Threat Management, Threat Intelligence, Ransomware, Malware

Foxveil malware loader abuses Discord, Cloudflare, Netlify for staging

A novel malware loader dubbed "Foxveil" abuses the legitimate platforms Discord, Cloudflare and Netlify for payload staging, Cato Networks reported Wednesday.  

Foxveil, which Cato CTRL believes has been active since August 2025, retrieves Donut-generated shellcode hosted on legitimate platforms in order to blend in with normal traffic, and leverages other techniques for evasion, including in-memory execution and a unique string-mutation mechanism.

There are two variants of Foxveil, one that retrieves payloads from Cloudflare and Netlify and another that retrieves them from short-lived Discord attachments.

After retrieving the payloads, Foxveil v1 spawns a new process impersonating svchost.exe and injects the malicious code into this process via an Early Bird Asynchronous Procedure Call (APC).

In this technique, the APC injection is queued while the target process is in a suspended state and before it fully resumes, making the injection more difficult to detect, Cato CTRL explains.


Related reading:


Foxveil v2 instead performs a self-injection into the original process. For persistence, Foxveil v1 registers itself as a Windows service, and both versions drop next-stage payloads into SysWOW64.

Foxveil v2 was noted to attempt to manipulate Microsoft Defender configurations, however, possibly due to an error by the attacker, it removes an exclusion for the SysWOW64 path instead of adding one.

As an additional analysis evasion technique, Foxveil employs a novel string mutation mechanism that scans for “high-signal” strings such as “payload,” “inject,” “shellcode,” “beacon,” “http://, and “.exe” and replaces them with randomly generated values at runtime.

Cato CTRL assessed that Cobalt Strike may be used as a later-stage payload based on evidence including localhost listening behavior on ports 9933 and 9934 and the inclusion of related terms like “beacon” in the list of words targeted for string mutation.

Cato reported the attacker’s infrastructure to Cloudflare and Netlify; Netlify confirmed the removal of the attacker’s Netlify-hosted URLs on Jan. 19, 2026, and Cloudflare said on Jan. 20, 2026, that it restricted access to the reported URLs and forwarded the abuse report to the website owner.

As Discord attachment links only remain accessible for about 24 hours, Cato found that all of the links observed in the investigated Foxveil attacks were already no longer active.

Cato CTRL noted that Foxveil’s use of trusted platforms for payload staging and anti-analysis measures such as string mutation means defenders should turn to behavior-based methods that look for “unusual process execution chains, staged downloads followed by shellcode injection, and suspicious writes into system directories” to detect such attacks.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds