ValleyRAT (Winos 4.0) delivery via all-in-one loader
Malware Activity
Summary
A Silver Fox operation is delivering ValleyRAT (Winos 4.0) through an all-in-one loader that uses anti-analysis checks and embedded drivers, increasing the chance that infected Windows systems are fully compromised before defenses react. The payload chain is built to evade detection, disable endpoint protection, and then fetch a modular backdoor from C2 infrastructure. The result is remote access and control on targeted machines after the defensive layer has been suppressed.
Related Happenings
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
Silver Fox South Asia phishing campaign
Campaign
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
How related:
As observed before, the campaign is designed to deliver ValleyRAT (aka Winos 4.0) as the final payload, providing remote access and control capabilities to the threat actor.
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
RustyWater RAT adds asynchronous C2 and Windows Registry persistence
Malware Activity
First: 10.01.2026 12:35
Last: 10.01.2026 12:35
Sources 1
About this happening:
**RustyWater** is being used as a **Rust-based RAT implant** that can profile victims, maintain **Windows Registry** persistence, and execute commands on **Windows** systems. The...
UAC-0184 targets Ukrainian military and government entities via Viber-delivered malware
Campaign
First: 05.01.2026 19:56
Last: 05.01.2026 19:56
Sources 1
About this happening:
**UAC-0184** has shifted to **Viber-delivered malware** to target **Ukrainian military and government entities**, extending an active **2025** espionage operation. The initial lur...
Timeline
02.09.2025 11:39 · 2 articles
Initial report: ValleyRAT (Winos 4.0) delivery via all-in-one loader
Initial Disclosure:
The delivery chain begins with a single loader that performs **Anti-VM**, **Anti-Sandbox**, and **hypervisor detection** checks before executing further stages. If those checks pass, the loader uses embedded drivers and a downloader to prepare the host for **ValleyRAT** deployment.
Sources:
- Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware — thehackernews.com — 02.09.2025 11:39