The SilverFox advanced persistent threat (APT) group has significantly enhanced its ValleyRAT malware by transforming it from a traditional remote access trojan into a sophisticated eight-stage attack chain that ends with the deployment of a kernel-mode rootkit. The campaign begins with DLL sideloading using trojanized software installers that exploit legitimate signed executables to launch malicious payloads. It employs multiple defense evasion techniques, including ETW and AMSI bypasses, PNG steganography to conceal shellcode within image files, and in-memory execution using Donut shellcode. ValleyRAT acts as the central orchestrator, maintaining encrypted command-and-control communications over WebSocket and QUIC protocols while coordinating the execution of additional payloads. The attackers developed this multi-stage framework to achieve long-term persistence, evade detection, and gain deep control over compromised systems. The final-stage kernel-mode rootkit provides low-level access to the operating system, enabling process manipulation, memory interception, and malicious driver loading. Additional modules terminate antivirus services, hijack cryptocurrency wallet addresses, and steal Telegram credentials. SilverFox also uses anti-analysis techniques, including VMware detection, geofencing, polymorphic malware samples, and plugin delivery through named pipes, making the campaign difficult for both network and endpoint security solutions to detect. Organizations should strengthen defenses by monitoring for suspicious MSI installations that launch PowerShell through VBScript, unusual process names, unauthorized kernel driver loads, and abnormal named pipe activity. Security teams should inspect WebSocket and QUIC traffic for anomalies, enforce strict kernel driver signing policies, and maintain up-to-date endpoint detection and response solutions. Prompt patch management, user awareness training against fake software installers, and continuous threat hunting can help reduce the risk posed by this advanced SilverFox campaign.
Progress Software has issued an urgent security advisory instructing customers using ShareFile Storage Zone Controllers on Windows servers to immediately shut down their systems fo...
A China-linked cybercrime group known as Silver Fox has been linked to a newly discovered Rust-based remote access trojan (RAT) called MODBEACON, according to Chinese cybersecurity...
Zimbra has warned customers to immediately patch a critical security vulnerability affecting its Classic Web Client. The flaw is a stored cross-site scripting (XSS) vulnerability t...