China-based Silver Fox spoofs healthcare app to deliver malware


Silver Fox, a China-based threat actor that may or may not be backed by the Chinese government, has been delivering the ValleyRAT backdoor to unsuspecting users by disguising the malware as a legitimate healthcare app (the Philips DICOM viewer), a Windows text editor (EmEditor), and system drivers and utilities.

The ValleyRAT malware

How the malware gets served to users is unknown. In previous attacks attributed to Silver Fox, the group has used SEO poisoning and/or phishing to get users to install their ValleyRAT (aka Winos 4.0) malware.

After analyzing over two dozen samples of the initial malicious executable, collected between July 2024 and January 2025, Forescout researchers have ascertained that it acts as a first-stage loader that grabs further payloads from an Alibaba Cloud bucket, executes them and ensures their persistence.

The second-stage payloads are in charge of killing antivirus solutions and loading the third stage: the actual ValleyRAT trojan/backdoor and loader module, which eventually also drops a persistent cryptominer and a keylogger.

The malware’s execution flow (Source: Forescout)

Who are the targets?

Philips DICOM viewer is software for viewing medical images, and it’s used by health professionals and patients. EmEditor is a text/code/CSV editor that can work with very large files, and it’s used by editors, programmers, server administrators, DFIR specialists (e.g., for analyzing large log files), and others.

Whether Silver Fox is aiming to compromise organizations in specific sectors (e.g., healthcare, IT) is hard to tell – they might just be attempting to spread their malware far and wide, and later decide whether they will use the access and compromised information for deeper intrusions, or will be satisfied with the covert cryptominer doing its job.

“Silver Fox, also known as Void Arachne and The Great Thief of Valley, is an APT that has historically targeted Chinese-speaking victims and has been highly active since 2024,” the researchers noted.

But, over the past year, they’ve also started focusing on a broader range of targets, including gamers; e-commerce, finance, sales, accounting, and management professionals / enterprises; and national institutions and security companies.

“The new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors,” they added.

“While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant. In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.”

Healthcare organizations should avoid downloading software or files from untrusted sources (including patient devices), implement strict network segmentation, protect endpoints with security software, and monitor network traffic and endpoint telemetry to detect suspicious anomalies and known indicators of compromise.
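The staged execution flow described earlier (a spoofed application acting as a loader that fetches payloads from cloud storage, a second stage that tampers with security software, and a persistent third stage) is exactly the kind of chain that endpoint-telemetry monitoring can correlate. The following is an added example, not Forescout's code or any detection logic from the article. It assumes a simple event schema (`time`, `host`, `type`, `image`, `cmdline`, `dest`, `target`), uses a placeholder object-storage hostname because the article publishes no indicators, and runs over a handful of constructed telemetry events.

```python
"""Correlate endpoint telemetry into the loader -> AV tamper -> persistence chain.

Added example; not Forescout's or the article's own detection logic.
Field names, the spoofed-app name list, the AV process hints and the
object-storage host pattern are all assumptions. Sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Names the loader is reported to imitate (from the article), plus assumptions
# about where a user-downloaded binary would sit on disk.
SPOOFED_APP_NAMES = re.compile(r"(dicom|emeditor)", re.IGNORECASE)
USER_WRITABLE_DIRS = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
# Placeholder: substitute the object-storage host(s) from your own IoC feed.
OBJECT_STORAGE_HOST = re.compile(r"\.example-object-storage\.invalid$")
# Constructed, illustrative list of security-product process name fragments.
AV_PROCESS_HINTS = re.compile(r"(msmpeng|mbam|avp|ekrn)", re.IGNORECASE)
TAMPER_VERBS = re.compile(r"\b(kill|terminate|stop)\b", re.IGNORECASE)
PERSISTENCE_KEYS = re.compile(r"CurrentVersion\\Run|schtasks", re.IGNORECASE)

WINDOW = timedelta(minutes=30)  # how long after the download later stages may appear


def stage_of(event):
    """Map one telemetry event to a stage of the chain, or None if it matches nothing."""
    kind = event["type"]
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    if (kind == "network" and OBJECT_STORAGE_HOST.search(event.get("dest", ""))
            and SPOOFED_APP_NAMES.search(image) and USER_WRITABLE_DIRS.search(image)):
        return "loader_download"
    if kind == "process" and AV_PROCESS_HINTS.search(cmdline) and TAMPER_VERBS.search(cmdline):
        return "av_tamper"
    if kind in ("registry", "process") and PERSISTENCE_KEYS.search(cmdline + event.get("target", "")):
        return "persistence"
    return None


def correlate(events):
    """Return one alert per host where all three stages occur within WINDOW of a loader download."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        staged = sorted(
            ((datetime.fromisoformat(e["time"]), stage_of(e), e) for e in evs),
            key=lambda item: item[0],
        )
        for t0, stage, ev in staged:
            if stage != "loader_download":
                continue
            seen = {"loader_download": ev}
            for t, s, e in staged:
                if s in ("av_tamper", "persistence") and t0 <= t <= t0 + WINDOW:
                    seen.setdefault(s, e)  # keep the first occurrence of each stage
            if set(seen) >= {"av_tamper", "persistence"}:
                alerts.append({"host": host, "loader": ev["image"], "stages": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed telemetry, not real captures: one infected workstation, one benign host.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:00", "host": "WS-PATIENT-01", "type": "network",
     "image": r"C:\Users\pat\Downloads\DICOM_Viewer.exe",
     "dest": "loader-bucket.example-object-storage.invalid"},
    {"time": "2025-01-10T09:00:20", "host": "WS-PATIENT-01", "type": "process",
     "image": r"C:\Users\pat\AppData\Local\Temp\stage2.exe",
     "cmdline": "stage2.exe --terminate MsMpEng.exe"},
    {"time": "2025-01-10T09:01:05", "host": "WS-PATIENT-01", "type": "registry",
     "image": r"C:\Users\pat\AppData\Roaming\svc.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    # Benign: a properly installed EmEditor checking its vendor's update server.
    {"time": "2025-01-10T09:05:00", "host": "WS-02", "type": "network",
     "image": r"C:\Program Files\EmEditor\EmEditor.exe",
     "dest": "updates.vendor.example"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The single-event matches are deliberately loose (a lookalike name in a user-writable directory, a command line naming a security product, a Run-key write); what makes the alert high-confidence is requiring all three within the time window on the same host, which is why the benign EmEditor install on the second host produces nothing.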

In related news, ransomware operators have recently exploited vulnerabilities in the SimpleHelp remote monitoring and management solution used by Intelerad, a provider of a platform that healthcare organizations use to upload, store and exchange diagnostic imaging, to breach healthcare organizations.
