Silver Fox APT Uses Weaponized Medical Software to Deploy Remote Access Tools and Disable AV

The China-based advanced persistent threat (APT) group Silver Fox, also tracked as Void Arachne and The Great Thief of Valley, has been attributed a multi-stage campaign targeting healthcare delivery organizations (HDOs) and public sector entities.

Active since 2024 and believed to be state-sponsored, Silver Fox runs cyber espionage and data theft operations through trojanized medical software and public cloud storage, with a custom remote access trojan (RAT) tracked as ValleyRAT (also known as Winos 4.0) at the core of its attacks.

Multi-Stage Cyber Espionage Campaign

The attack chain begins with initial access through SEO poisoning, phishing, and backdoored installers for legitimate applications such as Chrome, VPN clients, and AI tools.

A notable case involves a trojanized version of the Philips DICOM Viewer, distributed as MediaViewerLauncher.exe, which acts as the first-stage dropper.

Once executed, the malware contacts an Alibaba Cloud Object Storage Service (OSS) bucket to retrieve encrypted configuration files and payloads stored under benign-looking image names (e.g., a.gif, s.jpeg). The image extensions are cosmetic: the objects are not valid images, so content inspection rather than file-extension filtering is needed to spot them.

According to the Picus Security report, these files contain components such as the TrueSightKiller driver (189atohci.sys) and shellcode that set up the subsequent stages.

In parallel, child processes run native Windows commands (cmd.exe, ping.exe) for system reconnaissance, and PowerShell is used to add Windows Defender exclusions for paths such as C:\ProgramData so that payloads staged there are never scanned. Adding an exclusion requires administrative rights, so a successful change of this kind also indicates that the dropper is running elevated.

Weaponized Software and Cloud Infrastructure

In the second stage, Silver Fox focuses on loader preparation and antivirus (AV) evasion. Shellcode from the downloaded files executes in memory, unpacks malicious DLLs, and creates scheduled tasks through RPC libraries for persistence.

If security software such as Windows Defender is detected, the malware loads the vulnerable TrueSight driver (a bring-your-own-vulnerable-driver, or BYOVD, technique) and sends it IOCTL requests through DeviceIoControl, letting the signed driver terminate AV processes from kernel mode. Because the driver carries a valid signature, driver signature enforcement does not stop the load; the vulnerable-driver blocklist (where it covers the version in use) and driver-load telemetry are the controls that catch it.

The final stage deploys ValleyRAT, establishing a persistent backdoor for remote access, alongside a keylogger and cryptominer, all configured to relaunch via scheduled tasks.

Communication with a now-defunct command-and-control (C2) server at 8.217.60.40:8917 underscores the group’s intent to maintain long-term control over compromised systems; although the server is offline, the address remains useful for retrospective hunting in proxy, firewall, and NetFlow logs.

Confirmed campaigns show Silver Fox’s global reach: “Operation Holding Hands” targeted Japan and Taiwan with digitally signed fake salary notices, and separate phishing lures impersonated Taiwan’s National Taxation Bureau.

These tactics exploit trust in legitimate entities, delivering Winos 4.0 to infiltrate government and industrial systems.

The group’s use of stolen code-signing certificates and SEO poisoning to distribute malicious installers further amplifies the threat, preying on user demand for popular software.

Organizations are urged to enhance endpoint visibility with EDR/XDR tools, enable PowerShell script block and module logging, alert on changes to Defender exclusions (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), and restrict software installations to trusted sources.

Network segmentation, least-privilege access, and behavioral monitoring for unusual scheduled tasks, unexpected driver loads, or traffic to unfamiliar IPs are critical defenses against this stealthy adversary.
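As an added example (not code from the article, from Picus Security, or from the actor), the following Python detector applies the behaviours described above to constructed Sysmon-style events: the Defender exclusion added via PowerShell, cmd.exe/ping.exe spawned by the trojanized viewer, the 189atohci.sys driver load, and connections to 8.217.60.40:8917. The field names follow Sysmon's ProcessCreate (Event ID 1), NetworkConnect (Event ID 3) and DriverLoad (Event ID 6) schema, but the records themselves are constructed here for illustration. The "execution from C:\ProgramData" rule is an assumption inferred from the exclusion the article describes, not something the article states, and is flagged as lower confidence.

```python
"""Rule-based detection for the Silver Fox / ValleyRAT chain over Sysmon-style
events. Example code added to this article; indicators are quoted from the
article text, the event records and field handling are assumptions."""
import re

# Indicators quoted from the article.
C2_ENDPOINTS = {("8.217.60.40", 8917)}
DROPPER_NAMES = {"mediaviewerlauncher.exe"}
KILLER_DRIVERS = {"189atohci.sys"}
RECON_TOOLS = {"cmd.exe", "ping.exe"}
# Assumption: payloads staged in the excluded directory run from there.
STAGING_PREFIX = "c:\\programdata\\"
# Matches the PowerShell cmdlet used to add Defender exclusions (any exclusion type).
EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)


def _name(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, event_index) pairs for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = _name(ev.get("Image"))
        parent = _name(ev.get("ParentImage"))
        cmd = ev.get("CommandLine", "")
        if eid == 1:  # Sysmon ProcessCreate
            if image in {"powershell.exe", "pwsh.exe"} and EXCLUSION_RE.search(cmd):
                findings.append(("defender_exclusion_added", i))
            if parent in DROPPER_NAMES and image in RECON_TOOLS:
                findings.append(("recon_from_trojanized_viewer", i))
            if ev.get("Image", "").lower().startswith(STAGING_PREFIX):
                findings.append(("execution_from_programdata", i))  # lower confidence
        elif eid == 6:  # Sysmon DriverLoad
            if _name(ev.get("ImageLoaded")) in KILLER_DRIVERS:
                findings.append(("vulnerable_driver_loaded", i))
        elif eid == 3:  # Sysmon NetworkConnect
            dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
            if dest in C2_ENDPOINTS:
                findings.append(("known_c2_connection", i))
    return findings


# Constructed sample telemetry: one host running the chain described in the article,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\radiology\Downloads\MediaViewerLauncher.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "MediaViewerLauncher.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\radiology\Downloads\MediaViewerLauncher.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1 -n 5"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -c Add-MpPreference -ExclusionPath C:\ProgramData"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\189atohci.sys"},
    {"EventID": 1, "Image": r"C:\ProgramData\update\loader.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "loader.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\update\loader.exe",
     "DestinationIp": "8.217.60.40", "DestinationPort": 8917},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -c Get-MpPreference"},
]

if __name__ == "__main__":
    for rule, idx in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is noisy (administrators do add exclusions, and plenty of software runs from C:\ProgramData); the value is in correlating several of them on one host within a short window, which is what the ordered output above makes easy to see.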

Silver Fox APT’s blend of technical sophistication and social engineering marks it as a formidable threat to critical infrastructure worldwide.
