
Foxveil

Foxveil is a previously undocumented Windows malware loader assessed by Cato CTRL to have been active since August 2025. It abuses legitimate cloud/platform services—Cloudflare Pages, Netlify-hosted domains, and short-lived Discord attachment links (~24-hour lifetime)—as threat actor-controlled staging locations to retrieve next-stage payloads, primarily Donut-generated shellcode, in order to blend into normal enterprise traffic and evade reputation-based blocking.

Foxveil has at least two variants with different execution/injection tradecraft:

  • Variant 1 downloads shellcode (and additional executables) from Cloudflare Pages/Netlify, spawns a fake svchost.exe process, and executes the payload via Early Bird APC injection (queueing the APC while the target process is suspended before it fully resumes).
  • Variant 2 retrieves payloads from Discord attachments and performs self-injection within the same process context.

Persistence and staging behaviors reported include registering itself as a Windows service (noted for v1) and dropping additional executables/next-stage payloads into SysWOW64 using filenames that mimic legitimate Windows processes (e.g., sihost.exe, taskhostw.exe). Foxveil also includes a runtime string-mutation/rewriting mechanism intended to hinder static detection and reverse engineering by replacing “high-signal” strings (e.g., “payload,” “inject,” “shellcode,” “beacon,” “meterpreter,” “http://,” “.exe”) with randomly generated values during execution. One report notes v2 attempted to manipulate Microsoft Defender exclusions but appeared to remove an exclusion for SysWOW64 rather than add one (possibly operator error).

Cato CTRL noted indicators suggesting Cobalt Strike may be a later-stage payload (e.g., mutation list including “beacon” and observed localhost listening behavior on ports 9933 and 9934), but this was presented as an assessment rather than confirmed payload identification. Cato reported the malicious infrastructure to Cloudflare and Netlify; Netlify removed reported URLs on Jan. 19, 2026, and Cloudflare restricted access to reported URLs on Jan. 20, 2026.
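The host-side behaviours described above (fake svchost.exe, OS-lookalike drops into SysWOW64, Defender exclusion changes, and the 9933/9934 loopback listeners) turned into simple hunting rules run over constructed Sysmon-style events. This is an added example, not Cato CTRL's or Mallory's code; the event dict field names are assumptions, not a real product schema.

```python
import re

# Hunting rules for the Foxveil behaviours reported above (added example,
# not Cato CTRL's or Mallory's code). Events are constructed Sysmon-like
# dicts; the field names are assumptions, not a real product schema.
LOOKALIKE_DROPS = {"sihost.exe", "taskhostw.exe"}   # names used in SysWOW64
REAL_SVCHOST = r"c:\windows\system32\svchost.exe"
LOOPBACK_PORTS = {9933, 9934}                       # listeners noted by Cato

def check_event(ev):
    """Return the rule names this one event matches (empty list if none)."""
    hits = []
    kind = ev.get("kind")
    if kind == "process_create":
        image = ev["image"].lower()
        # Masquerading: an svchost.exe whose image is not the real binary path.
        if image.endswith("\\svchost.exe") and image != REAL_SVCHOST:
            hits.append("fake_svchost")
    elif kind == "file_create":
        path = ev["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        # OS-lookalike drop into SysWOW64 by something other than servicing.
        if ("\\syswow64\\" in path and name in LOOKALIKE_DROPS
                and ev["writer"].lower() != "trustedinstaller.exe"):
            hits.append("syswow64_lookalike_drop")
    elif kind == "registry_set":
        # v2 touched Defender exclusions; any write under that key is notable.
        if re.search(r"\\windows defender\\exclusions\\", ev["key"], re.I):
            hits.append("defender_exclusion_change")
    elif kind == "network_listen":
        if ev["address"] in ("127.0.0.1", "::1") and ev["port"] in LOOPBACK_PORTS:
            hits.append("loopback_listener_9933_9934")
    return hits

def hunt(events):
    """Map index -> rule hits for every event that matched at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry (not real logs): one benign and one suspicious
# event per rule, so the result shows what fires and what stays quiet.
SAMPLE = [
    {"kind": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "process_create", "image": r"C:\Users\Public\svchost.exe"},
    {"kind": "file_create", "path": r"C:\Windows\SysWOW64\sihost.exe", "writer": "setup.exe"},
    {"kind": "file_create", "path": r"C:\Windows\SysWOW64\sihost.exe", "writer": "TrustedInstaller.exe"},
    {"kind": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"},
    {"kind": "network_listen", "address": "127.0.0.1", "port": 9933},
    {"kind": "network_listen", "address": "0.0.0.0", "port": 443},
]
```

Running `hunt(SAMPLE)` flags only the four suspicious events; the servicing-stack write and the real svchost.exe stay quiet, which is the false-positive control a rule like this needs before it goes near a SIEM.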


MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.006 Web Services (evidence: 1)

"hosting payloads on trusted cloud services such as Google Drive and OneDrive"; "retrieve next-stage shellcode payloads... hosted on trusted platforms like Cloudflare Pages, Netlify, and Discord"; "Cloudflare is leveraged to front backend services and mask infrastructure details"

Persistence

2 techniques
T1112 Modify Registry (evidence: 1)

"For persistence, Foxveil v1 registers itself as a Windows service..."

T1543.003 Windows Service (evidence: 2)

"Both versions establish persistence by either registering themselves as Windows services..."

Privilege Escalation

3 techniques
T1055 Process Injection (evidence: 2)

"The second variant simplifies this process by performing self-injection within the same process context..."

T1055.004 Asynchronous Procedure Call (evidence: 2)

"Foxveil v1 spawns a new process impersonating svchost.exe and injects the malicious code into this process via an Early Bird Asynchronous Procedure Call (APC)."

T1543.003 Windows Service (evidence: 2)

"Both versions establish persistence by either registering themselves as Windows services..."

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 3)

"distributed via a heavily obfuscated Inno Setup installer"; "Delivered via a downloader in a ZIP archive"; "illegally modified game installers distributed via piracy platforms"

T1036 Masquerading (evidence: 2)

"...spawns a new process impersonating svchost.exe..."

T1055 Process Injection (evidence: 2)

"The second variant simplifies this process by performing self-injection within the same process context..."

T1055.004 Asynchronous Procedure Call (evidence: 2)

"Foxveil v1 spawns a new process impersonating svchost.exe and injects the malicious code into this process via an Early Bird Asynchronous Procedure Call (APC)."

T1620 Reflective Code Loading (evidence: 1)

"...leverages other techniques for evasion, including in-memory execution..."

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

"For persistence, Foxveil v1 registers itself as a Windows service..."

Command and Control

2 techniques
T1102 Web Service (evidence: 1)

"...staging locations hosted on Cloudflare Pages, Netlify domains, and Discord attachments... blend seamlessly into regular enterprise network traffic"

T1105 Ingress Tool Transfer (evidence: 3)

"Foxveil abuses the legitimate platforms Discord, Cloudflare and Netlify for payload staging... retrieves Donut-generated shellcode hosted on legitimate platforms in order to blend in with normal traffic..."

Other

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

"Foxveil v2 was noted to attempt to manipulate Microsoft Defender configurations... it removes an exclusion for the SysWOW64 path instead of adding one."

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news.

Cyber Security News (News)
Feb 18, 2026
New 'Foxveil' Malware Loader Leverages Cloudflare, Netlify, and Discord to Evade Detection

A first-stage malware loader that abuses legitimate cloud services (Cloudflare Pages, Netlify, Discord attachments) as staging to download shellcode and secondary payloads, then executes via process injection (Early Bird APC injection with a fake svchost.exe in one variant; self-injection in the other). Establishes persistence via Windows service registration or by dropping masqueraded executables into SysWOW64 (e.g., sihost.exe, taskhostw.exe). Includes runtime string-mutation to evade static/signature detection by rewriting analysis/high-signal keywords.

Risky Biz RSS (News)
Feb 13, 2026
IcedID malware developer fakes his own death to escape the FBI

Malware loader family reported active since last August.

SC World (News)
Feb 12, 2026
Foxveil malware loader abuses Discord, Cloudflare, Netlify for staging | SC Media

Malware loader that stages and retrieves Donut-generated shellcode from legitimate services (Discord attachments, Cloudflare, Netlify) to blend with normal traffic; executes in-memory, uses process injection (Early Bird APC in v1; self-injection in v2), persists via Windows service (v1), drops next-stage payloads into SysWOW64, and uses runtime string-mutation to evade analysis/detections; v2 attempts (but appears to fail) to modify Microsoft Defender exclusions.

The Hacker News (News)
Feb 12, 2026
ThreatsDay Bulletin: AI Prompt RCE, Claude 0-Click, RenEngine Loader, Auto 0-Days & 25+ Stories

Loader campaign active since August 2025 designed to establish initial foothold, hinder analysis, and retrieve next-stage shellcode from staging hosted on trusted platforms (e.g., Cloudflare Pages, Netlify, Discord).
