SilverFox ValleyRAT Campaign Uses Eight-Stage Chain to Deploy Kernel Rootkit
ID: 545cb92b-6dd7-5a67-b6c4-9f8206858d45
STIX ID: report--545cb92b-6dd7-5a67-b6c4-9f8206858d45
Feed Name: Cyber Press
### Executive summary Security researchers report an active SilverFox campaign deploying a highly sophisticated ValleyRAT variant via trojanized signed installers and an eight-stage kill chain that includes DLL sideloading, steganographic payload delivery, privilege escalation, fileless Donut shellcode execution, and installation of a kernel-level rootkit. The malware provides persistent, evasive capabilities (disabling telemetry/AMSI, rapid polymorphism, daily file-path rotation), supports plugin delivery over named pipes, and targets cryptocurrency clipboard data and Telegram credentials, making detection, hunting, and remediation especially difficult.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
