The cybersecurity community recently witnessed the emergence of targeted malware campaigns linked to the Silver Fox threat group. <\/p>\n
This operation focuses heavily on Asia, targeting local organizations with carefully localized lures. <\/p>\n
By disguising attacks as routine business communications, actors successfully distributed the Winos 4.0 malware, known as ValleyRat, into corporate networks.<\/p>\n
To compromise victim systems, attackers leverage deceptive phishing emails<\/a> containing malicious attachments or embedded links. <\/p>\n These messages closely impersonate official government correspondence, such as tax audit notifications, software installers, and electronic invoice downloads.<\/p>\n When a user interacts with these files, they trigger a complex infection chain that operates quietly, minimizing the chances of immediate user suspicion.<\/p>\n The final impact of a successful infection is severe, leading to widespread file encryption and extensive data theft<\/a> that can fuel further cyberattacks. <\/p>\n Fortinet researchers identified the malware<\/a> and its infrastructure as highly volatile, utilizing a rotating network of cloud domains to host their payloads. <\/p>\n This rapid shifting of resources makes traditional static domain blocking mostly ineffective as a primary defense measure against the ongoing Winos 4.0 operations.<\/p>\n Once inside a network, the Silver Fox group employs advanced detection evasion strategies to maintain access and control. <\/p>\n The attackers deliver an archive containing a legitimate application that secretly sideloads a malicious dynamic link library into memory.<\/p>\n This stage sets the foundation for a \u201cBring Your Own Vulnerable Driver\u201d attack. The malware loads a validity-signed Windows kernel-mode driver, named wsftprm.sys, to silently acquire elevated system privileges<\/a> without alerting administrators.<\/p>\n After securing kernel-level access, the malicious driver enters a continuous monitoring loop to identify and terminate active security processes. <\/p>\n By targeting a vast array of popular antivirus and endpoint protection tools<\/a>, the malware creates a completely blind environment. This allows Winos 4.0 to operate, escalate its privileges, and maintain remote communication with its command server unimpeded.<\/p>\n To effectively defend against these highly sophisticated techniques, organizations must treat all unexpected documents and external links with extreme caution. <\/p>\n Security teams should implement behavioral monitoring tools, continuously update endpoint protection signatures, and deploy strong email filtering solutions to proactively detect evasive phishing attempts before they occur.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Silver Fox APT Uses DLL Sideloading and BYOVD Techniques in Sophisticated Malware Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjfOq2dwewTUAoJgeLdpzhYURy8Ycd76TvuKF8yUbQyiC4aFWaXbqvY9qqunlDIg8gSsrMKSFPRQTrGI5pm13lRwAf3HaPjgMJZPK-bJXebb1cKcv9E21ZkEE4M0ry1bF8iQZ3KL0KqR4U-J-_tL2IgP2xVK7-sTxJRv4X_Ysx8GWA9Lbyzk7ww50dLsy0\/s16000\/Tax-themed%2520phishing%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
![\"Attacker\u2019s](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjpPZsvtCH5CEXntQI5q4pz2D9kzKcwUwuVZvU9et942fCP20Mc4jN-4Ue6WOYe1pd0LFAqCv7zmv3bIShuqbLmm47iqHZn2b5dXhVzcmWr3U8inHhLrNLiUK7EacScUcR0HLZYO67YYfzi4r-J-2s1YJb-HwqMO-C9JCHs6Sx7NZsfxb2wo-LmMjKhyaA\/s16000\/Attacker%25E2%2580%2599s%2520domain%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
Advanced Detection Evasion Techniques<\/strong><\/h2>\n
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEivSYzURGan0OlmLeinxabV_CMusa7XfdUfVIeDtWNfM4K4Tc9kS3JjcfoSif_UHHHANhdZ_MmfUk7C9ze6oLI_hPG85IHCfMyKBMxGgxR1I5szCiCy0ZT97jsPV_F1iGYBGdEnYw2GN6vek9urgNUzRBgZ47QEWxzOqvSUBXOBJZ5PK-TwxDedPi4ZS_E\/s16000\/The%2520execution%2520file%2520and%2520the%2520malicious%2520DLL%2520file%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
![\"Archive](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh9QwHCgnAIke_k0mlzUCWE258pVxsNo7-cnqDYlEXNstDzdXAzTJ55pvYGgBR5xN1HM-YeP3hEE5AvhnCnDf7SGVNgHQRzqwmfXYsaGSNFYifyz35B9NjprTA6BiY3dLUDRLodw1yaKnOBHzUnGeAGNfmx-t4gi2fdjsdiyUkcDnvZ4I-lyP3KMUAgkYI\/s16000\/Archive%2520contents%2520with%2520LNK%2520and%2520social-engineering%2520decoys%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")