type: entity
confidence: high
created: 2026-05-29
updated: 2026-06-04
tags: malware-family, loader, rat, defense-evasion, c2, evasion, obfuscation

SilverFox

SilverFox is a Windows malware cluster labeled by OpenCTI and MalwareBazaar. Static analysis reveals two distinct build variants: a larger Rust dropper (ed1a00479fe2) and a lean C stub (82d425516199) — both share identical stream-cipher constants, XOR-thunk API dispatch, resource-extraction logic, and process-hollowing behaviour, confirming they belong to the same family. Co-tagged valleyrat.

Overview

Attribute Detail
Platform Windows (PE32/PE32+); observed x64^[file.txt]
First observed 2026 (per triage timestamps)
Languages Rust (.buildid section, stdlib)^[pefile.txt:117] and C (rabin2 lang: c)^[rabin2-info.txt:17]
Linker variants MSVC 14.0 (Rust) and MSVC 6.0 (C)
Distribution Masqueraded as PDF documents with Chinese filenames^[triage.json]
Certificate Unsigned^[rabin2-info.txt:27]
Labels silverfox, valleyrat, trojan/silverfox.bg[qtsc]^[triage.json]

Build Stack

Two observed variants share the same runtime behaviour but diverge in compilation and packing layers:

Rust variant (ed1a00479fe2)

  • Compiler: rustc via x86_64-pc-windows-msvc target (MSVC 14.0 linker).^[pefile.txt:45]
  • Stripping: Full strip (external PDB reference).^[pefile.txt:39]
  • Sections: .text, .rdata, .buildid (Rust artifact), .data, .pdata, .tls, .rsrc, .reloc.^[pefile.txt:75]

C variant (82d425516199)

  • Compiler: C (rabin2 lang: c, no .buildid).^[rabin2-info.txt:17]
  • Linker: MSVC 6.0 (anachronistic for 2026 — possibly fabricated or legacy toolchain).^[pefile.txt:45]
  • Sections: .text, .rdata, .data, .pdata, .rsrc (5 sections).^[pefile.txt:75]
  • Size: 50 176 bytes (~one-third the Rust sibling).^[triage.json]
  • Thunk dispatch: Every API call indirected through a single XOR-decrypt thunk (fcn.0040789c in r2; >222 call sites).^[r2:fcn.0040789c]
  • API resolution: FNV-1a 64-bit hash resolver (basis 0xcbf29ce484222325, prime 0x100000001b3).^[r2:fcn.00407790]
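An analyst-side helper, added here and not code from the samples or any vendor tool: it reimplements the FNV-1a 64-bit hash with the basis and prime above, so hashes lifted from the C stub can be mapped back to export names. The candidate name list is constructed; that the stub hashes the exact export-name bytes (case preserved, no terminator) is an assumption.

```python
# Added example (not code from the SilverFox samples): rebuild API names from
# FNV-1a 64-bit hashes using the basis and prime the C stub resolver uses.
FNV64_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a64(name: bytes) -> int:
    """FNV-1a 64: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_BASIS
    for b in name:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h


# Constructed candidate list: export names a loader would plausibly resolve.
# In practice, feed the full export tables of kernel32/ntdll here. Assumption:
# the stub hashes the raw name bytes, case-sensitive, without the NUL terminator.
CANDIDATES = [
    b"LoadLibraryA", b"GetProcAddress", b"VirtualProtect", b"CreateProcessW",
    b"NtAllocateVirtualMemory", b"NtWriteVirtualMemory", b"MoveFileExW",
]


def build_lookup(names):
    """Map hash -> name so hashes pulled from the sample can be labelled."""
    return {fnv1a64(n): n.decode() for n in names}


def resolve_hashes(hashes, lookup):
    """Return {hash: name-or-None} for each 64-bit hash found in the binary."""
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    # Constructed input: the hash of VirtualProtect plus one unknown value.
    found = resolve_hashes([fnv1a64(b"VirtualProtect"), 0xDEADBEEF], table)
    for h, n in found.items():
        print(f"{h:016x} -> {n or '<unresolved>'}")
```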

Shared across both variants

  • VersionInfo: Randomized per build (e.g. JUjflFmsWFlu.exe, CHuWqU, KDePSx.exe).^[pefile.txt:321]
  • Stream-cipher constants: 0xcaaafe23, 0x3d57aa23, 0x44d9bb23, 0x9e37cb23.^[r2:fcn.00402e77]
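A triage scanner, added as an example and not part of the original note or any sample: it searches a file image for the four shared stream-cipher constants and the FNV-1a 64 parameters as little-endian immediates and returns a heuristic verdict. The sample bytes are constructed padding, not data from a real build.

```python
# Added example (not from the samples or any vendor tool): scan a file image for
# the family's shared stream-cipher constants and the FNV-1a 64 parameters,
# both as little-endian immediates, to triage candidate SilverFox builds.
import struct

STREAM_CIPHER_CONSTS = [0xCAAAFE23, 0x3D57AA23, 0x44D9BB23, 0x9E37CB23]
FNV64_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3


def find_constants(image: bytes) -> dict:
    """Return each marker's byte offsets; absent markers map to an empty list."""
    patterns = {f"sc_{c:08x}": struct.pack("<I", c) for c in STREAM_CIPHER_CONSTS}
    patterns["fnv64_basis"] = struct.pack("<Q", FNV64_BASIS)
    patterns["fnv64_prime"] = struct.pack("<Q", FNV64_PRIME)
    hits = {}
    for label, pat in patterns.items():
        offs, pos = [], image.find(pat)
        while pos != -1:
            offs.append(pos)
            pos = image.find(pat, pos + 1)
        hits[label] = offs
    return hits


def classify(hits: dict) -> str:
    """Heuristic verdict: all four cipher constants = family marker match;
    FNV parameters alone = C-stub resolver style; otherwise no signal."""
    cipher_hits = sum(1 for k, v in hits.items() if k.startswith("sc_") and v)
    if cipher_hits == 4:
        return "stream-cipher-constants-present"
    if hits["fnv64_basis"] and hits["fnv64_prime"]:
        return "fnv1a64-resolver-present"
    return "no-family-markers"


# Constructed sample: padding around the four cipher constants and the FNV basis,
# standing in for a .text section; these are not bytes from a real sample.
SAMPLE = (b"\x90" * 16 + b"".join(struct.pack("<I", c) for c in STREAM_CIPHER_CONSTS)
          + b"\xcc" * 8 + struct.pack("<Q", FNV64_BASIS) + b"\x00" * 16)

if __name__ == "__main__":
    h = find_constants(SAMPLE)
    print(classify(h), {k: v for k, v in h.items() if v})
```

On a real PE, run it over the mapped sections rather than the raw file when the constants are built in registers rather than stored as immediates; this scanner only catches the stored form.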

Deploy / TTPs

ATT&CK ID Technique Implementation
T1055 Process Injection NtAllocateVirtualMemory + NtWriteVirtualMemory into remote/suspended target^[ghidra:FUN_140001030:1650]
T1055.012 Process Hollowing Self-CreateProcessW with CREATE_SUSPENDED; memory write to child^[ghidra:FUN_140001030:1850]
T1562.001 Impair Defenses Restores ntdll .text from disk via VirtualProtect overwrite^[ghidra:FUN_140001030:1580]
T1497.001 Sandbox Evasion Initial library export gate; exits if wrong environment^[ghidra:FUN_140001030:90]; C variant uses argc == 1 gate^[r2:entry0]
T1070.004 File Deletion MoveFileExW(MOVEFILE_DELAY_UNTIL_REBOOT) self-deletion^[ghidra:FUN_140001030:1900]
T1027.002 Obfuscated Files LZSS-compressed + custom stream cipher payload in .rsrc^[ghidra:FUN_140004000]
T1106 Native API Direct Nt* API usage; no VirtualAllocEx for remote allocation^[ghidra:FUN_140001030:1650]; C variant uses standard Win32 APIs via thunk^[r2:fcn.004049b4]

Variants / Aliases

  • OpenCTI/MalwareBazaar: silverfox, valleyrat, trojan/silverfox.bg[qtsc]
  • Relationship to ValleyRAT is unconfirmed at this depth — may be shared infrastructure, dual labeling, or a fork.

Capabilities

  • resource-embedded-payload-extraction
  • custom-stream-cipher-payload-decryption
  • lzss-payload-decompression
  • ntdll-text-unhook-from-disk (Rust variant only)
  • CreateRemoteThread-alternative-injection
  • suspended-child-process-hollowing
  • SeDebugPrivilege-elevation
  • self-delete-delayed-until-reboot
  • runtime-api-resolution
  • xor-thunk-api-dispatch (C variant; >222 call sites via single decrypt thunk)
  • fnv1a-64-api-resolution (C variant; basis 0xcbf29ce484222325)
  • environment-gate-sandbox-evasion
  • version-info-masquerade
  • NtQuerySystemInformation-module-enumeration
  • standard-iat-low-obfuscation
  • lzss-in-memory-payload-staging
  • ShellExecuteExW-fallback-execution

C stub variant (e772de93) — NEW

  • Masquerade: Sangfor Technologies Inc. / Sangfor Defender Antivirus Client UI / sfavui.exe^[pefile.txt:261-268]; dual VS_VERSIONINFO (EN-US + ZH-CN); 32 dual-language RT_ICON entries^[pefile.txt:445-1112]
  • Social engineering: Filename 2026.05.21裁员名单及补偿方案WPS.exe (Chinese staff list + severance compensation lure)^[triage.json]
  • Certificate: Authenticode PKCS#7 blob present (Microsoft Windows / Windows Production PCA 2011 chain)^[strings.txt:384-481]; signature validity unverified
  • Sandbox gate: argc <= 1 early exit^[r2:entry0]
  • API dispatch: XOR-thunk via DAT_xxxx ^ _DAT_00408000, 50-entry in-place decryption table^[ghidra:FUN_0040577e]

RC4 loader variant (139329dc9) — NEW

  • Compiler: MSVC 14.16 (C/C++).^[pefile.txt:49]
  • Linker: MSVC 2017/2019 (not 6.0, not Rust).^[exiftool.json:18]
  • Size: 173 056 bytes (~3.4× the C stub, ~1.1× the Rust sibling).^[triage.json]
  • Packing/encryption: Standard RC4 (not custom stream cipher) using a 28-byte key derived from XOR-obfuscated API strings; in-place section decryption of .text (0x22C00 bytes, entropy 7.998), .data, and import table.^[pefile.txt:95, r2:fcn.14002b8a0, r2:fcn.14002b360, r2:fcn.14002b470]
  • API resolution: PEB-walking (gs:[0x60]) to locate ntdll.dll, then export-table traversal to resolve LoadLibraryA, GetProcAddress, and VirtualProtect. No static imports used by the stub.^[r2:fcn.14002b5c0, ghidra:FUN_14002b5c0]
  • Anti-signature: All nine section names are null-filled; checksum is zeroed; LOAD_CONFIG and debug directories contain fabricated future-dated garbage.^[pefile.txt:80,424,480]
  • Payload clues: Strings Stub.dll and g_stcParam in the decryptor suggest a reflective DLL payload.^[strings.txt:439-440]
  • Social engineering: Chinese-language filename masquerading as an internal staff disciplinary list.^[triage.json]

C x64 Authenticode IAT variant (beb3a9d9) — NEW

  • Compiler: MSVC 14.0 (C).^[pefile.txt:45,exiftool.json:18]
  • Linker: MSVC 2015/2017 (not 6.0, not Rust).^[exiftool.json:18]
  • Size: 104 208 bytes (between the 50K FNV-1a stub and the 173K RC4 loader).^[triage.json]
  • Packing/encryption: LZSS-compressed payload embedded directly in .rdata (no .rsrc section at all).^[pefile.txt:98-115]
  • API resolution: Standard IAT imports from KERNEL32, ntdll, ADVAPI32, SHELL32, PSAPI — not zero-IAT or PEB-walking.^[pefile.txt:268-361]
  • Signing: Authenticode PKCS#7 blob present (Microsoft Windows / Windows Production PCA 2011 chain).^[binwalk.txt:4-9]
  • Sandbox evasion: CreateToolhelp32Snapshot process enumeration with Sleep(1000) retry loops; anti-VM/AV process name checks via lstrcmpiW.^[r2:fcn.140001030]
  • Payload delivery: LZSS decompression via fcn.140004000 (12-bit window, SSE-accelerated copies) → NtAllocateVirtualMemory + NtWriteVirtualMemory into a suspended child created by CreateProcessW.^[r2:fcn.140001030,r2:fcn.140004000]
  • Self-deletion: Imports MoveFileExW^[pefile.txt:302]; sibling behavior strongly suggests MOVEFILE_DELAY_UNTIL_REBOOT use.
  • Social engineering: Chinese-language filename (2026.05.22裁员名单及补偿方案WPS.exe — staff-reduction list + severance compensation lure).^[metadata.json:4,triage.json:5]

Notable Analyses

  • ed1a00479fe2ea2555882c67719abc86e98b512f122aea79adacf37355cab996 — Rust x64 dropper with LZSS + stream cipher, ntdll unhooking, process hollowing.
  • 82d425516199d497c3a25edc4c3ad05c14469f697230f3ad17fe03ce73cd0216 — C x64 lean stub (50K) sharing same stream-cipher constants and thunk dispatch; uses FNV-1a API resolution and argc == 1 sandbox gate.
  • 139329dc9992e132f9c8d887ad685660161cefcfb0a18867d616a7d217a0605e — MSVC C++ x64 RC4 loader with zero section names, PEB-walking API resolution, and reflective DLL delivery.
  • e772de930167a24868814510021d73d8c061b4d7af0946ac302e53bb1c9cba56 — C x64 stub (~374 KB) with Sangfor EDR masquerade, dual-language .rsrc icon set, Authenticode signature, and XOR-thunk dispatch.
  • beb3a9d9fa738ac7ebac7dc8f5357c9a6673cfae1bc50fd73497d350afd5ed1c — C x64 Authenticode-signed sibling with LZSS .rdata payload, standard IAT, process enumeration, and sleep-loop sandbox evasion.
  • 452e085f42d6054435f95d363588f3d516f1a52d28b033f33a91e843ac4d720e — C++ x64 injector (228 KB) using standard IAT, LZSS decompressor at FUN_140004000, dual token escalators (FUN_1400038c0 / FUN_140003f80), VirtualAllocEx/NtWriteVirtualMemory hollowing, ShellExecuteExW fallback, and MoveFileExW self-delete. Unsigned; no anti-debug. Static-only.

Capabilities

  • resource-embedded-payload-extraction
  • custom-stream-cipher-payload-decryption
  • lzss-payload-decompression
  • rc4-section-decryption
  • ntdll-text-unhook-from-disk (Rust variant only)
  • CreateRemoteThread-alternative-injection
  • suspended-child-process-hollowing
  • SeDebugPrivilege-elevation
  • self-delete-delayed-until-reboot
  • runtime-api-resolution
  • xor-thunk-api-dispatch (C variant; >222 call sites via single decrypt thunk)
  • fnv1a-64-api-resolution (C variant; basis 0xcbf29ce484222325)
  • environment-gate-sandbox-evasion
  • peb-walking-api-resolution (RC4 loader variant)
  • rc4-in-place-section-decryption (RC4 loader variant)
  • zero-section-name-anti-signature (RC4 loader variant)
  • reflective-dll-stub-delivery (RC4 loader variant; Stub.dll + g_stcParam)
  • lzss-rdata-payload-embedding (Authenticode C variant)
  • Authenticode-signature-masquerade
  • process-enumeration-anti-vm-gate
  • sleep-loop-sandbox-evasion
  • standard-iat-resolution-low-obfuscation

Related Entities