
Silver Fox APT Hackers Targeting Healthcare Services for Sensitive Data Theft


A sophisticated cyber campaign orchestrated by the advanced persistent threat (APT) group “Silver Fox,” based in China, has been identified targeting healthcare services in the United States and Canada.

This campaign leverages trojanized versions of Philips DICOM viewers to deploy a series of malicious payloads, including a backdoor, keylogger, and cryptocurrency miner, posing significant risks to healthcare delivery organizations (HDOs).

Evolution of Malware Tactics and Techniques

The Silver Fox group, also known as Void Arachne, has demonstrated a marked evolution in its tactics, techniques, and procedures (TTPs) over the past year.

Initially focused on Chinese-speaking victims, the group has expanded its scope to target critical sectors such as healthcare, finance, and government institutions.

The latest campaign involves 29 malware samples disguised as Philips DICOM viewers (software used for viewing medical images) that were submitted to VirusTotal between December 2024 and January 2025.

According to Forescout's report, these samples deploy ValleyRAT, a remote access tool (RAT), alongside additional payloads that enable data theft and system exploitation.

The malware exhibits advanced evasion techniques, including PowerShell-based defense bypasses and encrypted payload delivery via Alibaba Cloud storage buckets.

Once executed, the malware disables security software using a driver called “TrueSightKiller” and establishes persistence through scheduled tasks.

The final payloads (a backdoor for remote control, a keylogger for credential theft, and a cryptocurrency miner) are delivered in multiple stages to maximize stealth.

Healthcare Sector Remains a Prime Target

Healthcare has been the most targeted critical infrastructure sector for two consecutive years (2023–2024), with attacks ranging from ransomware to direct exploitation of medical applications.

The Silver Fox campaign underscores this trend by exploiting patient-facing applications like DICOM viewers.

While these applications are primarily used by patients to view their medical images, infected devices could introduce malware into hospital networks through scenarios such as hospital-at-home programs or patient device usage within healthcare facilities.

To counter this threat, HDOs are advised to adopt robust cybersecurity measures:

  • Restrict Untrusted Software: Avoid downloading or running software from unverified sources.
  • Network Segmentation: Isolate untrusted devices or networks (e.g., guest Wi-Fi) from internal systems.
  • Endpoint Protection: Ensure all systems are equipped with updated antivirus or endpoint detection solutions.
  • Continuous Monitoring: Actively monitor network traffic and endpoint activity for indicators of compromise (IoCs).
  • Proactive Threat Hunting: Identify malicious activity aligned with known APT behaviors.
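The two behaviours described above (persistence through scheduled tasks and PowerShell-based defense bypasses, plus the security-software-killing driver) are the kind of thing the monitoring and threat-hunting advice in the list refers to. As an added example, not taken from the article or from Forescout's report, the following Python triage runs over a few constructed Windows event records (Security event 4698, scheduled task created, and Sysmon event 6, driver loaded) and flags tasks that run from untrusted locations or launch PowerShell with hidden/bypass/encoded flags, and driver loads that are unsigned or come from outside the system driver directory. The record layout, sample paths and flag patterns are assumptions for illustration, not indicators from the campaign.

```python
import re

# Constructed sample events (NOT indicators from the article): a simplified
# view of Security 4698 (task created) and Sysmon 6 (driver loaded) records.
SAMPLE_EVENTS = [
    {"id": 4698, "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe", "args": "-c -h -o"},
    {"id": 4698, "task": r"\Updater",
     "command": r"C:\Users\Public\svc.exe", "args": ""},
    {"id": 4698, "task": r"\Viewer", "command": "powershell.exe",
     "args": "-w hidden -ep bypass -EncodedCommand QQBCAEMA"},  # constructed
    {"id": 6, "driver": r"C:\Users\Public\drv.sys", "signed": False},
    {"id": 6, "driver": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True},
]

# Directories from which scheduled-task actions are normally expected to run.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# PowerShell switches (and their abbreviations) typical of hidden/bypass/encoded launches.
PS_FLAGS = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand|ep|exec|executionpolicy|w|windowstyle)(?!\S)")
# Defender tampering via PowerShell cmdlets (exclusions or disabling protection).
PS_TAMPER = re.compile(r"(?i)(?:Add|Set)-MpPreference\s+-(?:Exclusion|Disable)")

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage_task(ev: dict) -> list:
    reasons = []
    cmd, args = ev.get("command", ""), ev.get("args", "")
    if not cmd.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("action is not an absolute path under a trusted system directory")
    if basename(cmd) in ("powershell.exe", "pwsh.exe") and (PS_FLAGS.search(args) or PS_TAMPER.search(args)):
        reasons.append("PowerShell launched with hidden/bypass/encoded flags or Defender tampering")
    return reasons

def triage_driver(ev: dict) -> list:
    reasons = []
    if not ev.get("signed", False):
        reasons.append("driver image not signed")
    if not ev["driver"].lower().startswith(DRIVER_DIR):
        reasons.append("driver loaded from outside System32\\drivers")
    return reasons

def triage(events: list) -> list:
    """Return one alert per event that matches at least one hunting rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 4698:
            name, reasons = ev["task"], triage_task(ev)
        elif ev["id"] == 6:
            name, reasons = ev["driver"], triage_driver(ev)
        else:
            continue
        if reasons:
            alerts.append({"id": ev["id"], "name": name, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["id"], alert["name"], "->", "; ".join(alert["reasons"]))
```

In production the same rules would be fed from the real 4698 task XML and Sysmon DriverLoad fields (including the signature status), and a rule hit should be cross-checked against the organization's software allow-list before escalation.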

The Silver Fox campaign serves as a stark reminder of the increasing sophistication of cyber threats targeting critical infrastructure sectors like healthcare.

By implementing these mitigation strategies, organizations can reduce their risk exposure and enhance their resilience against evolving cyberattacks.
