ESET Research

@ESETresearch

Security research and breaking news straight from ESET Research Labs.

Joined July 2009
32 Following, 35.6K Followers
ESET Research@ESETresearch·
Note that even though ESET observes the most activity in 🇯🇵 Japan, Silver Fox also currently operates in 🇹🇼 Taiwan, 🇮🇳 India, 🇮🇩 Indonesia, 🇦🇺 Australia, the 🇬🇧 United Kingdom, and 🇧🇷 Brazil. IoCs available in our GitHub repo: github.com/eset/malware-i… 8/8
ESET Research@ESETresearch·
Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. Once deployed, it enables the actor to take remote control of the machine and harvest sensitive information. ESET products detect this malware as Win64/Valley. 7/8
ESET Research@ESETresearch·
#ESETresearch has identified a Silver Fox campaign that actively takes advantage of the current annual tax filing and organizational change season in 🇯🇵 Japan, a period when companies generate a high volume of legitimate financial and HR-related communications. welivesecurity.com/en/business-se… 1/8
ESET Research@ESETresearch·
IoCs: Interlock RAT CEB69DFDD768AA08B86F1D5628BD3A38C1FE8C1F Interlock RAT C&Cs: 172.86.68[.]64 23.227.203[.]123 77.42.75[.]119 NodeSnake C&Cs: deserve-coordinated-fairy-tier.trycloudflare[.]com survey-tennessee-blind-corners.trycloudflare[.]com dvd-diagnostic-oakland-signals.trycloudflare[.]com practitioners-ons-boom-utc.trycloudflare[.]com donnellykilbakk[.]cc PowerShell SystemBC C&C: 91.99.97[.]247 ConnectWise C&C: partyglacierhip[.]top 7/7
ESET Research@ESETresearch·
Interlock RAT (adobe.log) is executed via a scheduled task Microsoft\Windows\Defrag\ScheduledDefrg, masquerading as a defragmentation task. 6/7
ESET Research@ESETresearch·
#ESETresearch detected a recent intrusion at a 🇵🇱 University of Warsaw consistent with #Interlock ransomware gang. Thanks to early warning from our experts and the university's swift cooperation, the attack was disrupted before encryptors could be deployed. eset.com/pl/about/newsr… 1/7
ESET Research@ESETresearch·
In cybersecurity, labels can distract from what really matters. At #RSAC2026, #ESETresearch’s Robert Lipovský will break down recent campaigns linked to state-sponsored actors and explore how hybrid threat tactics are evolving. The session focuses on practical defender takeaways - understanding behaviors, improving detection, and strengthening preparedness.
ESET Research@ESETresearch·
Based on these findings and the difficulties of driver blocking, we emphasize a prevention-first approach to defense that focuses on stopping the user-mode component of the EDR killer before any vulnerable driver is loaded, rather than relying solely on kernel-level blocking. 5/6