Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Gentlemen Ransomware Exploits 21 Remote Execution Techniques
July 6, 2026
SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
July 6, 2026
Home/Threats/SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
Threats

SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign

Key Takeaways The SilverFox hacking group is deploying a new, sophisticated remote access trojan (RAT) called ValleyRAT. ValleyRAT employs an unprecedented eight-stage infection chain, significantly...

Emy Elsamnoudy
Emy Elsamnoudy
July 6, 2026 4 Min Read
3 0

Key Takeaways

  • The SilverFox hacking group is deploying a new, sophisticated remote access trojan (RAT) called ValleyRAT.
  • ValleyRAT employs an unprecedented eight-stage infection chain, significantly increasing its stealth and resilience.
  • The malware utilizes a kernel-level rootkit, an antivirus killer, and steganography to evade detection and maintain deep system control.
  • The campaign is currently active, with threat actors continuously refining their methods and targeting corporate networks for data theft, including cryptocurrency and Telegram data.

SilverFox Unleashes Advanced Multi-Stage ValleyRAT Campaign

A highly sophisticated remote access trojan (RAT), dubbed ValleyRAT, is currently being deployed by the SilverFox hacking group, exhibiting tactics and techniques previously unseen from this threat actor. This new malware strain is distinguished by its elaborate, multi-stage attack methodology, designed to achieve deep system compromise and persistent stealth.

Table Of Content

  • Key Takeaways
  • SilverFox Unleashes Advanced Multi-Stage ValleyRAT Campaign
  • The Eight-Stage Infection Chain of ValleyRAT
  • Data Theft, Persistence, and Evolving Targeting Strategies
  • What You Should Do

Unlike conventional RATs that typically involve two or three stages for system control, ValleyRAT operates through an intricate eight-stage infection process. Each stage serves to conceal the subsequent one, culminating in the deployment of a kernel-level rootkit that receives direct commands from the RAT itself. This layered approach renders ValleyRAT exceptionally challenging for security solutions to detect, analyze, and ultimately remove, explaining its prolonged operational activity without early detection.

Analysts at Gen Threat Labs first uncovered the campaign while investigating anomalous installer files that demonstrated polymorphic behavior, adapting for each victim. Gen Threat Labs said in a report shared with Cyber Security News (CSN) that their findings provide crucial insights into the advanced capabilities SilverFox has integrated into its malicious toolkit. The campaign remains active, with new samples emerging regularly, daily rotation of file paths on compromised systems, and ongoing refinements to the group’s delivery mechanisms.

The Eight-Stage Infection Chain of ValleyRAT

The ValleyRAT infection initiates via DLL sideloading, a technique where a malicious dynamic-link library is introduced alongside a legitimate, digitally signed application. Once executed, the malware immediately targets logging utilities and antivirus software, disabling them to prevent detection and forensic analysis. It then employs steganography, embedding its next payload within the pixel data of seemingly innocuous PNG images. This image-based concealment strategy is repeated at several points throughout the infection chain.

Upon escalating privileges, the malware extracts another payload from a second image. This payload is then unpacked using the Donut loader, a tool favored by attackers for executing shellcode in memory without leaving persistent traces on disk. Following this, the core ValleyRAT orchestrator takes control, launching a RAT developed in the Go programming language. This Go-based RAT establishes communication with its command and control (C2) servers using WebSocket and QUIC protocols, chosen for their ability to blend seamlessly with normal web traffic, further complicating detection efforts.

Subsequently, the RAT injects a specialized anti-antivirus tool into svchost.exe, a critical Windows process, to disable security software without raising suspicion. The final stage involves the installation of a kernel-level rootkit. This rootkit supports over 65 distinct command codes and receives instructions from the RAT via named pipes, an inter-process communication mechanism typically used by legitimate applications.

Data Theft, Persistence, and Evolving Targeting Strategies

Beyond establishing deep system access, ValleyRAT is engineered for data exfiltration. It actively monitors the clipboard for cryptocurrency wallet addresses, replacing them with attacker-controlled addresses to redirect funds from unsuspecting users – a tactic that has proven effective in previous campaigns. The malware also targets Telegram data stored on infected systems, potentially exposing private conversations and account credentials.

SilverFox maintains flexibility post-infection, capable of pushing additional plugins to victims through named pipes. This modularity allows the threat actors to customize their attack capabilities based on the perceived value of a compromised target. Persistence is a key focus for SilverFox; researchers observed thirteen distinct polymorphic samples of the malware recompiled over a twelve-day period, each subtly altered to bypass signature-based detection. Furthermore, file paths within the C:Drivers folder, where the malware resides, are rotated daily, rendering static detection rules less effective.

The delivery mechanism primarily relies on trojanized installers that exploit legitimate, signed executable files. This approach allows the malware to bypass initial defenses that inherently trust signed software. This campaign highlights a significant evolution in RAT development, moving beyond simple remote control to encompass multi-stage loaders, steganography for payload concealment, and kernel-level rootkits that directly interface with user-space malware.

What You Should Do

  • Implement Application Whitelisting: Restrict the execution of unauthorized applications to prevent malicious installers from running.
  • Monitor for Unusual Activity: Pay close attention to unexpected child processes originating from svchost.exe and any anomalous named pipe activity.
  • Verify Digital Signatures: Scrutinize installers and executable files, ensuring their digital signatures are legitimate and haven’t been tampered with.
  • Enhance Endpoint Detection & Response (EDR): Utilize advanced EDR solutions capable of detecting sophisticated multi-stage attacks and behavioral anomalies, rather than relying solely on signature-based detection.
  • Educate Users: Train employees to recognize and report suspicious emails or downloads, particularly those involving software installers from untrusted sources.
  • Regularly Update Security Software: Ensure all antivirus and anti-malware solutions are updated to their latest versions to benefit from the newest threat intelligence.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features

Next Post

Gentlemen Ransomware Exploits 21 Remote Execution Techniques

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
IBM WebSphere Flaws Let Attackers Exploit XSS, Path Traversal
July 6, 2026
FIFA World Cup Hype Used by Hackers to Steal PII and Payment Details
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us