Found bird malware per Foxveil, active Discord network, etc.

Found malware, birds per Foxveil, running Discord, Cloudflare, and Netlify networks to release Payload.

Resonant malware, or Loader, has become a popular intermediary tool for smuggling into victims' systems to release more serious malware due to its ability to evade detection in a variety of ways, and this is a new one-on-one malware detection that computer users need to be vigilant about again.

According to a report by the website, SC World, a research team from Cato CTRL, a subsidiary that specializes in cybersecurity monitoring of the company Cato Network, revealed the detection of a new one-on-one malware called Foxveil. An interesting ability is that the malware will use a highly reliable network like Cloudflare or Netify to extract payload files from Discord's system, a popular chat system where the files are temporarily deposited on the network. In addition, the malware has a variety of other capabilities, such as system evasion. Detect, the string mutation system by scanning for "high-signal" strings such as "payload," "inject," "shellcode," "beacon," "http: / /, and" .exe "and changing these random string values created by the malware, and the In-Memory Execution Payload system, in which all versions of this malware launch the payload into SysWOW64.

In addition to the co-capabilities of this malware, other versions of malware have different unique capabilities, e.g.

Foxveil v1

There is a process forgery feature of the malware as svchost.exe, and then launch its own payload into this disguised process with an Asynchronous Procedure Call (APC) code launch during the process. The target is in a state of temporary stasis (Suspended State), making it difficult to detect. In addition, it creates persistence on the system by registering itself as a Windows service for smoothness.

Foxveil v2

There is a different function: instead of creating a fake process, the malware uses a way to shoot itself into the real process. In addition, the malware has the ability to change the configuration of cyber protection tools like Microsoft Defender. But due to some mistakes in developing this version of the malware, the research team found that the malware instead added an Exclusion to SysWOW64, which is the target of firing Payload, the malware went down, and removed it from the exception. This could result in payload failure because it was detected.

For the last payload that was a real malware, the research team suspected that it might be a Cobalt Strike malware because localhost's listening behavior was detected on ports 9933 and 9934, as well as a string like "Beacon" was added to the list for String Mutation.

The current progress of the malware has been made. After the malware outbreak since August 2025, the malware-related URLs were removed from Netify's system during January 19 and followed by a limited access to the same URLs by Cloudflare on January 20. While the links on Discord are only 24 hours old, the research team has confirmed that all related Discord links are currently inaccessible.

# Trending # Lemon 8 Howtoo # Malware # lemon 8 diary # freedomhack