cognitive cybersecurity intelligence

News and Analysis

Search

SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit in Live ValleyRAT Campaign

SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit in Live ValleyRAT Campaign

A new strain of remote access malware is quietly moving through corporate networks, and it does not behave like anything defenders have seen from this threat group before.

The malware, tracked as ValleyRAT, is deployed by a hacking group known as SilverFox, and it stands out for one reason: it refuses to stop at just one payload.

Most remote access trojans rely on two or three stages to reach full control of a machine. ValleyRAT runs through eight. Each stage hides the next, and the final one drops a kernel level rootkit that takes direct orders from the RAT itself.

That layering is not just for show. It makes ValleyRAT far harder to detect, analyze, and remove than a typical infostealer or backdoor, which explains why this campaign has stayed active without drawing early attention.

Analysts at Gen Threat Labs identified the campaign while tracking unusual installer files that kept modifying themselves for each new victim.

Gen Threat Labs said in a report shared with Cyber Security News (CSN) that their findings offer one of the clearest looks yet at how far SilverFox has pushed its tooling.

The campaign is still live at the time of writing. Fresh samples keep appearing, file paths on infected machines rotate daily, and the group appears to be actively refining its delivery methods.

SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit

The infection begins with DLL sideloading, where a malicious file is smuggled in alongside a legitimate, signed application.

Once running, the malware disables logging tools and antivirus scanning before hiding its next payload inside the pixel data of ordinary looking PNG images.

That image based hiding technique, known as steganography, repeats at multiple points in the chain.

After gaining higher privileges, the malware pulls another payload from a second image, then unpacks shellcode using a loader called Donut, popular for running code without leaving obvious traces on disk.

Most RATs have 2, maybe 3 stages. SilverFox's #ValleyRAT runs eight — and the last one is a kernel rootkit that takes orders from the RAT over named pipes. Campaign is live right now.

Kill chain in full: DLL sideload → ETW/AMSI bypass + PNG stego (payload hidden in pixel…— Gen Threat Labs (@GenThreatLabs) July 1, 2026

The ValleyRAT orchestrator then takes over and launches a RAT written in the Go programming language.

This component talks to its command and control servers over WebSocket and QUIC connections, chosen because they blend easily into normal web traffic.

The RAT injects a tool built to disable antivirus software into svchost, a core Windows process that rarely draws suspicion.

Finally, a kernel rootkit is installed, supporting more than 65 command codes and taking instructions from the RAT through named pipes, a channel normally used for program to program communication.

Data Theft, Persistence, and Victim Targeting

Beyond gaining access, ValleyRAT is built to steal. It monitors the clipboard for cryptocurrency wallet addresses and swaps them with ones controlled by the attackers, a trick that has quietly drained funds from unsuspecting users in past campaigns.

The malware also targets Telegram data stored on infected machines, giving attackers access to private conversations and account details.

Additional plugins can be pushed to victims after infection, again delivered through named pipes, letting SilverFox tailor its toolkit to whatever a target is worth.

Persistence is treated just as seriously as theft. Researchers observed thirteen distinct polymorphic samples recompiled over a twelve day window, each slightly different to dodge signature based detection.

File paths rotate daily under a folder labeled C:\Drivers, a small detail that makes static detection rules less reliable.

Delivery relies on trojanized installers that abuse otherwise legitimate, signed executable files, helping the malware slip past users and tools that trust signed software by default.

Organizations are encouraged to watch for unusual named pipe activity, unexpected child processes under svchost, and installers that do not match known good signatures.

The case is a reminder that RAT development has moved well past simple remote control tools. Defenders now have to account for multi stage loaders, image based payload hiding, and rootkits that answer directly to malware running in user space.

Indicators of Compromise (IoCs):-

TypeIndicatorDescriptionSHA-256 Hash520304a1cabdd9aa05c0a769c3874bc3cc2608d8e71ae607ca2bdf96b298b5deTrojanized installer used to initiate the infection chain Domain (C2)3w[.]jxuw3[.]comWebSocket command and control endpoint Domain (C2)df[.]sjickdeh[.]orgWebSocket command and control endpoint 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit in Live ValleyRAT Campaign appeared first on Cyber Security News.

Source: cybersecuritynews.com –

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts