SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit in ValleyRAT Campaign

Related

Gaslight macOS Malware Uses Prompt Injection to Evade AI Security Analysis

What happened Moonlock researchers reported a new Rust-based macOS malware...

NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off

What happened A joint operation involving Google, the FBI, Lumen...

JadePuffer Ransomware Used AI Agent to Automate Entire Attack

What happened Researchers from Sysdig identified what they believe is...

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

What happened A newly discovered cyberattack campaign is delivering a...

New macOS Malware Uses Fake Errors to Confuse AI Analysis Tools

What happened A newly discovered macOS malware family named Gaslight...

Share

What happened

Gen Threat Labs identified an active SilverFox campaign deploying ValleyRAT through a complex multi-stage infection chain. The malware begins with DLL side-loading, where a malicious file is placed alongside a legitimate signed application. Once running, the chain disables logging tools and antivirus scanning, then hides additional payloads inside ordinary-looking PNG images using steganography.

The infection chain reportedly runs through eight stages. After privilege escalation, the malware pulls another payload from a second image and uses the Donut loader to unpack shellcode without leaving obvious traces on disk. The ValleyRAT orchestrator then launches a Go-based RAT that communicates with command-and-control servers over WebSocket and QUIC connections, helping the traffic blend with normal web activity.

The RAT also injects an antivirus-killer tool into svchost, a core Windows process that may appear legitimate in isolation. The final stage installs a kernel-level rootkit that supports more than 65 command codes and receives instructions from the RAT through named pipes. Researchers said the campaign remains live, with fresh samples appearing, daily path changes on infected machines, and continued refinement of delivery methods.

Beyond remote control, ValleyRAT is built for theft and persistence. It can monitor the clipboard for cryptocurrency wallet addresses and replace them with attacker-controlled addresses, target Telegram data stored on infected machines, and receive additional plugins after compromise. Researchers observed 13 polymorphic samples recompiled over 12 days, with file paths rotating under a C:\Drivers folder to weaken static detection.

Who is affected

Windows users and corporate environments are directly affected if they execute trojanized installers used in the SilverFox campaign.

Organizations are especially exposed if users are allowed to run unfamiliar installers, trust signed executables without additional validation, or lack controls around DLL side-loading and post-exploitation behavior.

Cryptocurrency users and organizations using Telegram on workstations may face added risk because the malware can manipulate wallet addresses and collect Telegram-related data.

Why CISOs should care

This campaign shows how modern RAT operations have moved beyond simple remote access. ValleyRAT combines DLL side-loading, steganography, antivirus tampering, shellcode loading, Go-based command-and-control, named-pipe plugin delivery, and a kernel rootkit in one live campaign.

For CISOs, the kernel rootkit is the most serious escalation point. Once malware reaches the kernel level, detection, containment, and cleanup become more difficult, and reimaging may be safer than attempting manual removal.

The use of svchost injection and signed application abuse also complicates security monitoring. Each step can look legitimate unless defenders correlate the full chain of unusual process behavior, file paths, named pipes, and outbound traffic.

The polymorphic rebuild pattern matters as well. Frequent recompilation and daily file path changes mean static indicators alone will age quickly, so behavior-based detection is essential.

3 practical actions

  1. Monitor for DLL side-loading and suspicious installer behavior: The campaign begins with trojanized installers abusing legitimate signed executables. Security teams should validate installer sources, inspect unusual DLL loads, and alert on signed binaries launching unexpected child processes.
  2. Hunt for ValleyRAT post-exploitation patterns: Defenders should review unusual named pipe activity, unexpected child processes under svchost, WebSocket or QUIC connections to unfamiliar infrastructure, and file paths rotating under C:\Drivers.
  3. Treat rootkit infection as a high-severity endpoint event: ValleyRAT installs a kernel rootkit and disables security tooling. CISOs should isolate affected machines quickly, preserve forensic evidence, rotate exposed credentials, and consider full reimaging for confirmed infections.

More cybersecurity news:

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.