A new malware loader called “Foxveil” has been discovered actively targeting systems through legitimate cloud platforms, raising concerns about how threat actors are weaponizing trusted services to bypass security measures.
The malware has been operational since August 2025 and has since evolved significantly.
It now exists in two distinct variants, each using sophisticated techniques to establish persistence and deploy secondary payloads.
Security researchers at CATO CTRL identified this previously undocumented loader during routine threat hunting operations, tracking its activity across multiple compromised systems.
The malware derives its name from embedded “fox” strings found within the code samples, and represents a concerning shift in how attackers abuse legitimate infrastructure to hide malicious operations.
Foxveil operates by contacting threat actor-controlled staging locations hosted on Cloudflare Pages, Netlify domains, and Discord attachments to retrieve shellcode payloads.
This approach allows the malware to blend seamlessly into regular enterprise network traffic, making detection significantly more challenging for traditional security tools that rely on blocklists.
Once the shellcode is downloaded, Foxveil executes it through injection techniques that vary between the two identified variants.
The first variant uses Early Bird APC injection, spawning a fake svchost.exe process and injecting malicious code before the target thread fully resumes.
The second variant simplifies this process by performing self-injection within the same process context, often retrieving payloads directly from Discord attachments.
Both versions establish persistence by either registering themselves as Windows services or dropping additional executables into the SysWOW64 directory with filenames mimicking legitimate system processes like sihost.exe and taskhostw.exe.
After establishing initial access, Foxveil downloads additional executables from Netlify and Cloudflare Pages domains, placing them strategically in system directories to maintain long-term access.
The malware includes a unique string-mutation mechanism that rewrites common analysis keywords such as “payload,” “inject,” “beacon,” and “meterpreter” with randomly generated values, complicating static detection and reverse engineering efforts.
Defense Evasion Through String Mutation
One particularly unusual feature sets Foxveil apart from typical first-stage loaders: its runtime string mutation capability.
The malware contains code that actively scans for high-signal strings commonly used by security analysts and replaces them with random values during execution.
This technique specifically targets terms associated with command-and-control frameworks and post-exploitation tools, making it harder for automated security systems to identify the threat through signature-based detection.
Security teams should monitor for unusual process execution chains, staged downloads followed by shellcode injection, and suspicious file writes into system directories like SysWOW64.
Organizations are advised to implement behavior-based detection controls that focus on execution context rather than relying solely on domain reputation or static signatures.
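The three behaviours the advice above singles out (an svchost.exe started by something other than services.exe, a fetch from one of the named staging platforms followed shortly by an injection, and an executable written into SysWOW64 under a system-looking name) can be correlated from endpoint telemetry. The following is an added example, not code from the report or from Cato CTRL; it runs over constructed Sysmon-style event records, and the domain suffixes for Cloudflare Pages, Netlify and Discord attachments are an assumption about those platforms' default hostnames, not indicators taken from the report.

```python
"""Correlate constructed Sysmon-style events against the Foxveil behaviours
described above. Added example: event records, PIDs and hostnames are constructed."""
from datetime import datetime, timedelta

# Assumed default hostname suffixes of the staging platforms named in the report.
STAGING_SUFFIXES = (".pages.dev", ".netlify.app", "cdn.discordapp.com")
# Filenames the report says the loader mimics when dropping into SysWOW64.
MIMICKED_NAMES = {"sihost.exe", "taskhostw.exe"}
SYSWOW64 = "c:\\windows\\syswow64\\"
# svchost.exe is normally started by services.exe; any other parent is a signal.
EXPECTED_SVCHOST_PARENT = "\\services.exe"
# How long after a staging fetch an injection is still treated as "staged then injected".
INJECT_WINDOW = timedelta(minutes=5)


def _ts(value):
    return datetime.fromisoformat(value)


def detect(events):
    """Return (rule, detail) findings for a list of event dicts.

    Every event carries 'time', 'id' (Sysmon event id), 'pid' and 'image'.
    Per-id fields: 1 -> parent_image, 3 -> dest_host,
                   8 -> target_image (CreateRemoteThread), 11 -> target_file.
    """
    findings = []
    last_staging_fetch = {}  # pid -> time of most recent fetch from a staging host
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        t = _ts(ev["time"])
        image = ev["image"].lower()
        if ev["id"] == 1:
            parent = ev["parent_image"].lower()
            if image.endswith("\\svchost.exe") and not parent.endswith(EXPECTED_SVCHOST_PARENT):
                findings.append(("svchost_unexpected_parent",
                                 f"pid {ev['pid']} parent {ev['parent_image']}"))
        elif ev["id"] == 3:
            host = ev["dest_host"].lower()
            if any(host.endswith(suffix) for suffix in STAGING_SUFFIXES):
                last_staging_fetch[ev["pid"]] = t
        elif ev["id"] == 8:
            fetched = last_staging_fetch.get(ev["pid"])
            if fetched is not None and t - fetched <= INJECT_WINDOW:
                findings.append(("staged_download_then_injection",
                                 f"pid {ev['pid']} -> {ev['target_image']}"))
        elif ev["id"] == 11:
            path = ev["target_file"].lower()
            if path.startswith(SYSWOW64) and path.rsplit("\\", 1)[-1] in MIMICKED_NAMES:
                findings.append(("syswow64_mimic_write",
                                 f"pid {ev['pid']} wrote {ev['target_file']}"))
    return findings


# Constructed telemetry: one loader-like chain plus benign svchost noise.
LOADER = "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
SAMPLE_EVENTS = [
    {"time": "2025-09-01T10:00:00", "id": 1, "pid": 4120, "image": LOADER,
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"time": "2025-09-01T10:00:02", "id": 3, "pid": 4120, "image": LOADER,
     "dest_host": "example-stage.pages.dev"},
    {"time": "2025-09-01T10:00:03", "id": 1, "pid": 4180, "image": SVCHOST,
     "parent_image": LOADER},
    {"time": "2025-09-01T10:00:04", "id": 8, "pid": 4120, "image": LOADER,
     "target_image": SVCHOST},
    {"time": "2025-09-01T10:00:10", "id": 11, "pid": 4120, "image": LOADER,
     "target_file": "C:\\Windows\\SysWOW64\\sihost.exe"},
    {"time": "2025-09-01T10:01:00", "id": 1, "pid": 5000, "image": SVCHOST,
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"time": "2025-09-01T10:01:05", "id": 3, "pid": 5000, "image": SVCHOST,
     "dest_host": "update.microsoft.com"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(rule, "|", detail)
```

Each rule fires on execution context rather than on a domain reputation lookup: the staging-host match only matters when an injection follows it from the same process, and the legitimate svchost.exe chain in the sample produces no finding.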