New analysis of a fake Telegram installer uploaded to MalwareBazaar shows Silver Fox expanding its ValleyRAT operations with a fresh delivery chain that hides behind a Chinese-language pack-decoy and an uncommon ZPAQ-based packer.
The MSI is a WiX-built installer (IssueAccentRequest, 4.49 MB) that runs a VBScript custom action as SYSTEM immediately after file extraction, while hiding itself from Add/Remove Programs via ARPSYSTEMCOMPONENT=1.
Once executed, the script extracts three files: a renamed copy of the legitimate zpaqfranz decompression utility, and two encrypted ZPAQ archives that together contain the full Silver Fox toolset.
On April 8, 2026, researchers spotted a malicious MSI named 点击安装中文语言包a.msi (“Click to Install Chinese Language Pack a”) on MalwareBazaar, posing as a Telegram Chinese language pack installer and delivering ValleyRAT plus a kernel-mode rootkit.
PowerShell code merges the archive parts and XOR-decrypts them with a small key (0x38, with every 56th byte treated specially) before handing off to zpaqfranz to unpack the payloads.
Six-Stage Infection Chain
The attackers use a six-stage chain to transition from a benign-looking Telegram installer to a fully persistent ValleyRAT infection with kernel privileges.
- Stage 1–3: The MSI’s VBScript and PowerShell logic reconstruct and decrypt the archives, then invoke zpaqfranz to extract an outer ZPAQ and a password-protected inner archive (password: 1+427aafwqYOGGlOahjE).
- Stage 4: The script queries WMI for Chinese consumer AV processes (ZhuDongFangYu.exe for 360 Safe, QQPCRTP.exe for Tencent PC Manager, HipsDaemon.exe for Huorong) and chooses between a DLL sideloading chain or a direct drop into C:\Windows depending on what’s running.
- Stage 5: ValleyRAT launches and contacts its command-and-control server at 118.107.43.65:5040, while a BYOVD rootkit based on the legitimate wnBios driver is loaded to gain raw physical memory access.
- Stage 6: To maintain cover, the installer opens tg://setlanguage?lang=classic-zh-cn, so Telegram really applies the requested language pack, reinforcing the illusion of a normal install.
ZPAQ and ByteDance LOLBins
A notable twist is the use of the signed zpaqfranz v60/v63.2 binary as a LOLBin packer instead of more common tooling like 7-Zip or built-in Windows decompressors.
ZPAQ’s low profile in malware detection signatures makes it attractive for evading rules that specifically watch for 7z.exe or WinRAR-based malware extraction on endpoints.
If 360 or Tencent AV is present, the malware avoids dropping its main payload directly and instead abuses a signed ByteDance elevation service, SodaMusicLauncher.exe, to sideload malicious DLLs (powrprof.dll and wsc.dll).
The binary is signed by Beijing Microlive Vision Technology / Beijing Bytedance Network Technology and runs as AppShellElevationService, giving the attacker code execution in a trusted, allowlisted process that is unlikely to be blocked on Chinese-market systems.
The ValleyRAT payload is a Nim-compiled 64-bit PE with an encrypted configuration string that encodes the campaign tag (mEGLoIEgCfaQ), operator group (“King-New”), kernel driver identifier, persistence directory name, and C2 IP 118.107.43.65.
A second Nim loader, DesignAccent.exe, is installed as a scheduled task and imports HTTP and image-processing modules, suggesting capabilities such as screenshot capture or steganographic C2.
For stealth and defense evasion, Silver Fox again turns to a vulnerable driver: wnBios 1.2.0.0, a legitimate Wincor Nixdorf BIOS access driver that exposes primitives for arbitrary physical memory reads and writes.
Using this driver, the group can turn off kernel security features, interfere with PatchGuard, hide processes, and inject encrypted shellcode from an accompanying eRMqYUTL.sys blob.
The active C2 server, 118.107.43.65, is hosted by CTG Server Ltd in Hong Kong on the 118.107.40.0/21 netblock, a bulletproof hosting range already linked to multiple Silver Fox operations, including fake Teams and Telegram installers distributing ValleyRAT and related tooling.
External scanning shows the custom C2 port 5040 and NetBIOS (139/tcp) exposed, but little else, indicating the host is tightly filtered against passive reconnaissance.
The combination of ValleyRAT, a BYOVD-based rootkit, DLL sideloading, and CTG Server infrastructure lines up cleanly with prior reporting that ties this tradecraft to the Chinese-nexus Silver Fox group, also tracked as Void Arachne and similar aliases.
Previous research has documented the same actor distributing ValleyRAT via trojanized installers for Telegram, Teams, and other Chinese-popular software, often with AV-aware logic tuned to 360 and Tencent products.
Additional high-signal behaviors include MSI packages that use VBScript custom actions (type 7238) to spawn PowerShell, unexpected zpaqfranz.exe executions, creation of the AppShellElevationService pointing to non-standard paths, tg://setlanguage URIs invoked by non-Telegram processes, and any kernel driver load path referencing wnBios 1.2.0.0.
Defenders should block 118.107.43.65 and, where possible, the broader 118.107.40.0/21 CTG Server range, and hunt for suspicious process names such as GjdLUhqZIJJB.exe, SingMusice.exe, and DesignAccent.exe.
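As an added example (not code from the article, the researchers, or any vendor), the following Python hunt applies the high-signal behaviours and indicators listed above to constructed Sysmon-style endpoint events; the event schema, field names, sample paths and command lines are assumptions, and only the C2 IP, process names and driver name come from the article.

```python
from dataclasses import dataclass

C2_IP = "118.107.43.65"                         # C2 named in the article
SUSPECT_NAMES = {"gjdluhqzijjb.exe", "singmusice.exe", "designaccent.exe"}
AV_PROCS = {"zhudongfangyu.exe", "qqpcrtp.exe", "hipsdaemon.exe"}

@dataclass
class Event:                  # assumed Sysmon-like schema, not a real log format
    kind: str                 # "process", "netconn" or "driver"
    image: str = ""           # created or connecting process
    parent_image: str = ""
    cmdline: str = ""
    dest_ip: str = ""         # netconn only
    driver_path: str = ""     # driver only

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: Event) -> list[str]:
    """Return the indicator labels an event matches ([] means nothing seen)."""
    hits = []
    name, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.cmdline.lower()
    if ev.kind == "process":
        if parent == "msiexec.exe" and name in ("powershell.exe", "pwsh.exe"):
            hits.append("msiexec->powershell")      # MSI custom action spawning PowerShell
        if name == "zpaqfranz.exe" or "zpaqfranz" in cmd:
            hits.append("zpaqfranz-exec")           # renamed copies need a signer/hash rule
        if "win32_process" in cmd and any(a in cmd for a in AV_PROCS):
            hits.append("av-enum-wmi")              # probing for 360 / Tencent / Huorong
        if "tg://setlanguage" in cmd and (
                "telegram" not in name or parent not in ("explorer.exe", "telegram.exe")):
            hits.append("tg-uri-non-telegram")      # decoy language-pack URI
        if name in SUSPECT_NAMES:
            hits.append("suspect-name:" + name)
    elif ev.kind == "netconn" and ev.dest_ip == C2_IP:
        hits.append("c2-ip")
    elif ev.kind == "driver" and "wnbios" in ev.driver_path.lower():
        hits.append("wnbios-driver-load")           # BYOVD rootkit driver
    return hits

# Constructed sample telemetry (not real logs); index 4 is the benign control case
SAMPLE = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\msiexec.exe", "powershell -w hidden -ep bypass -c ..."),
    Event("process", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
          "rundll32 url.dll,FileProtocolHandler tg://setlanguage?lang=classic-zh-cn"),
    Event("netconn", r"C:\ProgramData\x\GjdLUhqZIJJB.exe", dest_ip=C2_IP),
    Event("driver", driver_path=r"C:\Windows\System32\drivers\wnBios.sys"),
    Event("process", r"C:\Program Files\Telegram Desktop\Telegram.exe",
          r"C:\Windows\explorer.exe", "Telegram.exe -- tg://setlanguage?lang=classic-zh-cn"),
]
```

Running `classify` over each `SAMPLE` entry flags the first four and leaves the genuine Telegram launch clean; a renamed zpaqfranz copy will only be caught by a signer or hash rule, not by the name check.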