Share This:

Cybersecurity Threat AdvisorySilverFox threat actors are actively running a ValleyRAT campaign to bypass security controls, escalate privileges, and maintain deep system access while avoiding detection. Organizations should treat this as a high-priority threat. Continue reading this Cybersecurity Threat Advisory to protect against this threat.

What is the threat?

This threat is an active, multi-stage malware campaign operated by the SilverFox threat group that equipped ValleyRAT with additional components to gain full, stealthy control of Windows systems. The attackers use a Go-based RAT (Go RAT) for remote command and control, an antivirus disabler (AV killer) module to detect and disable security tools, and a kernel-mode rootkit to hide processes, files, and network activity while maintaining long-term persistence. Together, these components allow SilverFox to bypass endpoint defenses, escalate privileges, and carry out actions on compromised hosts, including credential theft, data exfiltration, and lateral movement, while remaining difficult for traditional security solutions to detect or remove.

Why is it noteworthy?

This campaign is noteworthy because it transforms a known RAT, ValleyRAT, into a sophisticated eight-stage intrusion framework that is typically associated with advanced, well-resourced threat actors. The addition of a kernel rootkit controlled by the RAT significantly increases stealth, persistence, and overall impact, making infections much harder to detect, investigate, and remediate. Because the campaign is active and equipped with extensive defense-evasion capabilities, organizations relying solely on traditional endpoint or signature-based controls face a greater risk of long-term compromise.

What is the exposure or risk?

This campaign poses a significant risk of stealthy, long-term compromise for organizations with internet-facing or poorly monitored Windows systems. The combination of a Go RAT, AV killer, and kernel rootkit enables SilverFox to bypass or disable endpoint protection, gain SYSTEM-level access, and conceal malicious activity from standard monitoring tools. Potential impacts include credential theft, data exfiltration, deployment of additional payloads (including ransomware), and lateral movement across the network. Because the rootkit operates in kernel mode, remediation is more complex, and traditional detection and cleanup methods may be ineffective without full system reimaging and a thorough incident response process.

What are the recommendations?

Barracuda strongly recommends organizations take the following steps to reduce risk and strengthen security:

  • Ensure Windows and all security tools are fully patched and up to date.
  • Prohibit downloading or installing software from untrusted or unknown sources.
  • Monitor for DLL sideloading activity and suspicious MSI-based installations.
  • Detect and block, or closely investigate, unusual WebSocket and QUIC traffic.
  • Enforce strict kernel driver signing requirements and application control policies.
  • Deploy EDR and AV solutions with strong behavioral and anomaly-based detection.
  • Monitor named pipe activity and unusual process execution chains for anomalies.
  • Conduct regular threat-hunting activities and ongoing user awareness training.

References

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Share This:
Mona Gujral

Posted by Mona Gujral

Mona is a Cybersecurity Analyst at Barracuda. She's a security expert, working on our Blue Team within our Security Operations Center. Mona supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.

Leave a reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.