What happened
Security researchers discovered a new malware loader called Foxveil that uses legitimate cloud platforms such as Cloudflare Pages, Netlify, and Discord to retrieve and execute malicious payloads while blending into normal network traffic. Active since August 2025, Foxveil operates in multiple variants that download shellcode from attacker-controlled staging infrastructure and execute it using techniques such as Early Bird APC injection or self-injection into running processes. The malware establishes persistence by registering Windows services or dropping executables into system directories like SysWOW64 using filenames mimicking legitimate processes, and includes runtime string mutation to evade detection by security tools.
Who is affected
Organizations and users running Microsoft Windows systems are affected if Foxveil is executed, as the malware establishes persistent access and downloads additional payloads from attacker-controlled infrastructure.
Why CISOs should care
Foxveil demonstrates how attackers increasingly abuse trusted cloud infrastructure to evade traditional detection methods, enabling persistent access and payload delivery within enterprise environments.
3 practical actions
- Monitor for suspicious staged downloads. Detect unusual downloads from Cloudflare Pages, Netlify, and Discord infrastructure.
- Audit Windows persistence mechanisms. Review system directories and services for unauthorized executables mimicking legitimate processes.
- Deploy behavior-based detection controls. Identify shellcode injection and anomalous process execution activity.
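The three actions above map onto a small set of triage rules a defender can run over endpoint telemetry. The following Python script is an added example, not code from the original brief or from any Foxveil analysis: it checks (1) non-browser processes fetching from the cloud hosting platforms named above, (2) new services whose binary sits in a user-writable directory or is named after a Windows process but lives outside System32/SysWOW64, and (3) executables written into those system directories under lookalike names or by untrusted writers. The hosting suffixes, browser and servicing-process names, and every sample event are constructed assumptions to be tuned to your own logs.

```python
"""Offline triage rules for the loader behaviours described above.

Added example, not part of the original brief. Every event below is
constructed; the cloud hosting suffixes, process names and directories
are assumptions a defender would tune to their own telemetry.
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: hostnames these platforms serve user-published content from.
STAGING_SUFFIXES = (".pages.dev", ".netlify.app", "cdn.discordapp.com")
# Assumption: processes that legitimately fetch from such sites.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Windows binaries whose names are commonly imitated (illustrative subset).
KNOWN_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "spoolsv.exe",
               "wininit.exe", "services.exe", "explorer.exe", "conhost.exe"}
# Assumption: servicing processes expected to write into system directories.
TRUSTED_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}


@dataclass
class Finding:
    rule: str
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike filenames such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the legitimate name this file imitates (distance 1-2), else None.

    Exact legitimate names are never reported here, so lsass.exe is not
    flagged as a lookalike of csrss.exe."""
    name = name.lower()
    if name in KNOWN_NAMES:
        return None
    for known in KNOWN_NAMES:
        if levenshtein(name, known) <= 2:
            return known
    return None


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def check_network(ev: dict) -> list:
    """Action 1: non-browser process fetching from cloud staging hosts."""
    dest, proc = ev["dest"].lower(), ev["process"].lower()
    if dest.endswith(STAGING_SUFFIXES) and proc not in BROWSERS:
        return [Finding("staged-download", f"{proc} -> {dest}")]
    return []


def check_service(ev: dict) -> list:
    """Action 2: service binary in a user-writable path, or a system name in the wrong place."""
    image = ev["image"].lower()
    name = basename(image)
    out = []
    if any(d in image for d in USER_WRITABLE):
        out.append(Finding("service-userwritable-path", f"{ev['name']}: {image}"))
    elif name in KNOWN_NAMES and not image.startswith(SYSTEM_DIRS):
        out.append(Finding("service-masquerade-path", f"{ev['name']}: {image}"))
    mimic = lookalike(name)
    if mimic:
        out.append(Finding("service-lookalike-name", f"{name} imitates {mimic}"))
    return out


def check_file_drop(ev: dict) -> list:
    """Actions 2/3: executables written into System32/SysWOW64 by untrusted writers."""
    path, writer = ev["path"].lower(), ev["process"].lower()
    if not path.startswith(SYSTEM_DIRS) or not path.endswith(".exe"):
        return []
    name = basename(path)
    mimic = lookalike(name)
    if mimic:
        return [Finding("sysdir-lookalike-drop", f"{path} imitates {mimic} (by {writer})")]
    if name in KNOWN_NAMES and writer not in TRUSTED_WRITERS:
        return [Finding("sysdir-untrusted-write", f"{writer} wrote {path}")]
    return []


CHECKS = {"network": check_network, "service": check_service, "file": check_file_drop}


def triage(events: list) -> list:
    """Run every event through the rule matching its type; return all findings."""
    findings = []
    for ev in events:
        findings.extend(CHECKS[ev["type"]](ev))
    return findings


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"type": "network", "process": "chrome.exe", "dest": "docs.example.pages.dev"},
    {"type": "network", "process": "rundll32.exe", "dest": "update-cdn.pages.dev"},
    {"type": "network", "process": "wscript.exe", "dest": "cdn.discordapp.com"},
    {"type": "service", "name": "WinUpdateSvc", "image": "C:\\ProgramData\\svchost.exe"},
    {"type": "service", "name": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"type": "file", "process": "powershell.exe", "path": "C:\\Windows\\SysWOW64\\svch0st.exe"},
    {"type": "file", "process": "TiWorker.exe", "path": "C:\\Windows\\SysWOW64\\svchost.exe"},
    {"type": "file", "process": "powershell.exe", "path": "C:\\Windows\\SysWOW64\\conhost.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run as-is, the script reports the five constructed suspicious events and stays silent on the browser download, the genuine Spooler service and the 32-bit svchost.exe written by the servicing process. In practice the event dicts would be built from Sysmon, EDR or proxy logs, and the allowlists widened to cover the browsers, package managers and installers legitimately present in your environment; the edit-distance threshold of 2 catches homoglyph and single-character swaps while leaving exact legitimate names to the writer-based rule.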
