Silverfox-Related Trojan DLL Leverages CEF Library Spoofing for Phishing-Linked Persistence

  • June 8, 2026

Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-06-08 08:13:55 UTC

Executive Overview — What We’re Dealing With

This specimen has been in circulation long enough to matter: it was first submitted to VirusTotal on 2026-04-07, two months before this report. Human experts classified it as Malware, and the sandbox telemetry confirms a capable, evasive Trojan DLL with real impact potential.

File
pfq3l.exe
Type
PE32+ executable (DLL) (console) x86-64, for MS Windows
SHA‑1
e0c76ff64a577a38e0bfa38855c43370dc134c14
MD5
1bd939d2bcc0851348263cd06092686d
First Seen
2026-06-05 16:48:04.727287
Last Analysis
2026-06-05 17:27:52.829053
Dwell Time
39 minutes

Extended Dwell Time Impact

The 39-minute figure is the gap between this sample's first sighting (2026-06-05 16:48:04) and its last analysis (17:27:52) in the analysis pipeline, not time spent undetected inside a victim network. Within that window the sample was flagged during its initial execution phase, which is what limits the adversary: a DLL blocked before it completes reconnaissance and its name-resolution retry loop never gets to act on what it collects.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. Measured against that, a 39-minute detection window is extremely fast. The caveat is that the same file was first submitted to VirusTotal on 2026-04-07, two months before this report, so the 39 minutes describes one analysis run, not how long the sample circulated.

Timeline

Time (UTC) Event Elapsed
2026-04-07 06:11:03 UTC First VirusTotal submission
2026-06-05 18:58:37 UTC Latest analysis snapshot 59 days, 12 hours, 47 minutes
2026-06-08 08:13:55 UTC Report generation time 62 days, 2 hours, 2 minutes

Why It Matters

Every additional day of dwell time is attacker opportunity: more time for lateral movement, stealthy persistence and intelligence gathering. For this sample, the exposure window that matters to an organisation that has not yet searched for the hashes above is the two months between the first VirusTotal submission and this report, not the 39-minute analysis run.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 70. Detected as malicious: 48. Missed: 22. Coverage: 68.6%.

Detected Vendors

  • Xcitium
  • +47 additional vendors (names not provided in the source data; 48 detections in total)

Missed Vendors

  • Acronis
  • Antiy-AVL
  • APEX
  • ClamAV
  • CMC
  • DrWeb
  • google_safebrowsing
  • Gridinsoft
  • huorong
  • Jiangmin
  • Malwarebytes
  • NANO-Antivirus
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • VirIT
  • Webroot
  • Xcitium
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on one of the engines above, this sample can run with zero alerts until that engine's signatures catch up. Prevention-first controls that stop unknown DLLs from being hosted by rundll32.exe or side-loaded until they have a verdict close that gap regardless of signature lag. One caveat on the vendor split: Xcitium appears both as detecting and as missing in the source data, so treat the per-vendor lists as indicative rather than exact.

Behavioral Storyline — How the Malware Operates

System-level operations dominate the behavioral profile (43.37%), followed by process (27.71%) and file-system activity (19.28%). Read together with the ATT&CK mapping below, this is reconnaissance and evasion: the DLL resolves imports at runtime, enumerates processes and files, reads environment variables, disk size and the session user name, and runs several sandbox checks (DNS suffix, device names, process names). No registry writes and no service creation or start were recorded in this run, so "core OS manipulation" and privilege escalation should be read as hypotheses about the sample's capabilities, not as observed behavior.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 36 43.37%
Process 23 27.71%
File System 16 19.28%
Registry 8 9.64%

MITRE ATT&CK Mapping

  • T1016 (System Network Configuration Discovery) – get local IPv4 addresses
  • T1057 (Process Discovery) – enumerate processes
  • T1518 (Software Discovery) – enumerate processes (the same capability, mapped a second time in the source data)
  • T1129 (Shared Modules) – link function at runtime on Windows; access PEB ldr_data; the process tried to load one or more functions dynamically
  • T1082 (System Information Discovery) – query environment variable; get disk size; get system information on Windows
  • T1083 (File and Directory Discovery) – get common file path; enumerate files on Windows
  • T1497.001 (Virtualization/Sandbox Evasion: System Checks) – check for Windows sandbox via DNS suffix, via device, and via process name
  • T1027 (Obfuscated Files or Information) – encode data using XOR; the binary contains an unknown PE section name indicative of packing
  • T1027.002 (Software Packing) – the binary contains an unknown PE section name indicative of packing
  • T1033 (System Owner/User Discovery) – get session user name
  • T1087 (Account Discovery) – get session user name (same capability, second mapping)
  • T1045 – Manalize Local SandBox Packer Harvesting (T1045 is a retired ATT&CK ID; software packing is now T1027.002)
  • T1063 – tries to detect injection methods (T1063 is a retired ATT&CK ID; Security Software Discovery is now T1518.001)
  • T1218.011 (System Binary Proxy Execution: Rundll32) – runs a DLL by calling exported functions

Following the Trail — Network & DNS Activity

The capture contains UDP only: 48 DNS queries to Google's public resolvers (8.8.8.8 and 8.8.4.4) for www.aieov.com and 5isohu.com, four LLMNR queries to the 224.0.0.252 multicast group and one NetBIOS name-service broadcast. No TLS or HTTP session was recorded, so nothing beyond name resolution is visible in this run. www.aieov.com resolved to 13.248.169.48 (Amazon); no answer is recorded for 5isohu.com. Each lookup goes to one Google resolver and is repeated to the other from the same source port about one second later, consistent with the Windows DNS client's one-second first-attempt timeout when no answer arrives, and the lookups recur every 14 to 18 seconds for the whole six-minute run. That retry loop, on an otherwise quiet host, is the network signal to hunt for.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252 (LLMNR multicast group, link-local; no country or ASN)
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.aieov.com A


Port Distribution

Port Count Protocol Service
137 1 udp NetBIOS name service (subnet broadcast)
5355 4 udp LLMNR (multicast to 224.0.0.252)
53 48 udp DNS (24 lookups, each sent to both Google resolvers)

UDP Packets

Source IP Dest IP Sport Dport Time (seconds since capture start) Proto
192.168.56.14 192.168.56.255 137 137 7.080387115478516 udp
192.168.56.14 224.0.0.252 51209 5355 7.033342123031616 udp
192.168.56.14 224.0.0.252 53401 5355 7.483146905899048 udp
192.168.56.14 224.0.0.252 55094 5355 9.63099193572998 udp
192.168.56.14 224.0.0.252 55848 5355 7.0372090339660645 udp
192.168.56.14 8.8.4.4 49916 53 101.34549498558044 udp
192.168.56.14 8.8.4.4 50180 53 148.3139350414276 udp
192.168.56.14 8.8.4.4 50710 53 68.73571991920471 udp
192.168.56.14 8.8.4.4 50870 53 317.9394540786743 udp
192.168.56.14 8.8.4.4 50914 53 242.25146007537842 udp
192.168.56.14 8.8.4.4 51262 53 303.5793960094452 udp
192.168.56.14 8.8.4.4 52815 53 10.077786922454834 udp
192.168.56.14 8.8.4.4 53449 53 346.5797870159149 udp
192.168.56.14 8.8.4.4 54579 53 54.37642002105713 udp
192.168.56.14 8.8.4.4 54683 53 195.2831211090088 udp
192.168.56.14 8.8.4.4 55827 53 256.61081409454346 udp
192.168.56.14 8.8.4.4 55914 53 130.0641450881958 udp
192.168.56.14 8.8.4.4 56399 53 177.03252005577087 udp
192.168.56.14 8.8.4.4 57742 53 360.93902611732483 udp
192.168.56.14 8.8.4.4 59068 53 332.1888909339905 udp
192.168.56.14 8.8.4.4 60117 53 83.09540700912476 udp
192.168.56.14 8.8.4.4 60713 53 270.9700679779053 udp
192.168.56.14 8.8.4.4 62022 53 162.67383098602295 udp
192.168.56.14 8.8.4.4 62112 53 39.80092191696167 udp
192.168.56.14 8.8.4.4 62548 53 224.001296043396 udp
192.168.56.14 8.8.4.4 62800 53 289.2199659347534 udp
192.168.56.14 8.8.4.4 63205 53 209.6419141292572 udp
192.168.56.14 8.8.4.4 64753 53 115.70492100715637 udp
192.168.56.14 8.8.4.4 65148 53 25.439093112945557 udp
192.168.56.14 8.8.8.8 49916 53 100.34830403327942 udp
192.168.56.14 8.8.8.8 50180 53 147.31455612182617 udp
192.168.56.14 8.8.8.8 50710 53 67.73711609840393 udp
192.168.56.14 8.8.8.8 50870 53 316.94057393074036 udp
192.168.56.14 8.8.8.8 50914 53 241.25318908691406 udp
192.168.56.14 8.8.8.8 51262 53 302.5803179740906 udp
192.168.56.14 8.8.8.8 52815 53 11.063906908035278 udp
192.168.56.14 8.8.8.8 53449 53 345.5798919200897 udp
192.168.56.14 8.8.8.8 54579 53 53.37817096710205 udp
192.168.56.14 8.8.8.8 54683 53 194.28838801383972 udp
192.168.56.14 8.8.8.8 55827 53 255.6126251220703 udp
192.168.56.14 8.8.8.8 55914 53 129.06566500663757 udp
192.168.56.14 8.8.8.8 56399 53 176.03391408920288 udp
192.168.56.14 8.8.8.8 57742 53 359.93903613090515 udp
192.168.56.14 8.8.8.8 59068 53 331.1928720474243 udp
192.168.56.14 8.8.8.8 60117 53 82.09716010093689 udp
192.168.56.14 8.8.8.8 60713 53 269.9707009792328 udp
192.168.56.14 8.8.8.8 62022 53 161.67520308494568 udp
192.168.56.14 8.8.8.8 62112 53 38.80300998687744 udp
192.168.56.14 8.8.8.8 62548 53 223.00317001342773 udp
192.168.56.14 8.8.8.8 62800 53 288.22158193588257 udp
192.168.56.14 8.8.8.8 63205 53 208.6428611278534 udp
192.168.56.14 8.8.8.8 64753 53 114.70584511756897 udp
192.168.56.14 8.8.8.8 65148 53 24.440648078918457 udp

Hunting tip: the observable here is name resolution, not TLS. Alert on rundll32.exe, or on any process hosting an unsigned DLL, resolving www.aieov.com or 5isohu.com; on repeated unanswered lookups of the same domain from one host at a fixed interval (here every 14 to 18 seconds, each with a one-second fallback to the second resolver); and on LLMNR or NetBIOS name queries from a process that has no business doing name resolution. Sinkhole both domains at the resolver and log the hits.
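The retry-loop check described above, as an added example that is not part of the original report or of the sample: it parses rows copied from the UDP Packets table (a subset of the 53 packets), groups DNS packets that share a source port into one lookup, measures the fallback delay to the second resolver, and flags the host as beaconing when the lookups are spaced at a regular interval. The thresholds (at least four lookups, coefficient of variation of the interval at most 0.25) are assumptions chosen for this example.

```python
"""DNS retry-loop detection over the sandbox UDP table above.

Added example, not code from the original report or from the sample's authors.
Rows are copied from the UDP Packets table (a subset); columns are
src dst sport dport seconds-since-capture-start proto.
"""
import statistics
from collections import defaultdict

UDP_ROWS = """\
192.168.56.14 192.168.56.255 137 137 7.080387115478516 udp
192.168.56.14 224.0.0.252 51209 5355 7.033342123031616 udp
192.168.56.14 224.0.0.252 53401 5355 7.483146905899048 udp
192.168.56.14 8.8.4.4 52815 53 10.077786922454834 udp
192.168.56.14 8.8.8.8 52815 53 11.063906908035278 udp
192.168.56.14 8.8.8.8 65148 53 24.440648078918457 udp
192.168.56.14 8.8.4.4 65148 53 25.439093112945557 udp
192.168.56.14 8.8.8.8 62112 53 38.80300998687744 udp
192.168.56.14 8.8.4.4 62112 53 39.80092191696167 udp
192.168.56.14 8.8.8.8 54579 53 53.37817096710205 udp
192.168.56.14 8.8.4.4 54579 53 54.37642002105713 udp
192.168.56.14 8.8.8.8 50710 53 67.73711609840393 udp
192.168.56.14 8.8.4.4 50710 53 68.73571991920471 udp
192.168.56.14 8.8.8.8 60117 53 82.09716010093689 udp
192.168.56.14 8.8.4.4 60117 53 83.09540700912476 udp
192.168.56.14 8.8.8.8 49916 53 100.34830403327942 udp
192.168.56.14 8.8.4.4 49916 53 101.34549498558044 udp
192.168.56.14 8.8.8.8 64753 53 114.70584511756897 udp
192.168.56.14 8.8.4.4 64753 53 115.70492100715637 udp
"""


def parse_rows(text):
    """Turn the whitespace-separated table into a list of packet dicts."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, sport, dport, ts, proto = line.split()
        rows.append({"src": src, "dst": dst, "sport": int(sport),
                     "dport": int(dport), "t": float(ts), "proto": proto})
    return rows


def port_summary(rows):
    """Packets per (dport, proto): 53 = DNS, 5355 = LLMNR, 137 = NBNS."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["dport"], r["proto"])] += 1
    return dict(counts)


def group_dns_lookups(rows):
    """One lookup = every DNS packet sharing (src, sport).

    The Windows resolver reuses the source port when it retries the query
    against the next configured server, so a pair of packets from one port to
    two resolvers a second apart is a single unanswered lookup, not two.
    """
    by_port = defaultdict(list)
    for r in rows:
        if r["dport"] == 53 and r["proto"] == "udp":
            by_port[(r["src"], r["sport"])].append(r)
    lookups = []
    for (src, sport), pkts in by_port.items():
        pkts.sort(key=lambda r: r["t"])
        lookups.append({
            "src": src,
            "sport": sport,
            "first_t": pkts[0]["t"],
            "resolvers": [p["dst"] for p in pkts],
            # delay before the client gave up on the first resolver
            "fallback_s": pkts[-1]["t"] - pkts[0]["t"] if len(pkts) > 1 else None,
        })
    lookups.sort(key=lambda l: l["first_t"])
    return lookups


def analyze_dns(rows, min_lookups=4, max_cv=0.25):
    """Flag a periodic lookup loop: many lookups, evenly spaced, each falling back."""
    lookups = group_dns_lookups(rows)
    fallbacks = [l["fallback_s"] for l in lookups if l["fallback_s"] is not None]
    firsts = [l["first_t"] for l in lookups]
    intervals = [b - a for a, b in zip(firsts, firsts[1:])]
    mean_interval = statistics.mean(intervals) if intervals else 0.0
    cv = None
    if len(intervals) > 1 and mean_interval > 0:
        cv = statistics.pstdev(intervals) / mean_interval
    periodic = len(lookups) >= min_lookups and cv is not None and cv <= max_cv
    return {
        "lookups": len(lookups),
        "fallback_lookups": len(fallbacks),
        "mean_fallback_s": statistics.mean(fallbacks) if fallbacks else None,
        "mean_interval_s": mean_interval,
        "interval_cv": cv,
        "periodic": periodic,
    }


if __name__ == "__main__":
    packets = parse_rows(UDP_ROWS)
    print(port_summary(packets))
    print(analyze_dns(packets))
```

On the full 53-packet table the same grouping yields 24 lookups, all with a one-second fallback; the subset above is enough to show the mean interval of roughly 15 seconds and the low variance that separates a retry loop from user-driven browsing.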

Persistence & Policy — Registry and Services

Registry and service telemetry points to environment and policy reconnaissance rather than persistence: 30 keys were opened, none were written, and no service was opened or started. Most of the opened keys (GRE_Initialize, Session Manager, AppCompatFlags, OLE, SideBySide, AppModel Lookaside) are read by the Windows loader and by GDI and OLE initialisation for any new process and carry no signal on their own. The ones worth noting are the Image File Execution Options subkeys for rundll32.exe, loaddll64.exe and cmd.exe, which show how the DLL was hosted during analysis (loaddll64.exe is a DLL-loading harness used by sandboxes; rundll32.exe matches T1218.011), the Explorer\Shell Folders lookup (the key that maps special folders, including Startup), and Safer\CodeIdentifiers (a Software Restriction Policy check). Despite the title, no persistence mechanism was written in this run; the persistence claim rests on the sample's capabilities, not on observed writes.

Counter Value
Registry Opened 30
Registry Set 0
Services Started 0
Services Opened 0

Registry Opened (all 30)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll64.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
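The triage described above, as an added example that is not part of the original report or of the sample: it runs the 30 opened keys through a small rule set that separates persistence and hijack locations from loader and AppCompat noise, and it scores reads and writes differently, because a read of an IFEO subkey is ordinary loader behaviour while a write to IFEO\<exe>\Debugger is a hijack. The rule set and severity labels are assumptions chosen for this example, and the single "set" event at the end is constructed to show what a hijack write would look like; the report itself records zero set events.

```python
"""Registry triage over the 'Registry Opened' list above.

Added example, not code from the original report or from the sample's authors.
OPENED_KEYS is copied from the Registry Opened table; the report records 0
'set' events, so CONSTRUCTED_HIJACK is an invented write used only to show
the read/write distinction.
"""
import re

OPENED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags",
    r"HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll64.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide",
]

# Constructed, not observed: what an IFEO Debugger hijack write would look like.
CONSTRUCTED_HIJACK = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                      r"\Image File Execution Options\rundll32.exe\Debugger")

# (pattern, category, severity when written, severity when only read)
RULES = [
    (r"\\CurrentVersion\\Run(Once|OnceEx|Services)?$", "autostart Run key", "high", "low"),
    (r"\\CurrentControlSet\\Services\\[^\\]+", "service definition", "high", "low"),
    (r"\\Image File Execution Options\\[^\\]+\\Debugger$", "IFEO Debugger hijack", "high", "medium"),
    (r"\\Image File Execution Options\\[^\\]+$", "IFEO per-image key (loader reads it at process start)", "medium", "info"),
    (r"\\Winlogon", "Winlogon Shell/Userinit", "high", "low"),
    (r"\\Explorer\\Shell Folders$", "special-folder lookup (includes Startup path)", "low", "low"),
    (r"\\Policies\\Microsoft\\Windows\\Safer\\", "Software Restriction Policy check", "medium", "info"),
]


def classify(op, key):
    """Return (category, severity) for one registry event; op is 'open' or 'set'."""
    for pattern, category, sev_write, sev_read in RULES:
        if re.search(pattern, key, re.IGNORECASE):
            return category, (sev_write if op == "set" else sev_read)
    return "loader/appcompat noise", "none"


def triage(events):
    """events: iterable of (op, key). Groups findings by severity and gives a verdict."""
    findings = {"high": [], "medium": [], "low": [], "info": []}
    noise = 0
    for op, key in events:
        category, severity = classify(op, key)
        if severity == "none":
            noise += 1
        else:
            findings[severity].append((op, category, key))
    wrote = any(op == "set" for sev in ("high", "medium") for op, _, _ in findings[sev])
    verdict = "persistence or hijack write observed" if wrote else "no persistence write observed"
    return {"findings": findings, "noise": noise, "verdict": verdict}


if __name__ == "__main__":
    observed = triage(("open", k) for k in OPENED_KEYS)
    print(observed["verdict"], "| noise:", observed["noise"])
    for sev in ("high", "medium", "low", "info"):
        for op, category, key in observed["findings"][sev]:
            print(f"  [{sev}] {op} {category}: {key}")
    print(triage([("set", CONSTRUCTED_HIJACK)])["verdict"])
```

Run against the observed list this reports no persistence write, one low finding (the Shell Folders lookup) and four informational reads (three IFEO per-image keys and the SRP policy key), with the remaining 25 keys classified as loader noise; the constructed Debugger write is the only event that flips the verdict.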

