A sophisticated new Mac malware campaign has emerged, targeting users through a deceptive PDF conversion website that conceals a dangerous two-stage payload.

The malware, dubbed “JSCoreRunner,” represents a significant evolution in macOS threats, demonstrating how cybercriminals are adapting their techniques to bypass Apple’s security measures while maintaining zero detection rates on major security platforms.

The threat operates through fileripple[.]com, a fraudulent website that masquerades as a legitimate PDF conversion service.

Users visiting the site are prompted to download what appears to be a helpful utility called “FileRipple.pkg,” which creates the illusion of a genuine PDF tool by launching a fake webview interface.

This sophisticated deception allows the malware to execute its malicious activities silently while users believe they are interacting with a legitimate application.

9to5Mac analysts identified this campaign as particularly concerning due to its zero-day status at the time of discovery.

The malware had achieved complete evasion across all security vendors on VirusTotal, highlighting the advanced nature of this threat and the challenges facing traditional detection methods.

The malware’s primary objective centers on browser hijacking, specifically targeting Google Chrome installations on infected systems.

JSCoreRunner systematically traverses the ~/Library/Application Support/Google/Chrome/ directory to locate both default and additional user profiles, then manipulates search engine configurations through TemplateURL object modifications.

Two-Stage Infection Mechanism

The JSCoreRunner campaign employs a carefully orchestrated two-stage deployment strategy designed to circumvent macOS security controls.

The initial stage involves a signed package that was deliberately crafted to appear legitimate, though Apple subsequently revoked the developer’s signature.

This revocation triggers macOS Gatekeeper to block the first-stage package, creating a false sense of security for users who might assume the threat has been neutralized.

However, the second stage, “Safari14.1.2MojaveAuto.pkg,” operates as an unsigned payload that downloads directly from the same compromised domain.

This unsigned nature allows it to bypass Gatekeeper’s default blocking mechanisms, as macOS typically focuses signature validation on initially downloaded packages rather than subsequently fetched components.

Upon successful installation, the malware establishes persistence by modifying Chrome’s search engine settings, redirecting users to fraudulent search engines while hiding crash logs and session restoration prompts to maintain stealth operations.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Mac Malware Dubbed ‘JSCoreRunner’ Weaponizing PDF Conversion Site to Deliver Malware appeared first on Cyber Security News.

Emerging in mid-2025, a sophisticated campaign attributed to the Silver Fox APT has begun exploiting a previously unreported vulnerable driver to compromise modern Windows environments.

This campaign leverages the WatchDog Antimalware driver (amsdk.sys, version 1.0.600), a Microsoft-signed component built on the Zemana Anti-Malware SDK.

By abusing its arbitrary process termination capability, threat actors bypass endpoint detection and response (EDR) and antivirus (AV) protections on fully patched Windows 10 and 11 systems without triggering signature-based defenses.

Initial stages of the attack involve deploying a self-contained loader that embeds multiple drivers and anti-analysis layers.

Infected machines receive a loader binary that first performs checks against virtual machines, sandboxes, and known analysis environments.

Once these checks pass, the loader drops two drivers—one legacy Zemana-based driver for compatibility with older systems, and the newer WatchDog Antimalware driver for modern targets—into a newly created C:\Program Files\RunTime directory.

Check Point researchers noted that both drivers are then registered as kernel services: the legacy driver under ZAM.exe for Windows 7, and amsdk.sys for Windows 10/11.

The loader’s “Termaintor” service ensures persistence for the executed loader stub, while Amsdk_Service facilitates driver loading.

Following driver registration, the campaign’s custom EDR/AV killer logic opens a handle to the vulnerable driver’s device namespace (\\.\amsdk) and issues IOCTL calls to register the malicious process and terminate protected security service processes.

The termination routine reads from a Base64-encoded process list of over 190 entries—spanning popular antivirus and endpoint protection services—and sends IOCTL_TERMINATE_PROCESS commands via DeviceIoControl to eliminate running defenses.

By abusing the driver’s lack of a FILE_DEVICE_SECURE_OPEN flag and missing PP/PPL checks, Silver Fox achieves reliable AV evasion.

Check Point analysts identified that after terminating security processes, the loader decodes and injects a UPX-packed ValleyRAT downloader module into memory.

This module connects to Chinese-hosted C2 servers, decrypts configuration traffic using a simple XOR cipher, and fetches the final ValleyRAT backdoor payload.

ValleyRAT (“Winos”) offers full remote access capabilities including command execution and data exfiltration, confirming the campaign’s attribution to Silver Fox.

Detection Evasion through Signed-Driver Manipulation

Although WatchDog released a patched driver (wamsdk.sys, version 1.1.100) following disclosure, Silver Fox quickly adapted by flipping a single byte within the unauthenticated attributes of the driver’s signature timestamp.

This subtle modification preserved the Microsoft Authenticode signature while generating a new file hash, effectively bypassing hash-based blocklists without altering signature validity.

The altered driver is then seamlessly loaded on target systems, continuing the exploitation cycle.

This technique underscores a broader trend: adversaries weaponizing legitimate, signed drivers and manipulating timestamp countersigns to evade both static and behavior-based detection mechanisms.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Silver Fox APT Hackers Leveraging Vulnerable driver to Attack Windows 10 and 11 Systems by Evading EDR/AV appeared first on Cyber Security News.