From ValleyRAT to Silver Fox: How Graph-Based Threat Intel is Changing the Game

In this episode of Breaking Badness, host Kali Fencl welcomes Wes Young of CSIRT Gadgets and Daniel Schwalbe, CISO at DomainTools, to unpack the evolution of threat intelligence from early higher-ed days of wiki-scraped snort rules to today’s graph-powered AI analysis. Wes shares the origin story behind his platform AlphaHunt, how it’s being used to automate and enhance threat detection, and why community sharing remains essential even in an era of advanced tooling.

They also dive into a recent DomainTools Investigations (DTI) analysis involving ValleyRAT and Silver Fox, and how new tools enable a faster, more accessible analysis for junior and seasoned analysts alike. Whether you’re a threat intel veteran or an aspiring analyst, this episode is packed with hard-earned lessons, technical insights, and future-forward thinking.

Back in the Day: When Threat Intel Started with a Wiki

Both Wes Young and Daniel Schwalbe began their careers in university security teams, where they had to build detection mechanisms under tight constraints, often without firewalls capable of handling high-speed academic networks.

“I think the first information sharing thing we did, but then the run was we had a wiki page with phishing URLs. And I thought, hey, I know Perl, we could just pull these, scrape the wiki page, turn them into snort IDS rules, and shove them in the sensors.” – Wes Young

This spirit of collaboration laid the foundation for the work both would go on to do in graph-based intelligence and automation.

From IOCs to Intelligence Graphs: Why Context is King

One major theme of the conversation is the shift from simply collecting indicators of compromise (IOCs) to making sense of relationships between threat actors, TTPs (tactics, techniques, and procedures), and victims.

“It’s one thing to have an IP address on one side. It’s another to see a threat actor on the other…. The only way to do that is with a graph.” – Wes Young

This is where Vertex Synapse and other graph-driven systems come in. These tools allow analysts to connect large datasets in ways that help them prioritize real threats by identifying which actors are relevant to their sector, region, or infrastructure.
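To make the "context over indicators" point concrete, here is a small added example (not code from the podcast, AlphaHunt, or Vertex Synapse) of a toy intelligence graph: actors, TTPs, tooling, infrastructure and victim sectors are nodes, and a query walks the relationships to rank which actors and indicators matter for a given sector. All actor names, sample tooling and indicators are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample relationships: (subject, relation, object). Actor and
# tooling names are placeholders; IPs come from documentation-only ranges.
EDGES = [
    ("actor-alpha", "uses", "T1566"),             # ATT&CK: Phishing
    ("actor-alpha", "uses", "rat-sample"),
    ("rat-sample", "communicates_with", "198.51.100.7"),
    ("rat-sample", "communicates_with", "lure.example"),
    ("actor-alpha", "targets", "education"),
    ("actor-alpha", "targets", "finance"),
    ("actor-beta", "uses", "T1190"),              # ATT&CK: Exploit Public-Facing App
    ("actor-beta", "communicates_with", "203.0.113.9"),
    ("actor-beta", "targets", "healthcare"),
]

def build_graph(edges):
    """Adjacency map: graph[node][relation] -> set of neighbour nodes."""
    graph = defaultdict(lambda: defaultdict(set))
    for subj, rel, obj in edges:
        graph[subj][rel].add(obj)
    return graph

def actors_targeting(graph, sector):
    """Actors that have a 'targets' edge to the given victim sector."""
    return {n for n, rels in graph.items() if sector in rels.get("targets", set())}

def indicators_for(graph, node, depth=2):
    """Indicators reachable from node by following 'uses' chains to
    'communicates_with' edges (actor -> tool -> infrastructure)."""
    found, frontier = set(), {node}
    for _ in range(depth):
        nxt = set()
        for n in frontier:
            rels = graph.get(n, {})
            found |= rels.get("communicates_with", set())
            nxt |= rels.get("uses", set())
        frontier = nxt
    return found

def prioritize(graph, sector):
    """Actors relevant to a sector, each with its ATT&CK TTPs and indicators,
    so an analyst starts from 'who is after us' rather than a flat IOC list."""
    report = []
    for actor in sorted(actors_targeting(graph, sector)):
        used = graph.get(actor, {}).get("uses", set())
        ttps = sorted(t for t in used if t[:1] == "T" and t[1:].isdigit())
        report.append((actor, ttps, sorted(indicators_for(graph, actor))))
    return report
```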

Learn more about Vertex Synapse: https://vertex.link

Introducing AlphaHunt: Speeding Up Analyst Workflow with AI Agents

Wes built AlphaHunt, an AI-driven research assistant, to read threat reports, extract relevant data, and automatically map it to a threat graph. When a DomainTools DTI report came out about Chinese-language lures delivering ValleyRAT, AlphaHunt analyzed it in minutes.

“This whole report took 10 minutes to write… within 15–20 minutes, you have an executive sort of style report that allows you to answer those questions. And all of that information is now in your intelligence graph.” – Wes Young

While many in security remain skeptical of AI, the key is in how you structure the AI’s role: a set of specialized agents working together, each with a domain-specific task (e.g. parsing malware, reviewing TTPs, Googling malware families).

Try AlphaHunt: https://alphahunt.io

The Silver Fox and ValleyRAT Report: A Case Study in Community Analysis

The DTI report that sparked the conversation covered a malware campaign targeting native Chinese speakers using lures to deliver remote access trojans like ValleyRAT and GhostRAT, with mentions of Silver Fox as a potentially involved actor.

“It comes back with Silver Fox. My God, I have to go read all of the content because there’s something wrong here. Either I’m wrong or Daniel’s wrong, and I’m guessing I’m wrong.” – Wes Young

Even AI-enhanced workflows need human judgment. The goal isn’t replacing analysts; it’s making them faster, more accurate, and able to focus on strategy rather than parsing PDFs.

Read the full DTI report

Analyst Training: Solving the Junior Talent Bottleneck

One of the biggest challenges in the field is getting junior analysts up to speed quickly, without draining principal analyst time.

“First of all, in government higher ed, nobody wants to work in the first place. And then you got to train them. And as soon as you give them a little bit of training, they go out in the private industry and double their money. And then you start all over again.” – Daniel Schwalbe

Tools like AlphaHunt can help bridge the gap between junior and senior analysts by simulating thought processes, recommending pivots, and capturing historical knowledge in the graph.

Shoutout to the Vertex Synapse YouTube channel for training:
https://www.youtube.com/@vertexproject

Sharing Beyond the Feed: Building a Real-Time Intelligence Network

While MISP, STIX/TAXII, and other formats have improved structured sharing, real-time collaboration between organizations is still limited. Wes proposes a future where AI-powered agents continuously enrich local graphs with external knowledge. This vision could dramatically reduce duplication, accelerate discovery, and help analysts avoid starting from scratch.

What You Can Do Now: Raising the Cost for Adversaries

Despite all the tech, some takeaways are timeless: collaboration matters, good tooling matters, and simple mitigations go a long way.

“There’s always going to be bad guys, there’s always going to be good guys, but for a finite game, if you can raise, send them back to the drawing board for another two years, if you can raise the cost of their involvement, you can at least get them off your back for a while, and that’s the best you can hope for, sadly enough, but again, in an infinite game, it’s just not going to happen.” – Wes Young

Organizations should focus on fundamentals like FIDO2 authentication, phishing-resistant MFA, and basic segmentation, all of which neutralize huge swaths of threat actors.

Threat Intelligence Is a Team Sport

Build relationships, share your insights, and invest in training, because solving cyber threats isn’t a solo mission.

“But the good news is there’s a bunch of stubborn bastards like you and I, who are just not going to give up, if it takes another 20 years. Hopefully we’ll have made a difference, right?” – Daniel Schwalbe

Resources Mentioned

Watch on YouTube


That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!