Mallory
Malware · Used by 1 actor

Catena

Catena is a multi-stage, memory-resident loader observed in phishing-led intrusion chains attributed to the China-based Silver Fox threat group. In the reported campaigns, Silver Fox gained initial access through phishing emails using fake tax audit notices and counterfeit software update alerts, then deployed malware including ValleyRAT, AtlasCross RAT, and the Catena loader. The infection chain included disguised shortcut files and malicious Office documents with hidden macros, with second-stage payloads delivered from cloud storage infrastructure.

Catena is described as shellcode-based, and one observed execution chain used DLL sideloading in which WavesSvc64.exe loaded a malicious DuiLib_u.dll that read encrypted shellcode from box.ini, decrypted it, and executed it in memory; this behavior was assessed as consistent with the Catena loader pattern documented by Rapid7.

The broader Silver Fox activity targeted businesses and individuals across Asia, including Taiwan, Japan, and Southeast Asia, and expanded to medical institutions, financial companies, and corporate environments. Catena was used alongside other tooling to establish persistence, communicate with remote servers, and support movement within compromised networks. High-confidence related artifacts from the observed Catena-style chain include WavesSvc64.exe, DuiLib_u.dll, encrypted shellcode container box.ini, and the scheduled task Batteries.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Silver Fox

After gaining initial entry through phishing, the attackers deploy a range of malware tools including ValleyRAT, AtlasCross RAT, and the Catena loader.

via Cyber Security News (cybersecuritynews.com)
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.