logo

SilverFox Campaign Turns ValleyRAT Into Multi-Stage Malware With Rootkit Capabilities

ID: 875f3538-b3ab-5240-9bd1-452470db4b88

STIX ID: report--875f3538-b3ab-5240-9bd1-452470db4b88

Feed Name: GBHackers

Threat Score
90/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Mayura Kathir

...
...

SilverFox, a Chinese-affiliated APT, has upgraded the ValleyRAT toolset into an eight-stage infection chain that ends with a sophisticated kernel-mode rootkit. The campaign uses signed binary DLL sideloading, ETW/AMSI bypasses, PNG steganography to hide shellcode, reflective in-memory loaders (Donut), and C2 over WebSocket and QUIC; it includes AV-killer modules, named-pipe plugin delivery, polymorphic sample rotation, and data-stealing modules (crypto clipboard hijack, Telegram credential theft), with observed targeting across India, Russia and APAC.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.