Silver Fox, also known as Void Arachne or The Great Thief of Valley, is a state-sponsored advanced persistent threat group from China, active since 2024 and notorious for sophisticated cyber espionage and data theft campaigns.
Recent technical analyses confirm the group’s targeted attacks across healthcare, government, and critical infrastructure sectors, notably leveraging weaponized legitimate software to deliver multi-stage remote access threats and neutralize endpoint protection.
Multi-Stage Attack Chain
The latest campaign of Silver Fox APT, confirmed by incident responders, centers on a trojanized version of the Philips DICOM medical imaging viewer, specifically a backdoored “MediaViewerLauncher.exe.”
This file, often distributed via SEO poisoning, spear-phishing, or as part of manipulated installers for popular software like Chrome, VPN clients, or trending AI tools, masquerades as legitimate utilities frequently used in healthcare and public sector environments.
Upon execution, this weaponized binary contacts an attacker-controlled Alibaba Cloud OSS bucket to retrieve an encrypted configuration file (i.dat).
According to the Picus Security report, this file stores download instructions and encryption keys for subsequent payloads disguised as benign image or data files (e.g., a.gif, b.gif, s.jpeg).
These payloads, when decrypted, provide the next stage binaries and shellcode required to propagate the infection further.
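Because the staged payloads are ciphertext carrying image extensions, a cheap defensive check is to compare a file's magic bytes with the type its extension claims: a real GIF or JPEG starts with a fixed header, an encrypted blob does not. The following is an added example (not code from the Picus report or from the article) that runs over a constructed set of file names and leading bytes; the file names are taken from the report, the byte contents are made up for the demonstration, and the `.gif`/`.jpeg`/`.png` headers are the real magic numbers for those formats.

```python
from pathlib import PurePosixPath
from typing import Iterable, List, Optional, Tuple

# Real file signatures (magic numbers) for the image types the payloads imitate.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def extension_matches_content(name: str, head: bytes) -> Optional[bool]:
    """True if the leading bytes carry a valid header for the file's extension,
    False if the extension claims an image but the bytes do not match,
    None if the extension is not one this check knows."""
    ext = PurePosixPath(name.replace("\\", "/")).suffix.lower()
    if ext not in MAGIC:
        return None
    return any(head.startswith(sig) for sig in MAGIC[ext])


def suspicious_downloads(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the names whose extension says 'image' but whose content does not.
    Only a definite mismatch (False) is reported; unknown extensions are skipped
    so the check stays low-noise when placed on a proxy or file-write hook."""
    return [name for name, head in files if extension_matches_content(name, head) is False]


# Constructed sample: two genuine image headers and two "images" whose first
# bytes look like ciphertext, which is how a staged, encrypted payload appears.
SAMPLE_FILES = [
    ("a.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ("b.gif", b"\x9c\x12\xf0\x5b\x77\x3e\xa1\x00"),
    ("s.jpeg", b"\x41\x7f\x00\x33\x21\x8d\xcc\x9e"),
    ("logo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("i.dat", b"\x00\x01\x02\x03"),  # unknown extension: not judged here
]

if __name__ == "__main__":
    for name in suspicious_downloads(SAMPLE_FILES):
        print(f"extension/content mismatch: {name}")
```

The check deliberately reads only the first few bytes, so it can run on every download without buffering whole files; a mismatch on a file fetched from object storage by a desktop application is the kind of signal worth forwarding to an EDR or proxy alert queue.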
The malware executes a range of native Windows utilities such as cmd.exe, ping.exe, and ipconfig.exe, both for reconnaissance and validation of internet connectivity.
To evade detection, it issues PowerShell commands (using Add-MpPreference) that configure Windows Defender to exclude specific directories from scanning, strategically those most likely to receive the malware payloads.
This tactic is particularly effective in allowing the second and third-stage components to be written to disk and executed without interference.
Persistence is achieved through automated creation of scheduled tasks via Windows Task Scheduler, ensuring both immediate and recurring execution of subsequent loader and payload modules upon user logon or system reboot.
Covert Data Exfiltration
Following establishment of persistence, the malware executes in-memory shellcode to unwind a malicious DLL loader, employing API hashing and indirect function resolution to thwart static detection.
The loader interacts with RPC libraries to instantiate scheduled tasks, such as running a renamed Cyren AV executable (serving as a host DLL for malicious code) and loading additional components via encrypted payloads.
A critical feature of the second stage is its enumeration of endpoint security products using information extracted from MsMpList.dat.
If security software such as Windows Defender (MsMpEng.exe) or NIS (NisSrv.exe) is found, Silver Fox employs a “Bring Your Own Vulnerable Driver” (BYOVD) technique, loading a signed but vulnerable driver (189atohci.sys, “TrueSightKiller”) to attain privileged access and forcibly terminate AV/EDR processes.
This ensures that advanced components such as the ValleyRAT (aka Winos 4.0) remote access trojan can be installed and operated silently.
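The evasion and persistence steps described above (Defender exclusions via Add-MpPreference, scheduled-task creation, cmd/ping/ipconfig reconnaissance launched from a desktop application, and the BYOVD driver load) all leave process-creation and driver-load telemetry. The following is an added example, not code from the Picus report or from the article, that runs four detection rules over constructed Sysmon-style records (EventID 1 = process create, EventID 6 = driver load; field names follow Sysmon's). The driver filename comes from the report; the SHA256 value is a placeholder for an entry you would take from a vulnerable-driver blocklist, and the "two or more recon tools under one non-shell launcher" threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Driver name from the report; the hash is a placeholder, not a real value.
VULNERABLE_DRIVER_NAMES = {"189atohci.sys"}
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_FROM_BLOCKLIST"}

RECON_TOOLS = {"cmd.exe", "ping.exe", "ipconfig.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Launchers under which bursts of these tools are routine (interactive desktop, service host).
EXPECTED_LAUNCHERS = {"explorer.exe", "services.exe"}
EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the four rules and return one finding dict per hit."""
    records = {e["ProcessGuid"]: e for e in events if e["EventID"] == "1"}

    def launcher_of(e: Dict[str, str]) -> str:
        # Climb past shells and recon tools to the first ancestor that is neither;
        # fall back to ParentImage when the chain leaves our records.
        cur = e
        while True:
            parent = records.get(cur.get("ParentProcessGuid", ""))
            if parent is None:
                return basename(cur.get("ParentImage", ""))
            if basename(parent["Image"]) not in SHELLS | RECON_TOOLS:
                return basename(parent["Image"])
            cur = parent

    findings: List[Dict[str, str]] = []
    recon_by_launcher: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["EventID"] == "1":
            cmd, image = e.get("CommandLine", ""), basename(e["Image"])
            parent = basename(e.get("ParentImage", ""))
            if EXCLUSION_RE.search(cmd):
                findings.append({"rule": "defender-exclusion-added", "parent": parent, "cmd": cmd})
            if SCHTASKS_RE.search(cmd):
                findings.append({"rule": "scheduled-task-created", "parent": parent, "cmd": cmd})
            if image in RECON_TOOLS:
                recon_by_launcher[launcher_of(e)].add(image)
        elif e["EventID"] == "6":
            drv, hashes = basename(e.get("ImageLoaded", "")), e.get("Hashes", "")
            if drv in VULNERABLE_DRIVER_NAMES or any(h in hashes for h in VULNERABLE_DRIVER_SHA256):
                # A valid signature does not clear the driver: BYOVD relies on it.
                findings.append({"rule": "vulnerable-driver-loaded", "driver": drv, "signed": e.get("Signed", "?")})
    for launcher, tools in recon_by_launcher.items():
        if len(tools) >= 2 and launcher not in EXPECTED_LAUNCHERS:
            findings.append({"rule": "recon-burst", "launcher": launcher, "tools": ",".join(sorted(tools))})
    return findings


def proc(guid: str, pguid: str, image: str, pimage: str, cmd: str) -> Dict[str, str]:
    return {"EventID": "1", "ProcessGuid": guid, "ParentProcessGuid": pguid,
            "Image": image, "ParentImage": pimage, "CommandLine": cmd}


# Constructed telemetry: a trojanized viewer driving the chain, plus a benign
# explorer -> cmd -> ipconfig sequence that must not fire the recon rule.
SAMPLE_EVENTS = [
    proc("P1", "P0", r"C:\Users\u\Downloads\MediaViewerLauncher.exe", r"C:\Windows\explorer.exe", "MediaViewerLauncher.exe"),
    proc("P2", "P1", r"C:\Windows\System32\cmd.exe", r"C:\Users\u\Downloads\MediaViewerLauncher.exe", "cmd.exe /c ipconfig /all"),
    proc("P3", "P2", r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\System32\cmd.exe", "ipconfig /all"),
    proc("P4", "P2", r"C:\Windows\System32\PING.EXE", r"C:\Windows\System32\cmd.exe", "ping -n 1 connectivity-check.invalid"),
    proc("P5", "P1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\u\Downloads\MediaViewerLauncher.exe",
         r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\Public\Data"'),
    proc("P6", "P1", r"C:\Windows\System32\schtasks.exe", r"C:\Users\u\Downloads\MediaViewerLauncher.exe",
         r"schtasks /create /tn Updater /tr C:\Users\Public\Data\ld.exe /sc onlogon"),
    {"EventID": "6", "ImageLoaded": r"C:\Windows\Temp\189atohci.sys", "Hashes": "SHA256=CONSTRUCTED", "Signed": "true"},
    proc("P7", "P6x", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    proc("P8", "P7", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
    proc("P9", "P8", r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\System32\cmd.exe", "ipconfig"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Matching the driver on hash rather than filename matters in practice, since a renamed copy of the same signed binary is still loadable; the filename set is here only because it is the identifier the report gives.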
In the tertiary stage, ValleyRAT is deployed along with a keylogger and cryptocurrency miner, all controlled via scheduled tasks for long-term persistence.
ValleyRAT establishes covert C2 communications, while the keylogger and miner operate in the background, capturing credentials and silently hijacking system resources for illicit Monero mining.
Payload updates and additional modules are continuously fetched from Alibaba Cloud storage, encrypted and disguised as innocuous files.
Specialists advise organizations to deploy robust EDR/XDR solutions capable of detecting memory-only attacks, PowerShell abuse, and suspicious task scheduling.
Application allowlisting, strict email/web security, and network segmentation are paramount.
Blocking known vulnerable drivers, enforcing logging, and ongoing threat simulation exercises (such as via the Picus Security Validation Platform) are recommended to proactively identify and close security gaps against evolving APT strategies.
Regular incident readiness drills and threat intelligence monitoring remain essential as Silver Fox APT continues to adapt its tradecraft.