SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
Key Takeaways The SilverFox hacking group is deploying a new, sophisticated remote access trojan (RAT) called ValleyRAT. ValleyRAT employs an unprecedented eight-stage infection chain, significantly...
Key Takeaways
- The SilverFox hacking group is deploying a new, sophisticated remote access trojan (RAT) called ValleyRAT.
- ValleyRAT employs an unprecedented eight-stage infection chain, significantly increasing its stealth and resilience.
- The malware utilizes a kernel-level rootkit, an antivirus killer, and steganography to evade detection and maintain deep system control.
- The campaign is currently active, with threat actors continuously refining their methods and targeting corporate networks for data theft, including cryptocurrency and Telegram data.
SilverFox Unleashes Advanced Multi-Stage ValleyRAT Campaign
A highly sophisticated remote access trojan (RAT), dubbed ValleyRAT, is currently being deployed by the SilverFox hacking group, exhibiting tactics and techniques previously unseen from this threat actor. This new malware strain is distinguished by its elaborate, multi-stage attack methodology, designed to achieve deep system compromise and persistent stealth.
Table Of Content
Unlike conventional RATs that typically involve two or three stages for system control, ValleyRAT operates through an intricate eight-stage infection process. Each stage serves to conceal the subsequent one, culminating in the deployment of a kernel-level rootkit that receives direct commands from the RAT itself. This layered approach renders ValleyRAT exceptionally challenging for security solutions to detect, analyze, and ultimately remove, explaining its prolonged operational activity without early detection.
Analysts at Gen Threat Labs first uncovered the campaign while investigating anomalous installer files that demonstrated polymorphic behavior, adapting for each victim. Gen Threat Labs said in a report shared with Cyber Security News (CSN) that their findings provide crucial insights into the advanced capabilities SilverFox has integrated into its malicious toolkit. The campaign remains active, with new samples emerging regularly, daily rotation of file paths on compromised systems, and ongoing refinements to the group’s delivery mechanisms.
The Eight-Stage Infection Chain of ValleyRAT
The ValleyRAT infection initiates via DLL sideloading, a technique where a malicious dynamic-link library is introduced alongside a legitimate, digitally signed application. Once executed, the malware immediately targets logging utilities and antivirus software, disabling them to prevent detection and forensic analysis. It then employs steganography, embedding its next payload within the pixel data of seemingly innocuous PNG images. This image-based concealment strategy is repeated at several points throughout the infection chain.
Upon escalating privileges, the malware extracts another payload from a second image. This payload is then unpacked using the Donut loader, a tool favored by attackers for executing shellcode in memory without leaving persistent traces on disk. Following this, the core ValleyRAT orchestrator takes control, launching a RAT developed in the Go programming language. This Go-based RAT establishes communication with its command and control (C2) servers using WebSocket and QUIC protocols, chosen for their ability to blend seamlessly with normal web traffic, further complicating detection efforts.
Subsequently, the RAT injects a specialized anti-antivirus tool into svchost.exe, a critical Windows process, to disable security software without raising suspicion. The final stage involves the installation of a kernel-level rootkit. This rootkit supports over 65 distinct command codes and receives instructions from the RAT via named pipes, an inter-process communication mechanism typically used by legitimate applications.
Data Theft, Persistence, and Evolving Targeting Strategies
Beyond establishing deep system access, ValleyRAT is engineered for data exfiltration. It actively monitors the clipboard for cryptocurrency wallet addresses, replacing them with attacker-controlled addresses to redirect funds from unsuspecting users – a tactic that has proven effective in previous campaigns. The malware also targets Telegram data stored on infected systems, potentially exposing private conversations and account credentials.
SilverFox maintains flexibility post-infection, capable of pushing additional plugins to victims through named pipes. This modularity allows the threat actors to customize their attack capabilities based on the perceived value of a compromised target. Persistence is a key focus for SilverFox; researchers observed thirteen distinct polymorphic samples of the malware recompiled over a twelve-day period, each subtly altered to bypass signature-based detection. Furthermore, file paths within the C:Drivers folder, where the malware resides, are rotated daily, rendering static detection rules less effective.
The delivery mechanism primarily relies on trojanized installers that exploit legitimate, signed executable files. This approach allows the malware to bypass initial defenses that inherently trust signed software. This campaign highlights a significant evolution in RAT development, moving beyond simple remote control to encompass multi-stage loaders, steganography for payload concealment, and kernel-level rootkits that directly interface with user-space malware.
What You Should Do
- Implement Application Whitelisting: Restrict the execution of unauthorized applications to prevent malicious installers from running.
- Monitor for Unusual Activity: Pay close attention to unexpected child processes originating from
svchost.exeand any anomalous named pipe activity. - Verify Digital Signatures: Scrutinize installers and executable files, ensuring their digital signatures are legitimate and haven’t been tampered with.
- Enhance Endpoint Detection & Response (EDR): Utilize advanced EDR solutions capable of detecting sophisticated multi-stage attacks and behavioral anomalies, rather than relying solely on signature-based detection.
- Educate Users: Train employees to recognize and report suspicious emails or downloads, particularly those involving software installers from untrusted sources.
- Regularly Update Security Software: Ensure all antivirus and anti-malware solutions are updated to their latest versions to benefit from the newest threat intelligence.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.