SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit in Live ValleyRAT Campaign
SilverFox hackers are using a live ValleyRAT campaign that combines an eight-stage infection chain, a Go-based remote access trojan, antivirus-killing tools, and a kernel-level rootkit. The campaign shows how far ValleyRAT has moved beyond a basic remote access tool.
According to Cyber Security News, researchers at Gen Threat Labs observed fresh samples, changing file paths, and active delivery through trojanized installers. The malware chain starts with DLL sideloading and ends with a rootkit that can receive commands from the RAT through named pipes.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Earlier research from Check Point Research described ValleyRAT, also known as Winos or Winos4.0, as a modular backdoor with plugins that can extend its capabilities after infection. The latest campaign builds on that modular design and adds deeper persistence.
What makes this ValleyRAT campaign different
The main difference is the number of stages and the level of control the attackers seek. Many remote access trojans focus on stealing data or opening a backdoor. This ValleyRAT chain layers loaders, steganography, privilege escalation, user-mode malware, an AV killer, and a kernel component.
The latest reporting says the campaign uses PNG steganography to hide payloads inside image data. That method helps the malware move from one stage to another while making static detection more difficult.
Security teams should treat this as more than a RAT infection. A compromised host can become a platform for surveillance, credential theft, plugin delivery, security tool disruption, and deeper system manipulation.
| Campaign element | What it does | Why it matters |
|---|---|---|
| DLL sideloading | Runs malicious code through a legitimate signed application | Helps the malware blend into trusted software activity |
| PNG steganography | Hides payloads inside image data | Reduces the chance of simple file-based detection |
| Donut loader | Loads shellcode in memory | Limits obvious payload traces on disk |
| Go RAT | Maintains command and control communication | Gives attackers remote access and control |
| Kernel rootkit | Runs at a deeper system level | Makes removal and detection harder |
SilverFox is still tied to ValleyRAT activity
SilverFox has been linked to ValleyRAT activity for some time. Morphisec Threat Labs previously described ValleyRAT as a sophisticated, multi-stage malware frequently attributed to the SilverFox APT.
ReliaQuest has also connected SilverFox activity to ValleyRAT delivery through fake software campaigns. In a separate ReliaQuest report, the company said SilverFox used fake Microsoft Teams-themed infrastructure to target Chinese-speaking users and deploy ValleyRAT.
That history matters because the current campaign fits a broader pattern. SilverFox operators and related clusters have repeatedly used trusted-looking installers, fake software pages, and layered execution chains to reach victims.
How the new infection chain works
The infection begins when a victim runs a trojanized installer. The installer abuses a legitimate signed executable and loads a malicious DLL beside it. This DLL sideloading technique lets malicious code run under the cover of trusted software.
Once active, the malware begins suppressing security visibility. It targets logging and antivirus scanning, then uses image-based payload hiding to move into the next stage.
The chain then escalates privileges and extracts another payload from a second PNG image. After that, it uses Donut to unpack shellcode in memory, preparing the ValleyRAT orchestrator and the Go-based RAT.
- Victim launches a trojanized installer.
- A legitimate signed executable sideloads a malicious DLL.
- The malware weakens logging and antivirus visibility.
- Payloads are hidden and extracted from PNG files.
- Privilege escalation prepares deeper access.
- Donut loads shellcode in memory.
- The ValleyRAT orchestrator launches the Go RAT.
- A kernel rootkit is installed for deeper control.
The Go RAT uses WebSocket and QUIC traffic
The Go-based RAT communicates with command-and-control servers using WebSocket and QUIC. Those protocols can blend with normal web traffic, which makes network detection more difficult when defenders rely only on basic allowlists or port monitoring.
The RAT also controls later components. It can inject an AV-killing tool into svchost.exe, a Windows process that often runs many legitimate services. That placement can make malicious activity look less obvious during routine process review.
The campaign also includes named pipe communication. Named pipes normally help Windows processes communicate with each other, but malware can abuse them to pass commands between user-mode components and deeper system components.
The kernel rootkit raises the cleanup challenge
The kernel rootkit is the most concerning part of the chain. Kernel-level components operate with higher privileges than normal user-mode malware, which can make them harder for standard endpoint tools to inspect or remove.
Check Point Research previously found that ValleyRATโs driver plugin contained an embedded kernel-mode rootkit, with capabilities including stealthy driver installation, user-mode shellcode injection, and forceful deletion of AV or EDR drivers.
The current campaign reportedly uses a rootkit that supports more than 65 command codes and receives instructions through named pipes. That gives attackers a flexible way to maintain control after the initial RAT stage succeeds.
| Rootkit capability area | Security impact |
|---|---|
| Kernel-level execution | Can operate below normal user-mode tools |
| Command codes | Provides flexible control for attacker actions |
| Named pipe control | Lets the RAT communicate with deeper components |
| Security tool interference | Can support AV and EDR disruption |
Data theft and persistence remain key goals
ValleyRAT is not only built for access. The campaign includes theft-focused behavior, including clipboard monitoring for cryptocurrency wallet addresses. If a victim copies a wallet address, the malware can replace it with one controlled by the attackers.
The malware also targets Telegram data stored on infected machines. This can expose private conversations, session data, and information that helps attackers understand the victim or continue the attack.
Additional plugins can be delivered after the first infection. That plugin model allows the attackers to adjust their toolkit based on the value of the victim, rather than exposing every capability at the start.
Polymorphic samples make detection harder
The campaign also uses frequent sample changes. Researchers observed multiple polymorphic builds over a short period, with file paths changing under a C:\Drivers directory. That approach can reduce the value of simple hash-based blocking.
The Malpedia ValleyRAT entry tracks several public reports tied to ValleyRAT, including fake Microsoft Teams delivery, BYOVD activity, and rootkit-related research. This shows that ValleyRAT has become a recurring malware family across several campaigns, not a one-off tool.
For defenders, behavior matters more than a single indicator. Suspicious signed installers, DLL sideloading, unusual svchost child activity, new named pipes, unexpected PNG payload access, and antivirus tampering should all carry weight.
Indicators of compromise
The currently reported indicators include a trojanized installer hash and two command-and-control domains. These indicators can help with immediate hunting, but they should not replace behavior-based detection.
| Type | Indicator | Description |
|---|---|---|
| SHA-256 hash | 520304a1cabdd9aa05c0a769c3874bc3cc2608d8e71ae607ca2bdf96b298b5de | Trojanized installer used to begin the infection chain |
| C2 domain | 3w[.]jxuw3[.]com | Reported WebSocket command-and-control endpoint |
| C2 domain | df[.]sjickdeh[.]org | Reported WebSocket command-and-control endpoint |
| Path pattern | C:\Drivers | Directory used in rotating file paths during the campaign |
| Process target | svchost.exe | Process used for AV-killer injection in the reported chain |
How organizations should detect this campaign
Security teams should start by reviewing installer activity. The campaign relies on trojanized installers and legitimate signed executables, so defenders should compare downloaded installers against known-good hashes and approved software sources.
ReliaQuest recommends stronger logging for SilverFox and ValleyRAT-style activity, including Windows command-line event logging and PowerShell Script Block Logging. The same ReliaQuest analysis also highlights the risk of fake software distribution and SEO poisoning in SilverFox operations.
Network teams should inspect WebSocket and QUIC traffic patterns where possible, especially from endpoints that recently ran unapproved installers. Endpoint teams should watch for child processes under svchost.exe, named pipe activity that does not match known applications, and sudden antivirus policy changes.
- Monitor DLL sideloading from user-writable directories.
- Alert on unsigned or unexpected DLLs loaded by signed executables.
- Review PowerShell commands that change Defender settings.
- Watch for abnormal svchost.exe injection or child process behavior.
- Detect suspicious named pipe creation and pipe traffic.
- Block known C2 domains and investigate related DNS lookups.
- Compare installers against approved vendor sources before execution.
Why this matters for global companies
SilverFox activity has often focused on Chinese-speaking users and organizations with regional exposure. However, global companies can still face risk if employees download localized software, use unofficial installers, or work in environments where fake software campaigns target local search behavior.
Morphisec Threat Labs noted that SilverFox uses multiple distribution channels, including phishing emails, malicious websites, and instant messaging platforms. That variety makes user training useful, but not enough by itself.
The broader ValleyRAT malware family has appeared in many public reports across 2025 and 2026. That continued activity suggests defenders should treat ValleyRAT as an active malware ecosystem with changing delivery methods and plugins.
Bottom line
The latest SilverFox ValleyRAT campaign shows a clear escalation in RAT operations. The malware uses an eight-stage chain, hides payloads inside PNG images, deploys a Go-based RAT, injects an AV killer, and installs a kernel rootkit for deeper control.
The most effective defense is layered visibility. Organizations should verify installers, monitor DLL sideloading, inspect suspicious WebSocket and QUIC traffic, harden endpoint controls, and hunt for named pipe activity tied to malware components.
Cyber Security News reported that the campaign was live at publication, with fresh samples still appearing. That makes rapid hunting and control validation important for teams that may face SilverFox or ValleyRAT-related activity.
FAQ
ValleyRAT is a remote access trojan also tracked as Winos or Winos4.0. It can give attackers remote control over infected systems, support plugin delivery, steal data, and maintain access inside compromised environments.
SilverFox is a threat group linked to multiple ValleyRAT campaigns, often involving fake software installers, SEO poisoning, phishing, and malware delivery targeting Chinese-speaking users and organizations with regional exposure.
The campaign is dangerous because it uses an eight-stage infection chain, payload hiding inside PNG images, a Go-based RAT, antivirus-killing behavior, and a kernel rootkit that can receive commands from the RAT through named pipes.
Reported indicators include the SHA-256 hash 520304a1cabdd9aa05c0a769c3874bc3cc2608d8e71ae607ca2bdf96b298b5de and the command-and-control domains 3w[.]jxuw3[.]com and df[.]sjickdeh[.]org.
Organizations can detect SilverFox ValleyRAT activity by monitoring DLL sideloading, suspicious signed installers, abnormal svchost.exe behavior, named pipe activity, WebSocket or QUIC command-and-control traffic, Defender tampering, and unexpected access to Telegram or clipboard data.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages