SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit in Live ValleyRAT Campaign


SilverFox hackers are using a live ValleyRAT campaign that combines an eight-stage infection chain, a Go-based remote access trojan, antivirus-killing tools, and a kernel-level rootkit. The campaign shows how far ValleyRAT has moved beyond a basic remote access tool.

According to Cyber Security News, researchers at Gen Threat Labs observed fresh samples, changing file paths, and active delivery through trojanized installers. The malware chain starts with DLL sideloading and ends with a rootkit that can receive commands from the RAT through named pipes.

Earlier research from Check Point Research described ValleyRAT, also known as Winos or Winos4.0, as a modular backdoor with plugins that can extend its capabilities after infection. The latest campaign builds on that modular design and adds deeper persistence.

What makes this ValleyRAT campaign different

The main difference is the number of stages and the level of control the attackers seek. Many remote access trojans focus on stealing data or opening a backdoor. This ValleyRAT chain layers loaders, steganography, privilege escalation, user-mode malware, an AV killer, and a kernel component.

The latest reporting says the campaign uses PNG steganography to hide payloads inside image data. That method helps the malware move from one stage to another while making static detection more difficult.

Security teams should treat this as more than a RAT infection. A compromised host can become a platform for surveillance, credential theft, plugin delivery, security tool disruption, and deeper system manipulation.

Campaign elementWhat it doesWhy it matters
DLL sideloadingRuns malicious code through a legitimate signed applicationHelps the malware blend into trusted software activity
PNG steganographyHides payloads inside image dataReduces the chance of simple file-based detection
Donut loaderLoads shellcode in memoryLimits obvious payload traces on disk
Go RATMaintains command and control communicationGives attackers remote access and control
Kernel rootkitRuns at a deeper system levelMakes removal and detection harder

SilverFox is still tied to ValleyRAT activity

SilverFox has been linked to ValleyRAT activity for some time. Morphisec Threat Labs previously described ValleyRAT as a sophisticated, multi-stage malware frequently attributed to the SilverFox APT.

ReliaQuest has also connected SilverFox activity to ValleyRAT delivery through fake software campaigns. In a separate ReliaQuest report, the company said SilverFox used fake Microsoft Teams-themed infrastructure to target Chinese-speaking users and deploy ValleyRAT.

That history matters because the current campaign fits a broader pattern. SilverFox operators and related clusters have repeatedly used trusted-looking installers, fake software pages, and layered execution chains to reach victims.

How the new infection chain works

The infection begins when a victim runs a trojanized installer. The installer abuses a legitimate signed executable and loads a malicious DLL beside it. This DLL sideloading technique lets malicious code run under the cover of trusted software.

Once active, the malware begins suppressing security visibility. It targets logging and antivirus scanning, then uses image-based payload hiding to move into the next stage.

The chain then escalates privileges and extracts another payload from a second PNG image. After that, it uses Donut to unpack shellcode in memory, preparing the ValleyRAT orchestrator and the Go-based RAT.

  1. Victim launches a trojanized installer.
  2. A legitimate signed executable sideloads a malicious DLL.
  3. The malware weakens logging and antivirus visibility.
  4. Payloads are hidden and extracted from PNG files.
  5. Privilege escalation prepares deeper access.
  6. Donut loads shellcode in memory.
  7. The ValleyRAT orchestrator launches the Go RAT.
  8. A kernel rootkit is installed for deeper control.

The Go RAT uses WebSocket and QUIC traffic

The Go-based RAT communicates with command-and-control servers using WebSocket and QUIC. Those protocols can blend with normal web traffic, which makes network detection more difficult when defenders rely only on basic allowlists or port monitoring.

The RAT also controls later components. It can inject an AV-killing tool into svchost.exe, a Windows process that often runs many legitimate services. That placement can make malicious activity look less obvious during routine process review.

The campaign also includes named pipe communication. Named pipes normally help Windows processes communicate with each other, but malware can abuse them to pass commands between user-mode components and deeper system components.

The kernel rootkit raises the cleanup challenge

The kernel rootkit is the most concerning part of the chain. Kernel-level components operate with higher privileges than normal user-mode malware, which can make them harder for standard endpoint tools to inspect or remove.

Check Point Research previously found that ValleyRATโ€™s driver plugin contained an embedded kernel-mode rootkit, with capabilities including stealthy driver installation, user-mode shellcode injection, and forceful deletion of AV or EDR drivers.

The current campaign reportedly uses a rootkit that supports more than 65 command codes and receives instructions through named pipes. That gives attackers a flexible way to maintain control after the initial RAT stage succeeds.

Rootkit capability areaSecurity impact
Kernel-level executionCan operate below normal user-mode tools
Command codesProvides flexible control for attacker actions
Named pipe controlLets the RAT communicate with deeper components
Security tool interferenceCan support AV and EDR disruption

Data theft and persistence remain key goals

ValleyRAT is not only built for access. The campaign includes theft-focused behavior, including clipboard monitoring for cryptocurrency wallet addresses. If a victim copies a wallet address, the malware can replace it with one controlled by the attackers.

The malware also targets Telegram data stored on infected machines. This can expose private conversations, session data, and information that helps attackers understand the victim or continue the attack.

Additional plugins can be delivered after the first infection. That plugin model allows the attackers to adjust their toolkit based on the value of the victim, rather than exposing every capability at the start.

Polymorphic samples make detection harder

The campaign also uses frequent sample changes. Researchers observed multiple polymorphic builds over a short period, with file paths changing under a C:\Drivers directory. That approach can reduce the value of simple hash-based blocking.

The Malpedia ValleyRAT entry tracks several public reports tied to ValleyRAT, including fake Microsoft Teams delivery, BYOVD activity, and rootkit-related research. This shows that ValleyRAT has become a recurring malware family across several campaigns, not a one-off tool.

For defenders, behavior matters more than a single indicator. Suspicious signed installers, DLL sideloading, unusual svchost child activity, new named pipes, unexpected PNG payload access, and antivirus tampering should all carry weight.

Indicators of compromise

The currently reported indicators include a trojanized installer hash and two command-and-control domains. These indicators can help with immediate hunting, but they should not replace behavior-based detection.

TypeIndicatorDescription
SHA-256 hash520304a1cabdd9aa05c0a769c3874bc3cc2608d8e71ae607ca2bdf96b298b5deTrojanized installer used to begin the infection chain
C2 domain3w[.]jxuw3[.]comReported WebSocket command-and-control endpoint
C2 domaindf[.]sjickdeh[.]orgReported WebSocket command-and-control endpoint
Path patternC:\DriversDirectory used in rotating file paths during the campaign
Process targetsvchost.exeProcess used for AV-killer injection in the reported chain

How organizations should detect this campaign

Security teams should start by reviewing installer activity. The campaign relies on trojanized installers and legitimate signed executables, so defenders should compare downloaded installers against known-good hashes and approved software sources.

ReliaQuest recommends stronger logging for SilverFox and ValleyRAT-style activity, including Windows command-line event logging and PowerShell Script Block Logging. The same ReliaQuest analysis also highlights the risk of fake software distribution and SEO poisoning in SilverFox operations.

Network teams should inspect WebSocket and QUIC traffic patterns where possible, especially from endpoints that recently ran unapproved installers. Endpoint teams should watch for child processes under svchost.exe, named pipe activity that does not match known applications, and sudden antivirus policy changes.

  • Monitor DLL sideloading from user-writable directories.
  • Alert on unsigned or unexpected DLLs loaded by signed executables.
  • Review PowerShell commands that change Defender settings.
  • Watch for abnormal svchost.exe injection or child process behavior.
  • Detect suspicious named pipe creation and pipe traffic.
  • Block known C2 domains and investigate related DNS lookups.
  • Compare installers against approved vendor sources before execution.

Why this matters for global companies

SilverFox activity has often focused on Chinese-speaking users and organizations with regional exposure. However, global companies can still face risk if employees download localized software, use unofficial installers, or work in environments where fake software campaigns target local search behavior.

Morphisec Threat Labs noted that SilverFox uses multiple distribution channels, including phishing emails, malicious websites, and instant messaging platforms. That variety makes user training useful, but not enough by itself.

The broader ValleyRAT malware family has appeared in many public reports across 2025 and 2026. That continued activity suggests defenders should treat ValleyRAT as an active malware ecosystem with changing delivery methods and plugins.

Bottom line

The latest SilverFox ValleyRAT campaign shows a clear escalation in RAT operations. The malware uses an eight-stage chain, hides payloads inside PNG images, deploys a Go-based RAT, injects an AV killer, and installs a kernel rootkit for deeper control.

The most effective defense is layered visibility. Organizations should verify installers, monitor DLL sideloading, inspect suspicious WebSocket and QUIC traffic, harden endpoint controls, and hunt for named pipe activity tied to malware components.

Cyber Security News reported that the campaign was live at publication, with fresh samples still appearing. That makes rapid hunting and control validation important for teams that may face SilverFox or ValleyRAT-related activity.

FAQ

What is ValleyRAT?

ValleyRAT is a remote access trojan also tracked as Winos or Winos4.0. It can give attackers remote control over infected systems, support plugin delivery, steal data, and maintain access inside compromised environments.

Who are the SilverFox hackers?

SilverFox is a threat group linked to multiple ValleyRAT campaigns, often involving fake software installers, SEO poisoning, phishing, and malware delivery targeting Chinese-speaking users and organizations with regional exposure.

Why is the new ValleyRAT campaign dangerous?

The campaign is dangerous because it uses an eight-stage infection chain, payload hiding inside PNG images, a Go-based RAT, antivirus-killing behavior, and a kernel rootkit that can receive commands from the RAT through named pipes.

What indicators are linked to this ValleyRAT campaign?

Reported indicators include the SHA-256 hash 520304a1cabdd9aa05c0a769c3874bc3cc2608d8e71ae607ca2bdf96b298b5de and the command-and-control domains 3w[.]jxuw3[.]com and df[.]sjickdeh[.]org.

How can organizations detect SilverFox ValleyRAT activity?

Organizations can detect SilverFox ValleyRAT activity by monitoring DLL sideloading, suspicious signed installers, abnormal svchost.exe behavior, named pipe activity, WebSocket or QUIC command-and-control traffic, Defender tampering, and unexpected access to Telegram or clipboard data.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages