
A newly surfaced report from Picus has shed light on Silver Fox (a.k.a. Void Arachne or The Great Thief of Valley), a sophisticated China-based advanced persistent threat (APT) group responsible for a multi-stage espionage campaign leveraging backdoored medical software and cloud infrastructure. Believed to be state-sponsored, Silver Fox has actively targeted healthcare organizations and public institutions across Taiwan, Japan, and potentially beyond, since early 2024.
Silver Fox’s primary targets include Healthcare Delivery Organizations (HDOs) and government sectors, using phishing emails, SEO poisoning, and trojanized software installers to infect systems with a stealthy malware toolkit. Among their most alarming tactics: embedding backdoors in legitimate medical software such as Philips DICOM viewers.
“In one confirmed case, a trojanized MediaViewerLauncher.exe mimicked the Philips DICOM viewer. It functioned as a first-stage loader, launching the malware chain,” Picus reports.
These altered binaries download encrypted payloads from Alibaba Cloud storage, bypass antivirus defenses, and execute staged malware—including the Winos 4.0 (ValleyRAT) remote access trojan, based on the infamous Gh0st RAT family.
Silver Fox exploits popular applications—including Chrome, VPN clients, deepfake tools, and voice changers—with backdoored installers. Using phishing or poisoned search results, the group lures victims into downloading these binaries.
Once executed, a file like MediaViewerLauncher.exe reaches out to an Alibaba Cloud Object Storage bucket to retrieve an encrypted config (i.dat), which contains URLs and filenames for second-stage payloads disguised as benign media files (e.g., a.gif, s.jpeg).
These payloads deploy:
- DLL loaders
- Anti-virus evasion logic
- A vulnerable driver (TrueSightKiller) to kill security software
PowerShell is used to add Defender exclusions so the staged files are not scanned.
Silver Fox establishes persistence through Task Scheduler, creating the task over RPC, and then uses BYOVD (Bring Your Own Vulnerable Driver) techniques to terminate security processes such as MsMpEng.exe (Windows Defender).
“If security products like Windows Defender… are found, the malware leverages a BYOVD approach… using IOCTL 0x22e044 to forcibly terminate AV/EDR processes,” the report notes.
Signed binaries, thread notification suppression, and encrypted staging all contribute to avoiding detection.
In its final stage, the malware deploys ValleyRAT alongside:
- A keylogger (saves data to C:\xxxx.in)
- A Monero cryptominer (resource hijacking)
“All three components… are designed to persist and operate without user awareness,” Picus warns.
The backdoor establishes contact with a now-defunct C2 at 8.217.60[.]40:8917 and can download further modules from Alibaba OSS, including:
- log.src (keylogger)
- utils.vcxproj (cryptominer)
- tbcore3U.dll (script loader)
Picus emphasizes layered defense strategies for combating Silver Fox:
- Deploy EDR/XDR tools with memory-based threat detection
- Restrict software installations via allowlisting and endpoint controls
- Monitor task scheduling and PowerShell logs
- Harden against BYOVD attacks by blocking known vulnerable drivers
- Inspect cloud storage traffic (especially Alibaba OSS)
“Monitor for behavioral signs such as unusual scheduled tasks, traffic to unfamiliar IPs, and file changes in commonly excluded directories like C:\ProgramData or C:\Users\Public.”
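As an added illustration of the monitoring advice above (and of the Defender-exclusion step described earlier), not code from the report or from Picus: a small Python triage script that runs three checks over a handful of constructed log lines. The log line formats, task names and sample file paths are assumptions; the excluded directories and the C2 address are the ones the article names.

```python
from dataclasses import dataclass

# Values taken from the article; everything else in this file is constructed.
EXCLUDED_DIRS = (r"c:\programdata", r"c:\users\public")
KNOWN_C2 = "8.217.60.40:8917"   # written defanged in the article as 8.217.60[.]40:8917

# Constructed sample log lines (formats are assumptions, loosely modelled on
# PowerShell ScriptBlock 4104, Security 4698 and Sysmon network-connect events).
SAMPLE_LOGS = [
    "EventID=4104 ScriptBlock: Add-MpPreference -ExclusionPath 'C:\\ProgramData' -ExclusionExtension '.dat'",
    "EventID=4698 Scheduled task created: Name=Updater Action=C:\\Users\\Public\\MediaViewerLauncher.exe",
    "EventID=3 NetworkConnect: Image=C:\\Users\\Public\\MediaViewerLauncher.exe Dest=8.217.60.40:8917",
    "EventID=4698 Scheduled task created: Name=Backup Action=C:\\Program Files\\Backup\\backup.exe",
    "EventID=4104 ScriptBlock: Get-MpPreference",
]

@dataclass
class Finding:
    rule: str
    line: str

def check_line(line: str) -> list:
    """Return a Finding for every rule a single log line trips."""
    low = line.lower()
    hits = []
    # Rule 1: a Defender exclusion being added from PowerShell (Add-MpPreference -Exclusion*).
    if "add-mppreference" in low and "-exclusion" in low:
        hits.append(Finding("defender_exclusion_added", line))
    # Rule 2: a scheduled task whose action runs out of a commonly excluded directory.
    if ("scheduled task" in low or "eventid=4698" in low) and any(d in low for d in EXCLUDED_DIRS):
        hits.append(Finding("task_in_excluded_dir", line))
    # Rule 3: any connection to the C2 endpoint reported for this campaign.
    if KNOWN_C2 in low:
        hits.append(Finding("known_c2_contact", line))
    return hits

def scan(lines) -> list:
    """Run every rule over every line; benign lines produce no findings."""
    return [f for line in lines for f in check_line(line)]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.line}")
```

Only the first three sample lines should be flagged; the ordinary backup task and the read-only Get-MpPreference call produce no finding.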