting: Only explicitly permitted code can interact with sensitive system resources.

  • Containerization of untrusted processes: Even if an exploit is attempted, it’s confined in a sandboxed environment.

  • Memory/behavior-level controls: AppGuard doesn’t rely solely on signatures; it governs what processes can do, not just what they are.

  • Minimal performance impact: Because it works at a granular level, it can block exploit behavior without crippling system performance.

  • Proven track record: Over 10 years in the field, protecting systems across government, enterprise, critical infrastructure and commercial environments.

Because AppGuard isolates and contains untrusted behavior before damage can spread, it turns the tables on attackers who try to live off the land—or piggyback on trusted drivers. Even if a signed driver is compromised, AppGuard prevents it from acting outside its assigned boundaries.


Moving beyond prevention — defending in depth

AppGuard doesn’t replace detection, EDR, or security operations workflows. Instead, it shifts the balance earlier in the kill chain:

  • Stop malicious action before it escalates, rather than simply reacting later

  • Complement existing tools, adding a proactive barrier

  • Reduce dwell time and blast radius, so if a foothold is achieved, damage remains contained

In short: moving from “Detect & Respond” to “Isolation & Containment” raises the bar dramatically for attackers.


What businesses must do now

  1. Audit your endpoint protection assumptions
    Ask: Do we trust signed drivers by default? Do we assume alerts will always catch malicious behavior? If the answer to either is yes, that is a risk.

  2. Design layered defense with active containment
    Include a solution like AppGuard that rejects or constrains new or vulnerable components—even if they appear trusted.

  3. Deploy gradually, validate impact, scale confidently
    Start with high-risk systems or pilot groups. Monitor for compatibility, tune allowlists, and expand coverage.

  4. Train security operations to think in containment terms
    Incidents should be seen not just as alerts, but as “guarded zones” where threats never gain lateral reach.

  5. Measure success differently
    Traditional metrics (number of alerts, time to detection) should be supplemented with “how much damage was prevented.” A thwarted exploit—even if undetected—counts as a success.
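Step 1 asks whether you trust signed drivers by default, and step 4 asks the SOC to think in containment terms. The following Python, added here as an illustration and not code from the page or from AppGuard, is a small audit over constructed Sysmon-style driver-load (Event ID 6) and process-terminate (Event ID 5) records: any driver whose hash is absent from a clean baseline is reported even when its signature is valid, and the termination of a security agent shortly after such a load is escalated as possible defense tampering. The event lines, hashes, paths, the baseline set and the agent name are constructed; only the field names are Sysmon's.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Sysmon-style events exported as JSON lines.
# Event ID 6 = DriverLoad, Event ID 5 = ProcessTerminate. Paths, hashes,
# timestamps and the agent name "edr_agent.exe" are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 6, "UtcTime": "2025-09-02 10:00:01.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Hashes": "SHA256=1111", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2025-09-02 10:05:12.000", "ImageLoaded": "C:\\Users\\Public\\amsdk.sys", "Hashes": "SHA256=2222", "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"}
{"EventID": 5, "UtcTime": "2025-09-02 10:05:14.000", "Image": "C:\\Program Files\\ExampleEDR\\edr_agent.exe", "ProcessId": 4321}
{"EventID": 5, "UtcTime": "2025-09-02 11:30:00.000", "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 5555}
"""

# Constructed baseline: SHA-256 values of drivers observed on a clean reference image.
BASELINE_DRIVER_HASHES = {"1111"}
# Constructed list of security-agent binaries whose termination is noteworthy.
SECURITY_AGENT_IMAGES = {"edr_agent.exe"}
# How soon after an unknown driver load an agent termination is treated as related.
CORRELATION_WINDOW = timedelta(seconds=60)


def parse_events(text: str) -> list:
    """Parse JSON-lines events and attach a datetime for correlation."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["_time"] = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return events


def sha256_of(hashes_field: str):
    """Pull the SHA256 value out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def audit_driver_loads(events: list) -> list:
    """Report unknown drivers regardless of signature, then escalate any
    security-agent termination that follows such a load within the window."""
    findings = []
    new_drivers = []  # (load time, path) of drivers not in the baseline
    for event in events:
        if event.get("EventID") != 6:
            continue
        if sha256_of(event.get("Hashes", "")) in BASELINE_DRIVER_HASHES:
            continue
        # A valid signature is recorded, but it is not a reason to skip the finding.
        findings.append({
            "type": "new_driver",
            "time": event["_time"],
            "path": event["ImageLoaded"],
            "signer": event.get("Signature"),
            "valid_sig": event.get("SignatureStatus") == "Valid",
        })
        new_drivers.append((event["_time"], event["ImageLoaded"]))
    for event in events:
        if event.get("EventID") != 5:
            continue
        image_name = event["Image"].rsplit("\\", 1)[-1].lower()
        if image_name not in SECURITY_AGENT_IMAGES:
            continue
        for load_time, path in new_drivers:
            if load_time <= event["_time"] <= load_time + CORRELATION_WINDOW:
                findings.append({
                    "type": "agent_killed_after_new_driver",
                    "time": event["_time"],
                    "agent": event["Image"],
                    "driver": path,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_driver_loads(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the sample, the first finding fires for amsdk.sys although the record says Signed=true and SignatureStatus=Valid, which is the point of step 1: the baseline, not the signature, decides whether a driver is expected. The second finding is the containment-minded view from step 4: a security agent exiting within a minute of an unexpected kernel driver load is treated as one incident rather than two unrelated alerts.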


Conclusion & Call to Action

The Silver Fox campaign underscores a modern reality: attackers are embracing techniques that evade detection entirely. As long as we rely on “detect & respond” as our core strategy, we remain vulnerable to subtle, signed threats.

AppGuard, backed by over a decade of successful deployment, offers a different promise—contain first, respond second. It empowers business owners to shift from being reactive to being resilient.

If you're responsible for securing your organization, now is the time to rethink your endpoint strategy. Talk with us at CHIPS. Let’s explore together how AppGuard can prevent the next Silver Fox-style incident from ever taking hold.

Reach out today to schedule a consultation and move your defenses from detection to containment.
