Researchers at Cato CTRL have discovered "Foxveil," a new malware loader that has been in use since August 2025 and conceals payloads on reputable websites such as Discord, Netlify, and Cloudflare Pages. By using sophisticated injection techniques and blending in with regular web traffic, this covert tool avoids detection.
Variants of Foxveil

Foxveil functions as an initial loader: it retrieves shellcode from sites under the attacker's control, executes it in memory, and establishes persistence. Researchers identified two variants that differ significantly in staging, injection, and evasion. Variant 1 creates a phony svchost.exe process, injects shellcode with the Early Bird Asynchronous Procedure Call (APC) technique, and pulls payloads primarily from Cloudflare Pages or Netlify. This technique evades monitoring because the payload is queued before the target thread fully starts.
It continues by dropping next-stage files into C:\Windows\SysWOW64 and registering as a Windows service called AarSvc.

Figure: Overview of the Foxveil kill chain (versions 1 and 2) (Source: catonetworks)

Variant 2 switches to Discord attachments for its shellcode, which is frequently produced by the Donut tool, and uses self-injection instead of Early Bird APC. To thwart analysis tools, both variants mutate strings such as "fox," "payload," "inject," "shellcode," "meterpreter," "beacon," and URLs.
Additionally, both variants imitate genuine Windows processes by dropping files named sms.exe, sihost.exe, taskhostw.exe, and audiodg.exe into SysWOW64.

Figure: v1 Early Bird APC injection into a phony svchost.exe (Source: catonetworks)

Variant 2, although possibly flawed, tries to modify Microsoft Defender through WMI and runs a command to remove exclusions on SysWOW64.
| Capability | Foxveil v1 | Foxveil v2 |
| --- | --- | --- |
| Injection | Early Bird APC into a phony svchost.exe | Self-injection |
| Staging | Cloudflare/Netlify primary | Discord attachment |
| Persistence | Registers as AarSvc service, then switches to SysWOW64 | Drops to SysWOW64 |
| Evasion | String mutation | Defender tweak + string mutation |
| Post-exploitation | Suspected Cobalt Strike | Cobalt Strike |

Evasion and Defenses

Attackers prefer Cloudflare, Netlify, and Discord for staging because their traffic looks normal in logs and payload locations can be rotated without owning risky domains. Foxveil first runs a malicious EXE or DLL, retrieves shellcode, injects it, and then launches further payloads.

Figure: Donut shellcode obtained through a Discord attachment (Source: catonetworks)
In-memory execution leaves few disk traces, while the string swaps conceal hints from static scans.
Later phases point to Cobalt Strike: beacon-related strings and localhost ports such as 9933 and 9934. Defenders should watch across domains for unusual process chains, writes to SysWOW64, Defender modifications, and similar behaviors. Cato reported the websites; Netlify removed the URLs on January 19, 2026, and Cloudflare placed restrictions on them on January 20.
Discord links quickly expired. Cato's SASE platform uses network checks to block the loader early.

IOC Details

| Type | IOC | Context |
| --- | --- | --- |
| Service Name | AarSvc | v1 persistence mechanism |
| File Paths | C:\Windows\SysWOW64\sms.exe, sihost.exe, etc. | Masqueraded next-stage drops |
| WMI Command | WMIC … ExclusionPath="C:\Windows\SysWOW64" (remove exclusion) | v2 Defender manipulation |
| Network | Ports 9933/9934 | Potential localhost listening (Cobalt Strike) |
| Code Artifacts | Mutated strings: beacon, payload, fox | Anti-analysis practice |

According to Cato Networks, Foxveil demonstrates how loaders evolve to abuse legitimate cloud services, and the company advocates full-stack visibility.
Cato's tools correlate signals to stop the chain before execution.
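The behaviors the article tells defenders to watch for (odd svchost.exe process chains, masqueraded drops into SysWOW64, the AarSvc service, Defender exclusion changes via WMIC, and loopback traffic on 9933/9934) can be turned into a simple detection pass. The following is an added example, not Cato's code or Foxveil's; it runs over constructed, Sysmon-style telemetry records, and the field names (id, image, parent, cmdline, target, service, path, dst_ip, dst_port) are assumptions that simplify real event schemas.

```python
# Added example, not Cato's code: a small detection pass over constructed,
# Sysmon-style telemetry records covering the Foxveil indicators from the
# IOC table. Record field names are assumptions that simplify real schemas.
import ntpath

SYSWOW64 = r"c:\windows\syswow64"
# File names the loader uses to imitate Windows binaries (from the article).
MASQUERADE_NAMES = {"sms.exe", "sihost.exe", "taskhostw.exe", "audiodg.exe"}
# Localhost ports the article associates with the Cobalt Strike stage.
CS_LOCAL_PORTS = {9933, 9934}


def _base(path):
    return ntpath.basename(path).lower()


def check_file_create(ev):
    """Event 11 (file create): next-stage drop posing as a Windows binary."""
    target = ev.get("target", "")
    if ntpath.dirname(target).lower() == SYSWOW64 and _base(target) in MASQUERADE_NAMES:
        return ("masqueraded_syswow64_drop", f"{ev.get('image')} wrote {target}")
    return None


def check_process_create(ev):
    """Event 1 (process create): svchost.exe with the wrong parent, or WMIC
    touching Defender exclusions for SysWOW64."""
    image = ev.get("image", "")
    parent = ev.get("parent", "")
    cmd = ev.get("cmdline", "").lower()
    # A genuine svchost.exe is started by services.exe; anything else is odd.
    if _base(image) == "svchost.exe" and _base(parent) != "services.exe":
        return ("svchost_not_child_of_services", f"{image} spawned by {parent}")
    if _base(image) == "wmic.exe" and "exclusionpath" in cmd and "syswow64" in cmd:
        return ("defender_exclusion_tamper", ev.get("cmdline"))
    return None


def check_service_install(ev):
    """Event 7045 (service installed): a service named AarSvc. The genuine
    Agent Activation Runtime service runs inside svchost.exe, so an AarSvc
    entry pointing at its own binary is the actionable case."""
    if ev.get("service", "").lower().startswith("aarsvc") and _base(ev.get("path", "")) != "svchost.exe":
        return ("aarsvc_persistence", f"{ev.get('service')} -> {ev.get('path')}")
    return None


def check_network(ev):
    """Event 3 (network connect): loopback connection on a listed port."""
    if ev.get("dst_ip") == "127.0.0.1" and ev.get("dst_port") in CS_LOCAL_PORTS:
        return ("localhost_beacon_port", f"{ev.get('image')} -> 127.0.0.1:{ev.get('dst_port')}")
    return None


CHECKS = {1: check_process_create, 3: check_network, 11: check_file_create, 7045: check_service_install}


def scan(events):
    """Run the matching check for each record; return (rule, detail) findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("id"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: three benign records mixed with five that
# reproduce the article's indicators. Paths and the loader name are made up.
LOADER = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 1, "image": r"C:\Windows\SysWOW64\svchost.exe", "parent": LOADER},
    {"id": 11, "image": LOADER, "target": r"C:\Windows\SysWOW64\sms.exe"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\SysWOW64\cache.dat"},
    {"id": 7045, "service": "AarSvc", "path": r"C:\Windows\SysWOW64\sihost.exe"},
    # The article only shows the ExclusionPath argument; the rest is elided.
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": LOADER,
     "cmdline": r'WMIC ... ExclusionPath="C:\Windows\SysWOW64"'},
    {"id": 3, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst_ip": "127.0.0.1", "dst_port": 9933},
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe", "dst_ip": "127.0.0.1", "dst_port": 8080},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The individual rules are deliberately narrow so that each finding maps to one row of the IOC table; in production the svchost.exe parent check and the AarSvc check will also fire on some legitimate edge cases, so they are better treated as enrichment for correlation than as stand-alone alerts.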