Breakglass Intelligence linked multiple March and April malware waves to the SilverFox threat actor, describing a broad Chinese-language campaign built around ValleyRAT on the Winos4.0 framework and supported by Gh0stRAT and RustyStealer. The operation used emotionally charged lures tied to layoffs, disciplinary notices, scam-compound violence, banking fraud, censorship-bypass tools, fake utilities, and business apps, with delivery through WinRAR self-extracting archives, MSI and ZIP packages, DLL sideloading, process hollowing, and staged downloads. One ValleyRAT chain disguised itself as a WeChat-related document, extracted files into C:\WeChat\, launched a legitimate WeChat binary as a decoy, and then decrypted and injected the payload while applying Chinese-locale geofencing, anti-VM, and anti-debug checks. Researchers said the malware families provided complementary functions including remote access, keylogging, screenshot capture, clipboard hijacking, credential theft, and persistence, and that targeting extended from mainland Chinese users to diaspora communities, Taiwanese organizations, and some healthcare entities in North America.
The infrastructure behind the campaign scaled rapidly, with reporting tying the activity to 22 to 75 command-and-control endpoints and more than 17 domains across Alibaba Cloud, Tencent Cloud, AWS Hong Kong, Vultr, Azure, Huawei Cloud, and other providers, with Hong Kong serving as a major hub. Analysts connected the clusters through shared protocol behavior, mutexes, ValleyRAT DLL exports, recurring registrar patterns, use of the codemark builder variant, and repeated OPSEC failures including exposed RDP services, self-signed certificates, Python SimpleHTTP payload hosting, a Windows host identified as TEDDY2012, and domain registration details that appeared to expose operator identity. Separate reporting also described a related Gh0stRAT/Farfli "WisemanSupport" campaign using TCP/6658 and hardcoded infrastructure, reinforcing the continued use of Chinese-nexus RAT tooling and overlapping tradecraft in active intrusion operations.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
12 events from the most recent confirmed update back to the earliest known activity.
During analysis of the MaQ RAT campaign, researchers identified a live victim in Istanbul, Turkey, running Windows 11 and actively beaconing. Breakglass also published YARA rules, Suricata signatures, STIX data, and indicators of compromise for the campaign.
By 2026-04-05, researchers documented a malicious archive named "fiyat teklifi.rar" exploiting CVE-2025-8088 in WinRAR to place malware in the Windows Startup folder via NTFS alternate data streams. The chain downloaded a PyInstaller-packed Python malware dubbed MaQ RAT from a live Google Cloud server and used a Telegram bot named @Roberta3358_bot plus FTP for command-and-control and exfiltration.
In the April 2026 expansion, researchers found that ios163[.]com resolved to a server hosting both malware infrastructure and a Chinese-language phone farm control platform. This overlap suggested operational blending between a commercial-looking service and malicious infrastructure.
By 2026-04-01, Breakglass reported that SilverFox had expanded its operation over the prior 10 days to more than 30 samples spanning ValleyRAT, Gh0stRAT, and RustyStealer. The campaign used Chinese-language lures themed around layoffs, scam compounds, Telegram, and AI tools, and relied on 75 command-and-control endpoints across 17 domains.
A Gh0stRAT variant tracked as Farfli or Venik was submitted to VirusTotal on 2026-03-14. The packed sample used a multi-stage dropper chain, established persistence via HKCU Run keys, and communicated over TCP/6658 with infrastructure tied to wisemansupport.com and api.wisemansupport.com.
Samples submitted between 2026-03-11 and 2026-03-14 were assessed as part of a single Chinese-language SilverFox campaign delivering ValleyRAT built on the Winos4.0 framework. Researchers identified more than 20 binaries, at least four active command-and-control endpoints, multiple lure themes, and repeated OPSEC failures including exposed management services and registrant clues.
On 2026-03-13, Breakglass reported an active ValleyRAT v3 campaign using a modified WinRAR self-extracting archive disguised as a Chinese-language document. The malware extracted files into C:\WeChat\, launched a legitimate WeChat binary as a decoy, and used Chinese-locale geofencing, anti-VM checks, and encrypted payload delivery.
By 2026-03-12, analysis linked the ValleyRAT/Winos4.0 activity to the SilverFox cluster with high confidence based on Chinese-language artifacts, registrar patterns, and infrastructure overlaps. Investigators also documented OPSEC failures including an exposed Vultr Singapore server with the hostname TEDDY2012 and internet-accessible RDP.
Between 2026-03-08 and 2026-03-12, researchers observed 20 ValleyRAT samples uploaded to MalwareBazaar, with infrastructure spanning 22 command-and-control IPs and more than 30 domains. The campaign used DLL sideloading, MSI and ZIP delivery, and in some cases abused the vulnerable Topaz OFD driver to kill Protected Process Light security tools.
The same ValleyRAT "codemark" loader was uploaded to MalwareBazaar on 2026-03-10, less than 24 hours after compilation. This provided early public visibility into the March 2026 SilverFox-linked offensive activity.
A ValleyRAT Stage 2 shellcode loader associated with the "codemark" campaign was compiled on 2026-03-09. The sample used XOR 0x44 encryption, embedded shellcode, and configuration pointing to three command-and-control channels.
On 2026-03-05, Breakglass reported a new SilverFox-attributed ValleyRAT Stage 2 sample using a bare-IP command-and-control server at 108.187.4.252 on ports 447 and 448, indicating a shift from historically Tencent Cloud-hosted infrastructure to US-based VPS providers. The signed 64-bit malware dropped a Chinese-language PowerPoint decoy and supported capabilities including process injection, keylogging, clipboard monitoring, system discovery, and likely registry persistence.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
8 references tracked. Mallory keeps watching after this page renders.
intel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.