ValleyRAT Surge: 20 Samples in 4 Days as Silver Fox APT Accelerates Multi-Vector Campaign With BYOVD and DLL Sideloading

Severity: Critical | Category: APT
Published: March 12, 2026
Tags: ValleyRAT, Silver-Fox, DLL-sideloading, BYOVD, Winos, APT, China, stealer

A DLL payload joins an unprecedented wave of ValleyRAT deployments across MSI installers, EXEs, and archives -- backed by 22 C2 IPs, the Winos 4.0 framework, and a vulnerable driver that kills Windows Defender.

Twenty ValleyRAT samples submitted to MalwareBazaar in four days. DLLs, EXEs, MSI installers, ZIP archives -- every delivery vector in the playbook. This is not a drip campaign. This is Silver Fox APT flooding the zone.

A new DLL payload (SHA256: fa61bf2cdef96ac5cb948e0f69863c4b23b1f509ad7ce5b9b8b811faca5cfba2, 373KB) was uploaded on March 12, 2026. Cross-referencing with two prior Breakglass Intelligence investigations reveals it belongs to a unified March 2026 campaign wave that has deployed 22 unique C2 IP addresses and 30+ domains across Alibaba Cloud, Tencent Cloud, SpeedVM, Vultr, Cloud Innovation (Seychelles), and Microsoft Azure. The campaign uses the "codemark" builder variant, XOR-encrypted configs, DLL sideloading through legitimate applications (Douyin, Microsoft Teams, tax software), and a vulnerable driver (wsftprm.sys) that terminates Windows Defender at the kernel level.

Key Findings

  • 20 samples in 4 days (March 8-12): The highest upload velocity observed for ValleyRAT on MalwareBazaar, with 8 explicitly tagged SilverFox
  • DLL sideloading payload: 373KB DLL matches the documented tier0.dll / sscronet.dll pattern used with Douyin, Microsoft Teams, and tax software executables
  • BYOVD (Bring Your Own Vulnerable Driver): wsftprm.sys (Topaz OFD) driver kills Protected Process Light security agents including Windows Defender
  • 22 C2 IPs mapped across the broader campaign, with TEDDY2012 hostname OPSEC failure on Vultr Singapore node
  • Multi-provider infrastructure: Deliberate hosting diversification across 7+ cloud providers and 3+ registrars
  • Builder leak acceleration: Public leak of ValleyRAT builder on GitHub in March 2025 produced ~6,000 samples in 12 months, with 85% appearing in the latter half
  • Expanding targets: Chinese-speaking users, Taiwanese organizations (tax/e-invoice lures), and US/Canadian healthcare (trojanized DICOM viewers)

Attack Chain

[Initial Access]
  |-- SEO Poisoning (fake Chrome/Teams/Huorong AV)
  |-- Spearphishing (tax lures, payroll documents)
  |-- Trojanized software (Foxit Reader, WPS Office)
      |
      v
[DLL Sideloading]
  Legitimate .exe loads malicious DLL (tier0.dll, sscronet.dll, etc.)
      |
      v
[BYOVD: wsftprm.sys]
  Vulnerable Topaz OFD driver loaded via NtLoadDriver
  IOCTL calls kill PPL security processes (Windows Defender)
      |
      v
[XOR Config Decryption]
  Single-byte XOR (0x44 / 0xDC / 0x36 / 0x27)
  "codemark" campaign marker validation
      |
      v
[C2 Establishment]
  TCP port 6666 / 8888 / custom
  22 IPs across 7+ cloud providers
      |
      v
[Plugin Deployment]
  File management, screen capture, keylogger
  Registry-resident for fileless persistence
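The XOR Config Decryption stage above is the point where an analyst can confirm a sample belongs to this builder variant: decrypt with each reported single-byte key and accept the result only if the "codemark" marker appears. The script below is an added example, not code from Breakglass Intelligence or from the malware; it uses the four key bytes the report lists, falls back to all 256 keys for samples that use a different one, and parses a hypothetical `key=value;` config layout that is constructed for the example (the real ValleyRAT config structure is not described on this page). The sample blob is constructed from RFC 5737 documentation addresses.

```python
from typing import Iterable, Optional, Tuple

# Single-byte XOR keys the report lists for the "codemark" builder variant.
CANDIDATE_KEYS = (0x44, 0xDC, 0x36, 0x27)
# Campaign marker whose presence validates a successful decryption.
CAMPAIGN_MARKER = b"codemark"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def try_decrypt(blob: bytes, keys: Iterable[int] = CANDIDATE_KEYS) -> Optional[Tuple[int, bytes]]:
    """Return (key, plaintext) for the first key whose output contains the marker, else None."""
    for key in keys:
        plain = xor_bytes(blob, key)
        if CAMPAIGN_MARKER in plain:
            return key, plain
    return None


def brute_force_key(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Fallback for samples that use a key outside the reported set: try all 256 values."""
    return try_decrypt(blob, range(256))


def parse_config(plain: bytes) -> dict:
    """Split a 'key=value;' string into a dict.

    This layout is a hypothetical stand-in used for the example; the real
    ValleyRAT config structure is not described in the report.
    """
    fields = {}
    for item in plain.decode("latin-1").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


# Constructed sample: a fake config (RFC 5737 documentation addresses) encrypted with 0xDC.
SAMPLE_PLAIN = b"marker=codemark;c2=203.0.113.10:6666;fallback=203.0.113.11:8888;"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, 0xDC)


def extract(blob: bytes) -> Optional[dict]:
    """Decrypt with the known keys first, fall back to brute force, then parse."""
    hit = try_decrypt(blob) or brute_force_key(blob)
    if hit is None:
        return None
    key, plain = hit
    cfg = parse_config(plain)
    cfg["_xor_key"] = f"0x{key:02X}"
    return cfg


if __name__ == "__main__":
    print(extract(SAMPLE_BLOB))
```

Trying the reported keys before the full 256-key sweep keeps the common case cheap, and anchoring on the marker rather than on "looks like text" avoids false positives on blobs that happen to decrypt to printable garbage.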

The BYOVD Problem

The campaign's most concerning capability is its integration of wsftprm.sys, a legitimately signed driver from Topaz OFD with a known vulnerability. The attack flow:

  1. Elevate privileges: UAC bypass via COM hijacking (ICMLuaUtil / CMSTP / fodhelper)
  2. Load vulnerable driver: NtLoadDriver via ntdll.dll native API resolution
  3. Kill security processes: IOCTL calls to terminate Protected Process Light agents
  4. Windows Defender dies: The primary consumer endpoint protection is eliminated before any malicious payload executes

This is not theoretical. The driver is signed, so Windows loads it without complaint. The IOCTL interface provides kernel-level process termination. And the technique has been active in the March 2026 campaign wave.

Infrastructure Scale

The March 2026 campaign uses deliberate hosting diversification:

| Provider              | IPs | Region     |
|-----------------------|-----|------------|
| Alibaba Cloud         | 4   | China      |
| SpeedVM/ANTBOX        | 3   | Asia       |
| Tencent Cloud         | 2   | China      |
| Vultr                 | 1   | Singapore  |
| Cloud Innovation      | 1   | Seychelles |
| Microsoft Azure       | 1   | Global     |
| Cogent Communications | 1   | US         |

OPSEC failure: The Vultr Singapore node (207[.]148[.]123[.]69) has hostname TEDDY2012 -- a personal identifier that links across multiple C2 servers in the campaign.

Registrar clustering: Gname.com (Singapore) serves as the primary registrar with share-dns.net/share-dns.com nameservers, creating a fingerprint that connects 30+ domains to the same operator.

IOCs

Primary Sample:

| Field  | Value                                                            |
|--------|------------------------------------------------------------------|
| SHA256 | fa61bf2cdef96ac5cb948e0f69863c4b23b1f509ad7ce5b9b8b811faca5cfba2 |
| Size   | 373,760 bytes                                                    |
| Type   | DLL                                                              |

Selected C2 IPs (from broader campaign):

207[.]148[.]123[.]69   # Vultr Singapore (TEDDY2012)
108[.]187[.]4[.]192    # Cross-investigation overlap
108[.]187[.]7[.]232    # Cross-investigation overlap

BYOVD Driver:

  • wsftprm.sys (Topaz OFD) -- legitimately signed, vulnerable to IOCTL-based process termination

MITRE ATT&CK

| Technique                                | ID        | Application                                |
|------------------------------------------|-----------|--------------------------------------------|
| DLL Side-Loading                         | T1574.002 | Legitimate apps load malicious DLLs        |
| Exploitation for Defense Evasion         | T1211     | BYOVD wsftprm.sys kills Defender           |
| Subvert Trust Controls: Code Signing     | T1553.002 | Signed vulnerable driver loaded by OS      |
| UAC Bypass                               | T1548.002 | COM hijacking (ICMLuaUtil/CMSTP/fodhelper) |
| Modify Registry                          | T1112     | Registry-resident fileless plugins         |
| Screen Capture                           | T1113     | Differential screen capture module         |
| Input Capture: Keylogging                | T1056.001 | SetWindowsHookEx keylogger                 |
| Application Layer Protocol               | T1071.001 | HTTP/TCP C2 on multiple ports              |

Conclusion

Silver Fox is operating at a tempo that commodity malware operators would envy. Twenty samples in four days, 22 C2 IPs, 7+ hosting providers, multiple delivery vectors, and a BYOVD capability that neutralizes endpoint protection before the real payload runs. The public builder leak in March 2025 accelerated sample proliferation, but the coordinated infrastructure and consistent "codemark" builder variant indicate a centralized operation, not scattered copycats. The targeting expansion from Chinese-speaking populations to Taiwan, Japan, Malaysia, and US/Canadian healthcare makes this a global concern. Hunt for the wsftprm.sys driver load, monitor Gname.com-registered domains with share-dns.net nameservers, and track the TEDDY2012 hostname across your network logs.
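The three hunting recommendations above, together with the wsftprm.sys driver load described under The BYOVD Problem, can be expressed as a small triage script. What follows is an added example, not tooling from Breakglass Intelligence: it assumes a flat `key=value` event format that only borrows Sysmon field names (EventID 6 for driver loads, EventID 3 for network connections), constructed sample events, and the hypothetical helpers `hunt`, `parse_event` and `registration_matches_cluster`. The C2 IPs are the report's own, kept defanged in the source and refanged only at match time.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# IOCs from the report, written defanged ("[.]") so they are never resolved or clicked by accident.
DEFANGED_C2_IPS = (
    "207[.]148[.]123[.]69",   # Vultr Singapore, hostname TEDDY2012
    "108[.]187[.]4[.]192",
    "108[.]187[.]7[.]232",
)
SUSPECT_DRIVER = "wsftprm.sys"        # Topaz OFD driver abused for BYOVD
SUSPECT_HOSTNAME = "TEDDY2012"        # OPSEC-failure hostname on the Vultr node
SUSPECT_NS_SUFFIXES = ("share-dns.net", "share-dns.com")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".")


C2_IPS = frozenset(refang(ip) for ip in DEFANGED_C2_IPS)

# key=value tokens, with optional double quotes around the value
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    rule: str
    event: str


def parse_event(line: str) -> dict:
    """Parse a flat key=value event line. The format is constructed for this example
    and only borrows Sysmon field names (EventID, ImageLoaded, DestinationIp, ...)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Apply the report's hunting recommendations to a stream of events."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        # EID 6 = driver loaded. Match on file name wherever it was loaded from:
        # the driver is validly signed, so signature checks alone will not catch it.
        if eid == "6" and ev.get("ImageLoaded", "").lower().endswith(SUSPECT_DRIVER):
            findings.append(Finding("byovd_driver_load", line))
        # EID 3 = network connection. Match known C2 addresses and the leaked hostname.
        if eid == "3":
            if ev.get("DestinationIp") in C2_IPS:
                findings.append(Finding("known_c2_connection", line))
            if SUSPECT_HOSTNAME in ev.get("DestinationHostname", "").upper():
                findings.append(Finding("c2_hostname_teddy2012", line))
    return findings


def registration_matches_cluster(registrar: str, nameservers: Iterable[str]) -> bool:
    """Registrar/nameserver fingerprint from the report: Gname.com plus share-dns.* NS records."""
    ns_hit = any(ns.lower().rstrip(".").endswith(SUSPECT_NS_SUFFIXES) for ns in nameservers)
    return "gname" in registrar.lower() and ns_hit


# Constructed sample events (not real telemetry); 198.51.100.7 is an RFC 5737 documentation address.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded="C:\\Users\\Public\\wsftprm.sys" Signature="Topaz OFD" SignatureStatus=Valid',
    'EventID=3 DestinationIp=207.148.123.69 DestinationPort=6666 DestinationHostname=TEDDY2012',
    'EventID=3 DestinationIp=198.51.100.7 DestinationPort=443 DestinationHostname=www.example.com',
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signature="Microsoft Windows" SignatureStatus=Valid',
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event}")
    print(registration_matches_cluster("Gname.com Pte. Ltd.", ["ns1.share-dns.net", "ns2.share-dns.net"]))
```

The driver rule deliberately ignores the signature fields: because the Topaz driver carries a valid signature, a rule keyed on SignatureStatus would pass it, which is exactly the property BYOVD abuses. Feed the registration check from your WHOIS or passive DNS source rather than from endpoint telemetry, since nameserver data does not appear in Sysmon events.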
