UtopianKnight Consultancy – James Griffiths

STRATEGIC | TECHNICAL | ADVISORY | AI | DEVELOPMENT | vCTO | CYBER | ICS & OT


Driver Deception: How the Silver Fox APT Evades Modern EDR with Root-Level Tricks

Introduction

Endpoint Detection and Response (EDR) and Antivirus (AV) solutions have become the backbone of modern cyber defence. They promise to spot anomalies, block malicious files, and prevent attackers from gaining a foothold inside corporate networks. Yet, as defenders evolve, so too do adversaries.

In mid-2025, researchers uncovered a sophisticated campaign by Silver Fox, an advanced persistent threat (APT) group, that exploits vulnerabilities in legitimate device drivers to bypass security controls on Windows 10 and Windows 11 systems. By abusing trusted, signed drivers, the group effectively neutralises even the most advanced EDR and AV protections, allowing them to operate with impunity at the kernel level.

This discovery is more than another cyber headline: it exposes the fragility of trust in the software ecosystem and highlights the high-stakes cat-and-mouse game between attackers and defenders.


Who Are Silver Fox?

The Silver Fox APT is a relatively new but increasingly notorious threat actor. First linked to espionage campaigns in 2023, the group has been tied to:

  • Targeted attacks on financial institutions in Asia.
  • Espionage operations against government agencies in Europe.
  • Supply-chain reconnaissance, focusing on telecoms and defence contractors.

While attribution remains murky, security analysts suggest Silver Fox may operate from Eastern Europe with potential state sponsorship. Unlike financially motivated groups, their campaigns show a strategic focus on intelligence gathering and long-term persistence.


The Campaign: Exploiting Trusted Drivers

Step 1: Initial Compromise

Silver Fox typically gains access through spear-phishing emails, malicious documents, or exploiting known vulnerabilities in public-facing systems. Once inside, they move quickly to deploy their driver-based toolkit.

Step 2: Loading a Vulnerable Driver

The attackers identify and exploit legitimate but vulnerable third-party drivers, such as those from hardware vendors who have not patched security flaws. Because these drivers are digitally signed, Windows allows them to load without issue, granting attackers kernel-level privileges.

Examples of abused drivers in past campaigns include:

  • LoJack/Absolute drivers (abused by LoJax malware).
  • Anti-cheat drivers from gaming software.
  • Hardware monitoring tools with poor security practices.

Step 3: EDR and AV Evasion

Once the vulnerable driver is active, Silver Fox deploys custom shellcode that allows them to:

  • Disable EDR hooks that monitor user-mode and kernel-mode processes.
  • Terminate security services running in protected mode.
  • Hide processes, registry entries, and files from detection.

In effect, the driver becomes a rootkit, operating below the visibility of defensive tools.

Step 4: Persistence and Payload Deployment

With defences neutralised, Silver Fox installs secondary payloads such as:

  • Credential stealers for harvesting Active Directory and cached credentials.
  • Keyloggers and spyware to monitor sensitive systems.
  • Data exfiltration tools using encrypted C2 channels.

Why Drivers? The Weak Link in Windows Security

Drivers sit at the heart of the Windows operating system. They manage communication between hardware and software, operating in kernel mode with the highest possible privileges.

For attackers, compromising a driver provides:

  1. Privilege Escalation – Direct access to the kernel bypasses user-mode restrictions.
  2. Stealth – Rootkits can hide processes, services, and network traffic from defenders.
  3. Persistence – Drivers can be reloaded on reboot, maintaining long-term access.
  4. Trust Abuse – Digitally signed drivers exploit the implicit trust Windows places in verified software.

This makes vulnerable drivers an attractive and highly effective attack vector.


Technical Analysis of the Silver Fox Toolkit

Researchers analysing Silver Fox samples identified several hallmarks:

  • Signed Driver Abuse: Attackers loaded a vulnerable driver from a legitimate vendor, then injected shellcode to weaponise it.
  • Kernel Hooking: Malicious routines intercepted system calls, disabling EDR telemetry.
  • Process Hollowing: Legitimate processes were hollowed out and repurposed to run malicious code.
  • Command-and-Control (C2): Communication occurred over HTTPS with domain fronting, blending into normal traffic.
  • Self-Deletion: Malware components deleted themselves after execution, leaving minimal forensic evidence.

Perhaps most concerning was the use of polymorphic code, making each infection slightly different and harder to detect with signature-based tools.


Real-World Implications

The implications of Silver Fox’s campaign extend beyond technical novelty:

  • Critical Infrastructure at Risk: Utilities, healthcare providers, and government systems relying on Windows endpoints are vulnerable.
  • Erosion of Trust in Code Signing: If signed drivers can be weaponised, trust in the Windows security model is undermined.
  • Defensive Blind Spots: Even organisations with world-class EDR solutions may be blind to such activity.
  • Espionage and IP Theft: Industries targeted by Silver Fox risk long-term strategic data loss.

Defensive Measures

1. Monitor and Control Drivers

  • Driver Blocklists: Microsoft publishes a driver blocklist for known vulnerable drivers; ensure it is enforced.
  • Allow-listing Tools: Use solutions like Windows Defender Application Control (WDAC) to restrict driver loading.

2. Harden EDR Deployments

  • Ensure EDR solutions are updated with kernel-mode monitoring capabilities.
  • Deploy multiple overlapping detection tools to reduce single points of failure.

3. System Integrity Features

  • Secure Boot and HVCI (Hypervisor-protected Code Integrity): Enforce integrity checks on drivers.
  • Kernel DMA Protection: Reduce the attack surface for kernel-level exploits.

4. Threat Hunting

  • Hunt for anomalous driver loads or unsigned driver activity.
  • Monitor for unexpected service stoppages or telemetry gaps.
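The two controls above (an enforced driver blocklist, and hunting for anomalous driver loads followed by telemetry gaps) can be checked against exported endpoint telemetry. The script below is an added illustration, not code from UtopianKnight or from the Silver Fox research: it scans constructed Sysmon Event ID 6 (DriverLoad) and System 7036 (service state) records, flags a driver whose hash or file name is on a blocklist, is unsigned, or is loaded from outside the Windows driver store, and raises the severity when a security service stops shortly afterwards. The field names, placeholder hashes, file names such as vulnmon.sys and the service list are all assumptions made for the example; the point it makes is the one the article makes, that a valid signature alone clears nothing.

```python
"""Hunt exported endpoint telemetry for vulnerable-driver (BYOVD) activity.

Added example, not UtopianKnight's or the researchers' code. Record layout,
hashes, paths and service names below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed stand-in for an enforced driver blocklist. Microsoft's real
# list is far larger and ships as a WDAC policy; these are placeholder values.
PLACEHOLDER_VULN_HASH = "aa" * 32
BLOCKED_SHA256 = {PLACEHOLDER_VULN_HASH: "placeholder: known-vulnerable vendor driver"}
BLOCKED_FILENAMES = {"vulnmon.sys"}  # hypothetical file name

# Directories from which production drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Windows security service names (Defender for Endpoint, Defender AV,
# Defender network inspection). Extend with your own EDR's service name.
SECURITY_SERVICES = {"sense", "windefend", "wdnissvc"}

# Constructed telemetry: Sysmon Event ID 6 rows and System 7036 rows.
SAMPLE_EVENTS = [
    {"time": "2025-07-14T09:00:00", "event_id": 6,
     "image": r"C:\Windows\System32\drivers\disk.sys",
     "hashes": "SHA256=" + "11" * 32, "signed": "true",
     "signature_status": "Valid", "signature": "Microsoft Windows"},
    {"time": "2025-07-14T09:03:30", "event_id": 6,
     "image": r"C:\Windows\System32\DriverStore\FileRepository\acmeaudio.sys",
     "hashes": "SHA256=" + "22" * 32, "signed": "true",
     "signature_status": "Valid", "signature": "Acme Audio Inc"},
    # Validly signed vendor driver, but on the blocklist and dropped in Public.
    {"time": "2025-07-14T09:05:12", "event_id": 6,
     "image": r"C:\Users\Public\vulnmon.sys",
     "hashes": "SHA256=" + PLACEHOLDER_VULN_HASH, "signed": "true",
     "signature_status": "Valid", "signature": "Example Hardware Vendor Ltd"},
    {"time": "2025-07-14T09:05:40", "event_id": 7036, "service": "Sense", "state": "stopped"},
    {"time": "2025-07-14T09:06:02", "event_id": 7036, "service": "Spooler", "state": "stopped"},
    # Unsigned driver loaded from a temp directory, no security service impact.
    {"time": "2025-07-14T09:41:00", "event_id": 6,
     "image": r"C:\Windows\Temp\rwhelper.sys",
     "hashes": "SHA256=" + "33" * 32, "signed": "false",
     "signature_status": "Unavailable", "signature": ""},
]


def parse_hashes(field):
    """Turn Sysmon's 'SHA1=..,SHA256=..' field into {ALGO: lowercase hash}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def classify_driver_load(ev):
    """Return the reasons a DriverLoad event is suspicious (empty if benign)."""
    reasons = []
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    sha256 = parse_hashes(ev["hashes"]).get("SHA256")
    if sha256 in BLOCKED_SHA256:
        reasons.append(f"hash on blocklist ({BLOCKED_SHA256[sha256]})")
    if name in BLOCKED_FILENAMES:
        reasons.append("file name on blocklist")
    if ev["signed"].lower() != "true" or ev["signature_status"] != "Valid":
        reasons.append("unsigned or invalid signature")
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the driver store")
    return reasons


def hunt(events, window=timedelta(minutes=10)):
    """Flag suspicious driver loads; escalate if a security service stops soon after."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 6:
            continue
        reasons = classify_driver_load(ev)
        if not reasons:
            continue
        t0 = datetime.fromisoformat(ev["time"])
        stopped = [
            e["service"] for e in events[i + 1:]
            if e["event_id"] == 7036 and e["state"] == "stopped"
            and e["service"].lower() in SECURITY_SERVICES
            and datetime.fromisoformat(e["time"]) - t0 <= window
        ]
        findings.append({
            "time": ev["time"], "image": ev["image"], "reasons": reasons,
            "services_stopped": stopped,
            "severity": "high" if stopped else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['image']}: "
              f"{'; '.join(f['reasons'])}; stopped={f['services_stopped']}")
```

Run against real data by replacing SAMPLE_EVENTS with rows exported from Sysmon and the System log (or the equivalent SIEM query), and replace the placeholder blocklist with the hashes and file names from Microsoft's published vulnerable driver list. The correlation window is deliberately short: a signed vendor driver appearing outside the driver store and a Defender service stopping within minutes is the pattern described in Step 3 above, and neither event on its own would usually be paged.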

5. Patch Management

  • Work with hardware and software vendors to ensure drivers are updated promptly.
  • Pressure vendors to retire vulnerable drivers and enforce stronger signing requirements.

Policy and Industry Considerations

The Silver Fox campaign underscores systemic challenges:

  • Vulnerability Disclosure: Hardware vendors must respond more rapidly to driver vulnerabilities.
  • Code-Signing Reform: The trust model for signed drivers may need overhaul, including multi-factor validation.
  • International Cooperation: Given the state-linked nature of such groups, governments must work together on attribution and deterrence.

The Future of Driver Exploitation

Looking forward, driver-based attacks are likely to increase. We can expect:

  • AI-assisted Driver Exploits: Automated discovery of vulnerable drivers using machine learning.
  • Firmware Exploitation: Attackers moving below the driver level into BIOS/UEFI firmware.
  • Cross-Platform Expansion: Similar tactics targeting Linux and macOS kernel extensions.
  • Commercialisation: As with ransomware, we may see “driver exploitation kits” offered on the dark web.

Defenders must assume attackers will continue to exploit the implicit trust placed in core system components.


Conclusion

The Silver Fox APT campaign highlights one of the most insidious attack vectors in today’s cyber landscape: the exploitation of vulnerable but trusted drivers. By operating at the kernel level, these attackers bypass even the most advanced defences, undermining confidence in EDR and AV solutions.

For organisations, the lesson is clear:

  • Trust nothing implicitly, not even signed drivers.
  • Layer defences to account for worst-case scenarios.
  • Pressure vendors and governments to strengthen the integrity of the software supply chain.

As the arms race between attackers and defenders continues, the Silver Fox operation demonstrates that control over the lowest levels of the system remains the ultimate prize in cybersecurity.

