SilverFox Campaign Turns ValleyRAT Into Multi-Stage Malware With Rootkit Capabilities
ID: 875f3538-b3ab-5240-9bd1-452470db4b88
STIX ID: report--875f3538-b3ab-5240-9bd1-452470db4b88
Feed Name: GBHackers
SilverFox, a Chinese-affiliated APT, has upgraded the ValleyRAT toolset into an eight-stage infection chain that ends with a sophisticated kernel-mode rootkit. The campaign uses signed binary DLL sideloading, ETW/AMSI bypasses, PNG steganography to hide shellcode, reflective in-memory loaders (Donut), and C2 over WebSocket and QUIC; it includes AV-killer modules, named-pipe plugin delivery, polymorphic sample rotation, and data-stealing modules (crypto clipboard hijack, Telegram credential theft), with observed targeting across India, Russia and APAC.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
