Mallory

SilverFox Expands ValleyRAT and Gh0stRAT Campaigns Against Chinese-Speaking Targets

Tags: remote-access-implant, threat-infrastructure-tracking, phishing-campaign-intelligence, credential-stealer-activity, defense-evasion-method

Updated April 25, 2026 at 03:01 AM (8 sources)

Get Ahead of Threats Like This

Know if you're exposed. Before adversaries strike.

Breakglass Intelligence linked multiple March and April malware waves to the SilverFox threat actor, describing a broad Chinese-language campaign built around ValleyRAT on the Winos4.0 framework and supported by Gh0stRAT and RustyStealer. The operation used emotionally charged lures tied to layoffs, disciplinary notices, scam-compound violence, banking fraud, censorship-bypass tools, fake utilities, and business apps, with delivery through WinRAR self-extracting archives, MSI and ZIP packages, DLL sideloading, process hollowing, and staged downloads. One ValleyRAT chain disguised itself as a WeChat-related document, extracted files into C:\WeChat\, launched a legitimate WeChat binary as a decoy, and then decrypted and injected the payload while applying Chinese-locale geofencing, anti-VM, and anti-debug checks. Researchers said the malware families provided complementary functions including remote access, keylogging, screenshot capture, clipboard hijacking, credential theft, and persistence, and that targeting extended from mainland Chinese users to diaspora communities, Taiwanese organizations, and some healthcare entities in North America.

The infrastructure behind the campaign scaled rapidly, with reporting tying the activity to 22 to 75 command-and-control endpoints and more than 17 domains across Alibaba Cloud, Tencent Cloud, AWS Hong Kong, Vultr, Azure, Huawei Cloud, and other providers, with Hong Kong serving as a major hub. Analysts connected the clusters through shared protocol behavior, mutexes, ValleyRAT DLL exports, recurring registrar patterns, use of the codemark builder variant, and repeated OPSEC failures including exposed RDP services, self-signed certificates, Python SimpleHTTP payload hosting, a Windows host identified as TEDDY2012, and domain registration details that appeared to expose operator identity. Separate reporting also described a related Gh0stRAT/Farfli "WisemanSupport" campaign using TCP/6658 and hardcoded infrastructure, reinforcing the continued use of Chinese-nexus RAT tooling and overlapping tradecraft in active intrusion operations.

Timeline

  1. Apr 5, 2026

    Active Istanbul victim observed during MaQ RAT investigation

    During analysis of the MaQ RAT campaign, researchers identified a live victim in Istanbul, Turkey, running Windows 11 and actively beaconing. Breakglass also published YARA rules, Suricata signatures, STIX data, and indicators of compromise for the campaign.

  2. Apr 5, 2026

    WinRAR zero-day campaign delivered MaQ RAT to Turkish target

    By 2026-04-05, researchers documented a malicious archive named "fiyat teklifi.rar" exploiting CVE-2025-8088 in WinRAR to place malware in the Windows Startup folder via NTFS alternate data streams. The chain downloaded a PyInstaller-packed Python malware dubbed MaQ RAT from a live Google Cloud server and used a Telegram bot named @Roberta3358_bot plus FTP for command-and-control and exfiltration.

  3. Apr 1, 2026

    Phone farm domain linked to SilverFox malware infrastructure

    In the April 2026 expansion, researchers found that ios163[.]com resolved to a server hosting both malware infrastructure and a Chinese-language phone farm control platform. This overlap suggested operational blending between a commercial-looking service and malicious infrastructure.

  4. Apr 1, 2026

    SilverFox expanded campaign to 30+ samples across three malware families

    By 2026-04-01, Breakglass reported that SilverFox had expanded its operation over the prior 10 days to more than 30 samples spanning ValleyRAT, Gh0stRAT, and RustyStealer. The campaign used Chinese-language lures themed around layoffs, scam compounds, Telegram, and AI tools, and relied on 75 command-and-control endpoints across 17 domains.

  5. Mar 14, 2026

    WisemanSupport Gh0stRAT/Farfli sample submitted and analyzed

    A Gh0stRAT variant tracked as Farfli or Venik was submitted to VirusTotal on 2026-03-14. The packed sample used a multi-stage dropper chain, established persistence via HKCU Run keys, and communicated over TCP/6658 with infrastructure tied to wisemansupport.com and api.wisemansupport.com.

  6. Mar 14, 2026

    Five March samples linked into one broader SilverFox campaign

    Samples submitted between 2026-03-11 and 2026-03-14 were assessed as part of a single Chinese-language SilverFox campaign delivering ValleyRAT built on the Winos4.0 framework. Researchers identified more than 20 binaries, at least four active command-and-control endpoints, multiple lure themes, and repeated OPSEC failures including exposed management services and registrant clues.

  7. Mar 13, 2026

    WeChat-themed ValleyRAT dropper campaign observed active

    On 2026-03-13, Breakglass reported an active ValleyRAT v3 campaign using a modified WinRAR self-extracting archive disguised as a Chinese-language document. The malware extracted files into C:\WeChat\, launched a legitimate WeChat binary as a decoy, and used Chinese-locale geofencing, anti-VM checks, and encrypted payload delivery.

  8. Mar 12, 2026

    Researchers tied March ValleyRAT infrastructure to SilverFox cluster

    By 2026-03-12, analysis linked the ValleyRAT/Winos4.0 activity to the SilverFox cluster with high confidence based on Chinese-language artifacts, registrar patterns, and infrastructure overlaps. Investigators also documented OPSEC failures including an exposed Vultr Singapore server with the hostname TEDDY2012 and internet-accessible RDP.

  9. Mar 12, 2026

    SilverFox ValleyRAT activity surged across multiple samples and C2s

    Between 2026-03-08 and 2026-03-12, researchers observed 20 ValleyRAT samples uploaded to MalwareBazaar, with infrastructure spanning 22 command-and-control IPs and more than 30 domains. The campaign used DLL sideloading, MSI and ZIP delivery, and in some cases abused the vulnerable Topaz OFD driver to kill Protected Process Light security tools.

  10. Mar 10, 2026

    ValleyRAT sample uploaded to MalwareBazaar

    The same ValleyRAT "codemark" loader was uploaded to MalwareBazaar on 2026-03-10, less than 24 hours after compilation. This provided early public visibility into the March 2026 SilverFox-linked offensive activity.

  11. Mar 9, 2026

    ValleyRAT loader compiled in early March 2026

    A ValleyRAT Stage 2 shellcode loader associated with the "codemark" campaign was compiled on 2026-03-09. The sample used XOR 0x44 encryption, embedded shellcode, and configuration pointing to three command-and-control channels.

  12. Mar 5, 2026

    SilverFox ValleyRAT sample showed pivot to US-based VPS infrastructure

    On 2026-03-05, Breakglass reported a new SilverFox-attributed ValleyRAT Stage 2 sample using a bare-IP command-and-control server at 108.187.4.252 on ports 447 and 448, indicating a shift from historically Tencent Cloud-hosted infrastructure to US-based VPS providers. The signed 64-bit malware dropped a Chinese-language PowerPoint decoy and supported capabilities including process injection, keylogging, clipboard monitoring, system discovery, and likely registry persistence.
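The host-side chain in the summary (SFX extraction into C:\WeChat\, decoy launch of the legitimate WeChat binary, Run-key persistence) and the network indicators in the timeline (108.187.4.252 on ports 447/448, TCP/6658 to the wisemansupport.com hosts) can be expressed as a small triage rule set over endpoint telemetry. The block below is an added example written for this page, not code from Breakglass, Mallory, or any of the cited reports. The event lines are constructed, the key=value field names (ts, host, event, pid, ppid, image, target, dst, dport) are an assumed Sysmon-like layout, and the indicator set contains only the values stated on this page, so it is a starting point rather than a complete detection.

```python
"""Rule-based triage of endpoint telemetry for the SilverFox ValleyRAT / Gh0stRAT
tradecraft described above. Indicators are the ones stated on the page; the
telemetry is constructed for this example and is not real log data."""
import re
from collections import defaultdict

# Network indicators reported on the page (partial; the reports list many more).
C2_ENDPOINTS = {("108.187.4.252", 447), ("108.187.4.252", 448)}  # ValleyRAT Stage 2 bare-IP C2
C2_DOMAINS = {"wisemansupport.com", "api.wisemansupport.com"}     # Gh0stRAT/Farfli "WisemanSupport"
C2_PORTS = {6658}                                                  # Farfli beaconing port

# Host behaviour from the WeChat-themed ValleyRAT SFX chain.
STAGING_DIR = "c:\\wechat\\"
RUN_KEY_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\run"

# Constructed Sysmon-style key=value events (assumed field layout). WS01 reproduces
# the chain, WS02 is a benign WeChat install talking to an unrelated server, and
# WS03 shows only the Farfli beacon.
SAMPLE_EVENTS = r"""
ts=1 host=WS01 event=file_create pid=100 image=C:\Users\a\Downloads\layoff_notice.exe target=C:\WeChat\WeChat.exe
ts=2 host=WS01 event=file_create pid=100 image=C:\Users\a\Downloads\layoff_notice.exe target=C:\WeChat\config.bin
ts=3 host=WS01 event=process_create pid=101 ppid=100 image=C:\WeChat\WeChat.exe
ts=4 host=WS01 event=reg_set pid=100 image=C:\Users\a\Downloads\layoff_notice.exe target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WeChat
ts=5 host=WS01 event=net_connect pid=102 image=C:\Windows\System32\svchost.exe dst=108.187.4.252 dport=447
ts=6 host=WS02 event=net_connect pid=200 image=C:\Program Files\Tencent\WeChat\WeChat.exe dst=203.0.113.5 dport=443
ts=7 host=WS03 event=net_connect pid=300 image=C:\Users\b\AppData\Roaming\svc.exe dst=api.wisemansupport.com dport=6658
"""


def parse_events(text):
    """Parse key=value lines. Values may contain spaces ("Program Files"), so the
    line is split only on a space that is immediately followed by another key=."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in re.split(r" (?=\w+=)", line.strip()))
        for k in ("ts", "pid", "ppid", "dport"):
            if k in fields:
                fields[k] = int(fields[k])
        events.append(fields)
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def is_c2(dst, dport):
    """True when the destination matches a C2 IP:port, domain, or port from the page."""
    return (dst, dport) in C2_ENDPOINTS or dst.lower() in C2_DOMAINS or dport in C2_PORTS


def detect(text):
    """Return alerts as (host, ts, rule) tuples, evaluating each host in time order."""
    alerts = []
    stagers = defaultdict(set)  # host -> pids that wrote files into the staging directory
    for e in parse_events(text):
        host, ev = e["host"], e["event"]
        if ev == "file_create" and e["target"].lower().startswith(STAGING_DIR):
            stagers[host].add(e["pid"])
        elif ev == "process_create" and e["image"].lower().startswith(STAGING_DIR) \
                and e.get("ppid") in stagers[host]:
            # the stager dropped files under C:\WeChat\ and then launched the decoy from there
            alerts.append((host, e["ts"], "valleyrat_staging_decoy"))
        elif ev == "reg_set" and e["target"].lower().startswith(RUN_KEY_PREFIX) \
                and e["pid"] in stagers[host]:
            # Run-key write is only interesting when the writer is the stager itself
            alerts.append((host, e["ts"], "run_key_persistence_by_stager"))
        elif ev == "net_connect" and is_c2(e["dst"], e["dport"]):
            alerts.append((host, e["ts"], "c2_connection"))
    return alerts


def summarize(alerts):
    """Host -> sorted list of distinct rule names that fired on that host."""
    by_host = defaultdict(set)
    for host, _, rule in alerts:
        by_host[host].add(rule)
    return {h: sorted(r) for h, r in by_host.items()}


if __name__ == "__main__":
    for host, rules in summarize(detect(SAMPLE_EVENTS)).items():
        print(host, rules)
```

The Run-key rule is deliberately tied to the process that staged files into C:\WeChat\, because Run-key writes on their own are too common to alert on; likewise the network rule matches only the exact endpoints named on the page, so a production version would load the full Breakglass indicator set and add a generic bare-IP, non-standard-port beacon rule from a process that does not normally talk to the internet (svchost.exe in WS01 above is the injected host process the reports describe).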

Related Stories

ValleyRAT Malware Campaigns Targeting Chinese Organizations and Job Seekers

Threat actors have launched multiple campaigns distributing the ValleyRAT remote access trojan (RAT), targeting both organizations in China and job seekers. In one campaign, the group known as Silver Fox used search engine optimization (SEO) poisoning and fake Microsoft Teams installers to lure Chinese-speaking users, including those in Western companies operating in China, into downloading a trojanized setup file. The installer, disguised with Russian linguistic elements to mislead attribution, deploys ValleyRAT, which enables remote control, data exfiltration, and persistent access to infected systems. The malware loader checks for security software like 360 Total Security and manipulates Microsoft Defender exclusions to evade detection. A separate ValleyRAT campaign has been observed targeting job seekers via malicious emails that leverage a weaponized Foxit PDF Reader for DLL side-loading. This campaign uses social engineering to trick users into executing the malware, which then allows attackers to monitor activity, steal sensitive data, and potentially compromise HR professionals as well. Both campaigns demonstrate a high level of sophistication, utilizing layered obfuscation, dynamic execution techniques, and strategic targeting to maximize infection rates and evade security controls. Security vendors have updated detection and hunting capabilities to address these threats, emphasizing the need for vigilance among organizations and individuals alike.

1 month ago

Chinese-Language Malware Operations Exposed Through GoLoader, ValleyRAT, and FUD Crypt

Researchers uncovered multiple malware operations using scalable builder and crypting infrastructure to deliver remote-access trojans and evade detection. Breakglass Intelligence found two unauthenticated **GoLoader** builder panels that had produced **468,349** polymorphic samples across 71 active tasks, while leaking Alibaba Cloud OSS credentials tied to a public bucket containing LNK droppers, polymorphic VBS scripts, steganographic PNG carriers, .NET loaders, and RAT payloads. The reconstructed infection chain ended with **njRAT**, and reversing its custom AES-256-ECB configuration revealed the C2 `laohe1[.]myvnc[.]com:5000`, overlapping with infrastructure previously associated with **XWorm**. The campaign was assessed with moderate confidence as operated by a Chinese-speaking actor using Simplified Chinese cryptocurrency lures. A separate Breakglass report linked **ValleyRAT** samples targeting Chinese-speaking users to a campaign that blended long-lived Hong Kong infrastructure with a likely compromised UK academic relay. One sample connected to `103.215.77[.]17:4488`, a Hong Kong-hosted server linked to dozens of related malware submissions, while another Rust loader masquerading as **Microsoft OneDrive Sync Engine** decrypted and loaded a ValleyRAT core DLL after sandbox checks; its stage-two C2 used a `govroam.cf.ac[.]uk` hostname resolving into Cardiff University space, suggesting temporary relay use through a compromised GovRoam-connected endpoint. In parallel, researchers analyzing the **FUD Crypt** malware-as-a-service platform found it packaged Windows malware with persistence, C2, and evasion features, tracked **200** registered users and **334** confirmed builds, and documented abuse of Microsoft **Azure Trusted Signing** to produce Microsoft-rooted Authenticode signatures for malicious binaries.

1 week ago

Multiple malware campaigns using compromised websites and phishing lures to deliver RATs and stealers

Threat actors are using **compromised or spoofed websites** to trick victims into executing malware, with lures ranging from fake browser updates to counterfeit security-software download pages. Recorded Future’s Insikt Group reported that financially motivated **GrayCharlie** (overlapping with **SmartApeSG**) compromised multiple U.S. law-firm WordPress sites—potentially via a shared IT/marketing provider—and injected externally hosted JavaScript that redirected visitors to **bogus update pages** or **fake CAPTCHA** flows. Victims were prompted to run a PowerShell command via the Windows Run dialog, leading to **NetSupport RAT** installation and follow-on delivery of **Stealc** and **SectopRAT**; the operation’s infrastructure was noted as being supported by **MivoCloud** and **HZ Hosting Ltd.** Separately, Malwarebytes-linked reporting described a **typosquatting** campaign impersonating the Huorong antivirus site (`huoronga[.]com` vs. `huorong.cn`) to distribute **ValleyRAT** (built on the **Winos4.0** framework), attributed to the Chinese-speaking **Silver Fox APT**; the payload was routed through an intermediary domain and hosted on **Cloudflare R2**, with a ZIP masquerading as Huorong (`BR火绒445[.]zip`). In a different region and access vector, Group-IB reported Iran-linked **MuddyWater** running **Operation Olalampo** against MENA targets using **phishing emails** with malicious Office documents/macros to deploy new tooling including **GhostFetch** (dropping **GhostBackDoor**) and **CHAR** (a Rust backdoor controlled via a **Telegram bot**), plus variants using **HTTP_VIP** to deploy *AnyDesk*; the campaign also leveraged recently disclosed vulnerabilities on public-facing servers for initial access.

1 month ago