Thor vs. Silver Fox – Uncovering and Defeating a Sophisticated ValleyRat Campaign
ID: 4a6acba7-9b97-5801-b2b4-0e499090c5ca
STIX ID: report--4a6acba7-9b97-5801-b2b4-0e499090c5ca
Feed Name: Nextron Systems
**Executive Summary:** This report analyzes a sophisticated, active multi-stage malware campaign attributed to the China-aligned APT 'Silver Fox'. The campaign distributes trojanized installers (e.g., Telegram) to stage payloads, disables Microsoft Defender, deploys user-writable kernel drivers (BYOVD), performs UAC bypass and DLL sideloading, and ultimately installs a persistent ValleyRat beacon. The report includes detailed TTPs, file and network IOCs, and concrete detection and hunting guidance (Sigma/Sysmon examples).
