Back to Intelligence

APT28 PRISMEX, MuddyWater DinDoor, & Silver Fox ValleyRAT: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
April 28, 2026
6 min read

Recent OTX pulses highlight a convergence of state-sponsored and cyber-criminal operations exploiting regional tensions and seasonal business processes. APT28 (Pawn Storm) is actively deploying the PRISMEX malware suite against Ukrainian and Eastern European government/defense entities, exploiting two zero-days (CVE-2026-21509, CVE-2026-21513). Simultaneously, MuddyWater targets the finance sector with DinDoor, a Deno-based backdoor delivered via MSI installers that abuses the Deno runtime to execute obfuscated JavaScript. In the Asia-Pacific region, Silver Fox (Void Arachne) is targeting Japanese manufacturing firms with ValleyRAT, leveraging tax season and HR change spearphishing lures to establish remote control.

Threat Actor / Malware Profile

APT28 / PRISMEX

  • Distribution: Exploitation of recently disclosed CVEs in edge infrastructure.
  • Behavior: Modular payload (Dropper, Stager, Loader). Uses advanced steganography to hide payload components within image files.
  • Persistence: COM Hijacking via modifying registry keys for legitimate system binaries.
  • C2: Cloud service abuse (specifically filen.io hostnames) to evade IP-based reputation filtering.

MuddyWater / DinDoor

  • Distribution: Malicious MSI files often dropped via initial access vectors.
  • Behavior: Abuses the Deno JavaScript/TypeScript runtime. Some variants write JS to disk; others run entirely in memory. Generates unique victim IDs via specific fingerprinting algorithms.
  • C2: HTTP/HTTPS communications using Caddy proxy servers to route traffic, often utilizing Dynamic DNS (duckdns).

Silver Fox / ValleyRAT

  • Distribution: Spearphishing emails with tax/HR themes (Excel/Word attachments).
  • Behavior: Remote Access Trojan (RAT) capabilities, used for credential theft and lateral movement.
  • Persistence: Scheduled tasks and registry run keys.

IOC Analysis

The provided pulses offer a mix of network and file-based indicators:

  • Hostnames/Domains: Includes *.filen.io (APT28 cloud abuse) and suspicious TLDs (.cyou, .site) used by MuddyWater. SOC teams should block these at the proxy/DNS level immediately.
  • File Hashes: Multiple SHA256, MD5, and SHA1 hashes for DinDoor and ValleyRAT samples. These should be added to blocklists in EDR solutions.
  • Operationalization: Use the provided KQL and PowerShell scripts to scan endpoints. The DinDoor hashes and PRISMEX hostnames are high-confidence IoCs. Decoding steganography artifacts requires forensics tools, but network detection remains the primary vector for PRISMEX.

Detection Engineering

YAML
---
title: Suspicious Deno Runtime Execution via MSI
id: 6c819b5e-4d1a-4f8e-b8d6-9c3a7b1d2e4f
status: experimental
description: Detects execution of Deno runtime initiated by MSI installers or unusual parent processes, characteristic of DinDoor backdoor deployment.
references:
    - https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
author: Security Arsenal
date: 2026/04/28
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\deno.exe'
        CommandLine|contains: 'run'
    condition: selection
falsepositives:
    - Legitimate developer usage of Deno
level: high
---
title: APT28 PRISMEX C2 Communication - Filen.io Abuse
id: 8f2e1a9c-3d4b-4012-9c8d-1e2f3a4b5c6d
status: experimental
description: Detects network connections to known PRISMEX C2 infrastructure utilizing filen.io cloud services.
references:
    - https://documents.trendmicro.com/assets/txt/Pawn%20Storm%20Deploys%20PRISMA%20IOCs-xQ48S7H.txt
author: Security Arsenal
date: 2026/04/28
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|endswith:
            - '.filen.io'
            - '.filen-1.net'
            - '.filen-2.net'
            - '.filen-3.net'
            - '.filen-4.net'
            - '.filen-5.net'
    condition: selection
falsepositives:
    - Legitimate use of Filen.io cloud storage (rare in enterprise envs)
level: critical
---
title: Silver Fox ValleyRAT Malicious File Activity
id: 9a3b1c8d-2e4f-5016-7a8b-2c3d4e5f6a7b
status: experimental
description: Detects execution of known ValleyRAT file hashes associated with the Silver Fox campaign targeting Japanese entities.
references:
    - https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/
author: Security Arsenal
date: 2026/04/28
tags:
    - attack.execution
    - attack.initial_access
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Hashes|contains:
            - '1af5b25acd2df31f44a54fc8dcd85287'
            - '244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db'
            - '55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba'
    condition: selection
falsepositives:
    - None
level: critical


kql
// Hunt for DinDoor and ValleyRAT File Hashes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",
    "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72",
    "55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba"
) or MD5 in (
    "1af5b25acd2df31f44a54fc8dcd85287",
    "12a0d942652609bce7319be6bf0135bb",
    "21d9a30074d65babfef9e9e9684c6f5a",
    "4f481a449ad050fea9ca3900118e5676",
    "5c057af2f358fc10107d5ccdb39938ad"
)
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, SHA256;

// Hunt for PRISMEX and DinDoor Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "filen.io" 
   or RemoteUrl has "duckdns.org" 
   or RemoteUrl in ("ineracaspsl.site", "serialmenot.com", "justtalken.com", "hngfbgfbfb.cyou")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessAccount, InitiatingProcessFileName;


powershell
# IOC Hunt Script for PRISMEX, DinDoor, and ValleyRAT
# Requires Administrator privileges

Write-Host "[*] Starting IOC Hunt for April 2026 Threats..." -ForegroundColor Cyan

# 1. Check for ValleyRAT and DinDoor File Hashes
$targetHashes = @(
    "1af5b25acd2df31f44a54fc8dcd85287", "12a0d942652609bce7319be6bf0135bb", 
    "21d9a30074d65babfef9e9e9684c6f5a", "4f481a449ad050fea9ca3900118e5676", 
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db", 
    "55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba"
)

Write-Host "[+] Scanning fixed drives for known malicious hashes..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -Include *.exe, *.dll, *.msi, *.bin, *.js -Recurse -ErrorAction SilentlyContinue | 
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash.ToLower()
        if ($targetHashes -contains $hash) {
            Write-Host "[ALERT] Malicious file found: $($_.FullName) (MD5: $hash)" -ForegroundColor Red
        }
    }

# 2. Check for Suspicious Network Connections (DNS Cache for Filen.io)
Write-Host "[+] Checking DNS Cache for PRISMEX C2 indicators..." -ForegroundColor Yellow
$suspiciousDomains = @("filen.io", "filen-1.net", "filen-2.net", "filen-3.net", "filen-4.net", "filen-5.net")
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $suspiciousDomains) {
    $matches = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
    if ($matches) {
        Write-Host "[ALERT] Suspicious DNS entry found for: $domain" -ForegroundColor Red
        $matches | Format-Table Entry, Data, TimeToLive
    }
}

# 3. Check for COM Hijacking Persistence (Common in PRISMEX)
Write-Host "[+] Checking for potential COM Hijacking in InprocServer32..." -ForegroundColor Yellow
$paths = @("HKLM:\Software\Classes\CLSID\*\InprocServer32", "HKCU:\Software\Classes\CLSID\*\InprocServer32")
# Note: This is a rudimentary check; full analysis requires comparing against known defaults.
Write-Host "[i] Manual review of registry hive recommended for COM Hijacking confirmation."

Write-Host "[*] Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate (0-4h):
    • Block all listed filen.io, duckdns.org, and suspicious .cyou domains at the firewall and proxy level.
    • Quarantine endpoints matching the provided MD5/SHA256 hashes for ValleyRAT and DinDoor.
    • Patch CVE-2026-21509 and CVE-2026-21513 immediately on external-facing infrastructure.
  • 24 Hours:
    • Hunt for COM hijacking persistence mechanisms on servers in the Government/Defense sectors affected by PRISMEX.
    • Review logs for Deno runtime execution (unusual for most enterprise endpoints) to identify potential DinDoor infections.
  • 1 Week:
    • Implement Email Gateway rules to filter keywords related to "Tax Season", "Salary Adjustment", and "Organizational Change" for regions targeted by Silver Fox (Japan).
    • Conduct a review of cloud storage permissions to prevent abuse similar to the filen.io C2 technique.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareprismexdindoorvalleyratapt28muddywater

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action