Silver Fox APT Uses DLL Sideloading and BYOVD Techniques in Sophisticated Malware Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The cybersecurity community recently witnessed the emergence of targeted malware campaigns linked to the Silver Fox threat group.

This operation focuses heavily on Asia, targeting local organizations with carefully localized lures.

By disguising the attacks as routine business communications, the actors have distributed the Winos 4.0 malware, also tracked as ValleyRat, into corporate networks.

To compromise victim systems, attackers leverage deceptive phishing emails containing malicious attachments or embedded links.

These messages closely impersonate official correspondence such as tax audit notifications and electronic invoice downloads, or pose as legitimate software installers.

Tax-themed phishing (Source – Fortinet)

When a user opens one of these files, it triggers a multi-stage infection chain designed to run quietly and avoid raising immediate suspicion.

The final impact of a successful infection is severe, leading to widespread file encryption and extensive data theft that can fuel further cyberattacks.

Attacker’s domain (Source – Fortinet)

Fortinet researchers found the campaign's infrastructure to be highly volatile: payloads are hosted on a rotating set of cloud-hosted domains.

This rapid churn makes static domain blocklists largely ineffective as a primary defense against the ongoing Winos 4.0 operations, so indicator-based blocking needs to be paired with behavioral detection on the endpoint.

Advanced Detection Evasion Techniques

Once a lure has been executed, the Silver Fox group relies on detection evasion techniques to maintain access and control.

The attackers deliver an archive containing a legitimate (typically signed) application together with a malicious dynamic link library (DLL) named to match one the application expects. When the application starts, the Windows DLL search order causes it to load the attacker's DLL from its own directory, a technique known as DLL sideloading, so the malicious code runs inside a trusted process.

The execution file and the malicious DLL file (Source – Fortinet)

This stage sets up a “Bring Your Own Vulnerable Driver” (BYOVD) attack. The malware loads a validly signed but vulnerable Windows kernel-mode driver, wsftprm.sys. Because the signature is genuine, Driver Signature Enforcement accepts it, and the malware obtains kernel-level access without tripping the alerts an unsigned driver would raise.

Archive contents with LNK and social-engineering decoys (Source – Fortinet)

After securing kernel-level access, the malware uses the driver in a continuous monitoring loop to identify and terminate active security processes.

By targeting a long list of popular antivirus and endpoint protection products, the malware leaves the host effectively blind, allowing Winos 4.0 to run, escalate its privileges, and communicate with its command-and-control server unimpeded. Killing a security agent from the kernel does leave a tell, however: the agent's process disappears without a corresponding service stop or uninstall, and its telemetry stream to the management console goes silent.
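As an added illustration of how a defender would hunt for the two techniques described above, the following Python script (written for this article; it is not Fortinet's tooling nor the malware's code) runs two heuristics over constructed Sysmon-style events: an unsigned DLL loaded from the same non-trusted directory as the process that loaded it (the sideloading shape), and a kernel driver that either carries a name known to be abused or loads from a path where no driver should live, even when it is validly signed. The field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 6 (DriverLoad); the sample paths, the support.dll filename, and the trusted-directory lists are assumptions made for the example.

```python
"""Hunt for DLL sideloading and BYOVD driver loads in Sysmon-style events.

Added example for this article; not Fortinet's tooling nor the malware's code.
Event shapes mimic Sysmon Event ID 7 (ImageLoad) and Event ID 6 (DriverLoad).
All sample events below are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Directories where a signed executable is expected to find its own DLLs.
# Anything else (Downloads, Temp, AppData, ProgramData, ...) is treated as
# user-writable for this heuristic (assumption).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Where kernel drivers normally load from.
DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
# Driver named in Fortinet's report; extend from Microsoft's vulnerable driver blocklist.
SUSPECT_DRIVERS = {"wsftprm.sys"}


def _path(s):
    return PureWindowsPath(s.lower())


def _under(p, roots):
    s = str(p)
    return any(s == r or s.startswith(r + "\\") for r in roots)


def check_image_load(ev):
    """Sysmon ID 7: an unsigned DLL loaded from the loading process's own
    directory, and that directory is not a trusted install location.
    Correlating with the host EXE's own signature (Event ID 1) cuts noise."""
    exe, dll = _path(ev["Image"]), _path(ev["ImageLoaded"])
    if ev.get("Signed") == "true":      # a signed DLL is not the sideload case
        return None
    if exe.parent != dll.parent or _under(exe.parent, TRUSTED_DIRS):
        return None
    return {"rule": "dll_sideload", "process": ev["Image"], "dll": ev["ImageLoaded"]}


def check_driver_load(ev):
    """Sysmon ID 6: known-abused driver name, or a driver loaded from a path
    where no driver should live. Signature validity alone is not exculpatory."""
    drv = _path(ev["ImageLoaded"])
    reasons = []
    if drv.name in SUSPECT_DRIVERS:
        reasons.append("known BYOVD driver name")
    if not _under(drv.parent, DRIVER_DIRS):
        reasons.append("loaded from non-standard directory")
    if not reasons:
        return None
    return {"rule": "byovd_driver", "driver": ev["ImageLoaded"],
            "signed": ev.get("Signed"), "reasons": reasons}


CHECKS = {7: check_image_load, 6: check_driver_load}


def hunt(events):
    """Run every event through the check for its Event ID; return the hits."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            hits.append(hit)
    return hits


SAMPLE_EVENTS = [  # constructed for illustration
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Invoice\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Invoice\support.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Invoice\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\wsftprm.sys",
     "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample set, the script flags only the unsigned support.dll loaded beside viewer.exe in Downloads and the signed wsftprm.sys loaded from Temp; the legitimate loads from Program Files and System32 pass. The driver check deliberately ignores the signature field, because a valid signature is exactly what a BYOVD attack brings with it.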

Defending against these techniques starts with treating unexpected attachments and external links with caution, especially archives that bundle an executable with a DLL or a shortcut (LNK) file.

Security teams should deploy behavioral monitoring, keep endpoint protection signatures current, and use strong email filtering to catch phishing attempts before they reach users. Because this campaign relies on a validly signed driver, it is also worth enabling Microsoft's vulnerable driver blocklist (through HVCI or a WDAC policy) and alerting on kernel drivers loaded from user-writable paths, as well as on signed executables that load unsigned DLLs from their own directory outside Program Files or System32.
