Silver Fox APT Targets Public Sector via Trojanized Medical Software

Silver Fox (also known as Void Arachne or The Great Thief of Valley) is a China-based advanced persistent threat group active since 2024. It is believed to be state-sponsored and is known for conducting cyber espionage, data theft, and, in some cases, financially motivated intrusions.

The group targets both individual users and organizations across healthcare, government, and critical infrastructure sectors. Its campaigns often involve a custom remote access trojan called Winos 4.0 (also known as ValleyRAT), which is derived from the legacy Gh0st RAT malware family.

This post analyzes a confirmed multi-stage campaign by Silver Fox APT that uses trojanized medical software and cloud infrastructure to deploy remote access tools, disable AV, and exfiltrate data from healthcare and public sector targets.

Silver Fox APT: Overview and Key Findings

• Target Sector: Healthcare delivery organizations (HDOs)

• Initial Vector: SEO poisoning or phishing, weaponized legitimate software, installers for Chrome and AI tools

• Trojanized Binary: MediaViewerLauncher.exe (Philips DICOM Viewer - confirmed case)

• Cloud Infrastructure: Alibaba OSS (Object Storage Service)

• C2 Infrastructure: 8.217.60[.]40:8917 (defunct)

• Toolset: ValleyRAT, TrueSightKiller driver, PowerShell exclusions, keylogger, crypto miner

Stage 1: DICOM Viewer Dropper and Downloader

Initial Execution and Delivery

Spear-Phishing Lures

One confirmed Silver Fox APT campaign impersonated Taiwan’s National Taxation Bureau, distributing ZIP files containing a malicious DLL (lastbld2Base.dll) [1]. 

When executed, the DLL launched shellcode to download Winos 4.0 (ValleyRAT) from a remote server. The lure was disguised as an official government document and enabled unauthorized access to Taiwanese government and industrial systems.

In another confirmed attack campaign, dubbed “Operation Holding Hands”, the group targeted organizations in Japan and Taiwan using digitally-signed fake salary notices. These payloads, signed with stolen certificates, unpacked COM-based loaders and deployed Winos 4.0 in memory to establish persistent remote access.

Backdoored Software Installers

Silver Fox has distributed backdoored installers for popular applications including Chrome, VPN clients (LetsVPN, QuickVPN), and AI tools like deepfake generators and voice changers [2]. These malicious installers delivered the Winos backdoor silently while installing the legitimate app. The group drove traffic to these payloads using SEO poisoning, malicious ads, and Telegram channels. The tactic exploited user demand for tools to bypass censorship or use trending AI software.

Trojanized Legitimate Applications

Silver Fox APT has also leveraged weaponized versions of legitimate software as an entry point for infection. These include trusted tools such as Philips DICOM medical viewers, EmEditor, and system driver utilities, applications typically used by healthcare professionals or IT administrators.

In one confirmed case, a trojanized MediaViewerLauncher.exe mimicked the Philips DICOM viewer. It functioned as a first-stage loader, launching the malware chain.

So, in this blog, we are going to explain this flow.

Network Contact: Alibaba Cloud Bucket

After execution of MediaViewerLauncher.exe, the malware contacts an Alibaba Cloud Object Storage (OSS) bucket, which serves as the attacker-controlled payload repository. 

The first file retrieved is i.dat, a configuration file containing encrypted metadata, including:

• URLs to fetch second-stage components
• Encrypted filenames used to disguise malicious content

Based on the information in i.dat, the dropper downloads multiple payloads disguised as benign image or data files.

• a.gif, b.gif, c.gif, d.gif
• s.jpeg
• s.dat

While seemingly harmless, these files contain encrypted binaries and shellcode that serve as building blocks for later stages.

System Reconnaissance and Evasion

As part of its preparatory actions, the malware runs a series of native Windows utilities to assess system properties and test for external network connectivity, which is required to reach its C2 infrastructure. 

Tools observed include:

These commands allow the malware to verify internet access and gather basic system information.

To reduce the chance of being detected by antivirus tools, the malware also issues PowerShell commands that configure Windows Defender exclusion rules for specific directories frequently used to stage payloads. Two sets of exclusions have been observed:

These exclusions help the malware operate stealthily by preventing Defender from scanning key directories where additional payloads are written or executed.

Load and Persist Second Stage

Once all second-stage components are downloaded and decrypted, the malware sets up Windows Task Scheduler entries to ensure automatic execution of the second stage. These tasks are configured to:

• Launch the second stage immediately
• Re-execute at every user login

This guarantees persistence across reboots and allows the malware to continue operations without requiring manual reactivation.

Stage 2: AV Kill and Loader Preparation

After the first stage exits, the second-stage malware begins execution, focusing on disabling endpoint defenses and preparing the host for full compromise.

Malicious Loader and Evasion Techniques

The shellcode previously retrieved from s.jpeg is executed in memory, where it loads essential functions (GetProcAddress, VirtualAlloc, RtlMoveMemory, etc.) and uses these to unpack a malicious DLL for task scheduling. 

It then loads RPC libraries (RPCRT4.dll) to initiate a named pipe binding via \\.\pipe\atsvc, enabling remote procedure call (RPC)-based task creation.

This task runs TO7RUF.exe, a renamed version of the Cyren AV executable (vseamps.exe), on a scheduled basis, immediately and at every user login. This ensures persistence of the loader component.

To evade detection and analysis, the malware employs several techniques:

• API hashing and indirect resolution to obfuscate function calls.

• Thread notification suppression (DisableThreadLibraryCalls) to complicate debugging.

• Bypassing static AV monitoring by using signed binaries and RPC-based scheduling.

Security Software Enumeration and Disabling

Upon execution, the loader references MsMpList.dat to enumerate running security processes. It loads and runs vselog.dll, then decrypts auxiliary files (WordPadFilter.db, MsMpList.dat) into memory using WriteProcessMemory.

If security products like Windows Defender (MsMpEng.exe) or NIS (NisSrv.exe) are found, the malware leverages a BYOVD (Bring Your Own Vulnerable Driver) approach:

• It loads 189atohci.sys (TrueSightKiller) to gain privileged access.
• Using DeviceIoControl with IOCTL 0x22e044, it forcibly terminates AV/EDR processes, effectively disabling monitoring and allowing silent operation.

Stage 3: ValleyRAT Deployment and Payload Expansion

In the final stage of the attack, the malware establishes long-term control over the infected system. It does this by deploying a backdoor called ValleyRAT, which allows the attackers to maintain remote access. Once active, ValleyRAT ensures it stays on the system by creating scheduled tasks that relaunch it automatically, even after a reboot.

But the attackers don’t stop there. Alongside the backdoor, they also deliver two additional components:

• A keylogger, which silently records everything the user types, potentially capturing login credentials, sensitive data, or private communications.

• A cryptocurrency miner, which secretly uses the victim’s system resources to mine digital currency for the attackers, often causing performance issues.

All three components, the backdoor, keylogger, and miner, are designed to persist and operate without user awareness. The backdoor connects to a remote server for further instructions, while the other two components work in the background, maximizing the attacker’s long-term control and profit from the compromised system.

Defensive Strategies and Recommendations for Organizations

To defend against Silver Fox APT, organizations should prioritize endpoint visibility and control. Deploy EDR/XDR tools capable of detecting memory-based execution, PowerShell abuse, and unauthorized task creation. Block known vulnerable drivers and enable PowerShell logging to catch evasion techniques early.

Restrict software installations using application control and allowlisting. Only permit trusted apps from verified sources. Strengthen email and web security by filtering attachments, blocking malicious domains, and inspecting downloads from cloud services like Alibaba OSS.

Monitor for behavioral signs such as unusual scheduled tasks, traffic to unfamiliar IPs, and file changes in commonly excluded directories like C:\ProgramData or C:\Users\Public.

Segment networks to isolate critical assets from general endpoints. Apply least privilege principles and disable unnecessary remote protocols to limit lateral movement.

Ensure incident readiness with centralized logging, memory capture capability, and response playbooks tailored to multi-stage and memory-resident threats.

Stay updated through threat intelligence feeds and test control effectiveness regularly. The Picus Security Validation Platform can simulate Silver Fox APT behaviors through both network infiltration and email infiltration attack scenarios, enabling organizations to identify detection gaps and improve their defensive posture proactively.

How Picus Helps Defend Against Silver Fox APT Attacks?

The Picus Security Validation Platform helps by safely simulating Silver Fox APT’s techniques, such as loading trojanized binaries, disabling AV processes via vulnerable drivers, executing fileless shellcode in memory, and exfiltrating data through HTTPS, using its continuously updated Threat Library. These simulations uncover blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them.

The Picus Threat Library includes the Silver Fox APT threat, emulating and simulating real-world tactics, techniques, and procedures (TTPs) to support continuous security control validation, helping organizations measure readiness, reduce exposure, and strengthen defenses against sophisticated threats.

Reference

[1] The Hacker News, “Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations,” The Hacker News, Feb. 27, 2025. Available: https://thehackernews.com/2025/02/silver-fox-apt-uses-winos-40-malware-in.html. [Accessed: Jun. 16, 2025]

[2] “Threat Group Cards: A Threat Actor Encyclopedia.” Available: https://apt.etda.or.th/cgi-bin/showcard.cgi. [Accessed: Jun. 16, 2025]