EXECUTIVE SUMMARY
The SilverFox threat group is actively conducting a campaign using a multi-stage remote access trojan known as ValleyRAT. This operation primarily targets corporate networks and individuals handling cryptocurrency, aiming to establish persistent remote control while stealing sensitive data and financial assets. By deploying a complex malware chain, the attackers seek to maintain long-term access to victim environments and silently siphon funds through clipboard manipulation. The campaign remains ongoing, with the group continuously refining their methods to evade detection.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
The SilverFox threat group is actively conducting a campaign using a multi-stage remote access trojan known as ValleyRAT. This operation primarily targets corporate networks and individuals handling cryptocurrency, aiming to establish persistent remote control while stealing sensitive data and financial assets. By deploying a complex malware chain, the attackers seek to maintain long-term access to victim environments and silently siphon funds through clipboard manipulation. The campaign remains ongoing, with the group continuously refining their methods to evade detection.[emaillocker id="1283"]
The infection chain begins when victims execute malicious installers that employ DLL sideloading to bypass initial security checks. Once active, the malware disables logging services and antivirus tools before retrieving subsequent payloads hidden inside the pixel data of PNG images. A Go-based remote access trojan then communicates with command servers via websockets, blending into normal traffic. The attack concludes by deploying a kernel-level rootkit that receives instructions through named pipes, granting the attackers deep system access and the ability to inject malicious code into core Windows processes.
This threat poses a significant risk because the malware uses an eight-stage loading process and kernel-level rootkit technology to hide its presence, making traditional detection methods ineffective. The attackers frequently recompile files to change signatures and hide payloads inside image files, allowing them to slip past static defenses. To defend against this, organisations must verify digital signatures on all software and monitor for unusual named pipe activity or unexpected processes spawning from critical system services. Regular patching and robust offline backups remain essential to limit the impact of such stealthy intrusions.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1036.007 | Masquerading | Double File Extension |
| Defense Evasion | T1027.003 | Obfuscated Files or Information | Steganography |
| Privilege Escalation | T1055 | Process Injection | — |
| Defense Evasion | T1014 | Rootkit | — |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Collection | T1115 | Clipboard Data | — |
| Command and Control | T1071.004 | Application Layer Protocol | DNS |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/silverfox-hackers-use-go-rat-av-killer/
[/emaillocker]