Threat Advisory

Silver Fox Delivers ValleyRAT With Kernel Rootkit Components

Threat: Malware Campaign
Threat Actor Name: SilverFox
Threat Actor Type: APT
Targeted Region: Global
Threat Actor Region: China
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY

The SilverFox threat group is actively conducting a campaign using a multi-stage remote access trojan known as ValleyRAT. This operation primarily targets corporate networks and individuals handling cryptocurrency, aiming to establish persistent remote control while stealing sensitive data and financial assets. By deploying a complex malware chain, the attackers seek to maintain long-term access to victim environments and silently siphon funds through clipboard manipulation. The campaign remains ongoing, with the group continuously refining their methods to evade detection.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY

The SilverFox threat group is actively conducting a campaign using a multi-stage remote access trojan known as ValleyRAT. This operation primarily targets corporate networks and individuals handling cryptocurrency, aiming to establish persistent remote control while stealing sensitive data and financial assets. By deploying a complex malware chain, the attackers seek to maintain long-term access to victim environments and silently siphon funds through clipboard manipulation. The campaign remains ongoing, with the group continuously refining their methods to evade detection.[emaillocker id="1283"]

The infection chain begins when victims execute malicious installers that employ DLL sideloading to bypass initial security checks. Once active, the malware disables logging services and antivirus tools before retrieving subsequent payloads hidden inside the pixel data of PNG images. A Go-based remote access trojan then communicates with command servers via websockets, blending into normal traffic. The attack concludes by deploying a kernel-level rootkit that receives instructions through named pipes, granting the attackers deep system access and the ability to inject malicious code into core Windows processes.

This threat poses a significant risk because the malware uses an eight-stage loading process and kernel-level rootkit technology to hide its presence, making traditional detection methods ineffective. The attackers frequently recompile files to change signatures and hide payloads inside image files, allowing them to slip past static defenses. To defend against this, organisations must verify digital signatures on all software and monitor for unusual named pipe activity or unexpected processes spawning from critical system services. Regular patching and robust offline backups remain essential to limit the impact of such stealthy intrusions.

THREAT PROFILE:

Tactic Technique ID Technique Sub-technique
Initial Access T1195.002 Supply Chain Compromise Compromise Software Supply Chain
Defense Evasion T1574.002 Hijack Execution Flow DLL Side-Loading
Defense Evasion T1562.001 Impair Defenses Disable or Modify Tools
Defense Evasion T1036.007 Masquerading Double File Extension
Defense Evasion T1027.003 Obfuscated Files or Information Steganography
Privilege Escalation T1055 Process Injection
Defense Evasion T1014 Rootkit
Credential Access T1552.001 Unsecured Credentials Credentials In Files
Collection T1115 Clipboard Data
Command and Control T1071.004 Application Layer Protocol DNS

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/silverfox-hackers-use-go-rat-av-killer/

[/emaillocker]
crossmenu