Since early 2024, a surge in activity by the Silver Fox cybercrime group has been observed across the Chinese internet, with the group using counterfeit versions of popular tools such as Google Translate to distribute malware.
Security researchers at the Knownsec 404 Advanced Threat Intelligence Team report that the attackers build convincing fake websites mimicking legitimate download pages, including translation utilities and office suites, to lure users into installing trojans that compromise their devices.
The campaigns begin with lookalike websites for widely used applications, including Google Translate, currency converters, and popular Chinese utilities such as WPS Office and Bit Browser.

Visitors to these pages are often met with unexpected prompts, for example a warning that their Flash Player is outdated, that redirect them to attacker-controlled download servers. Adobe ended support for Flash Player at the end of 2020, so any such prompt is itself a warning sign.
Installing the offered package silently deploys the malicious payload, setting the stage for full system compromise.
Modular Payload Delivery
The typical infection chain, as analyzed by researchers, employs MSI or EXE installation packages that both ultimately drop the same core Trojan: a derivative of the “Winos” remote control malware.

The MSI installer, for example, executes auxiliary components and batch scripts that deploy and persistently run the main payload under file names chosen to look legitimate, such as javaw.exe and Microsoftdata.exe.
These payloads are designed for stealth and persistence. Once installed, the malware modifies the Windows registry so that it runs again after every reboot, and it uses loader DLLs together with encrypted configuration files such as Xps.dtd (a name that does not look like an executable) to execute second-stage shellcode.
The decrypted shellcode loads further payloads whose internal identifiers reference variants such as "RexRat4.0.3", though analysis confirms that their core functionality remains aligned with the Winos Trojan family.
Winos is distinguished by its highly modular framework, supporting a suite of plugins designed for extensive surveillance and data exfiltration.
Capabilities include capturing screenshots, logging keystrokes, and harvesting clipboard contents from infected systems.
The malware’s adaptability has allowed criminal operators, and even advanced persistent threat (APT) actors, to repeatedly repurpose and repackage the core code for new phishing campaigns, typically focused on achieving broad distribution by hijacking the branding of trusted applications.
Growing Ecosystem
The continuous evolution of Silver Fox’s malicious toolkit is a direct result of leaked source code for Winos and similar remote access trojans circulated in underground forums.
This has enabled a wider array of threat actors to customize and distribute the malware, creating an aggressive ecosystem where fake application downloads, SEO poisoning, and fraudulent institutional websites routinely appear in the wild.
Researchers emphasize that users must exercise increased vigilance: install software only from official sources, avoid cracked or third-party installers, check that an installer is digitally signed by the expected publisher before running it, and keep security software and patches up to date.
With Silver Fox’s operations deeply eroding trust in the broader internet download environment, the burden of defense now rests equally on end users, organizations, and security vendors to counter these threats.
Indicators of Compromise (IOC)
Category | Value
---|---
SHA-256 hash | 38bdef0bdf05adeefb1d4ba04296c757eb8cdfb9be958e4c0d544764564df177
SHA-256 hash | b5e0893617a6a1b5e5f3c0c85fa82eaa9c6e66a511ca3974e35d6a466b52642a
SHA-256 hash | cf17ce1d9a3f0151afd129823303aa949f6c7d71692dff5f6c39bcef03c8dadc
SHA-256 hash | cdd221dfe3d856aae18cd5af30fd771df44441c35383278a1559438c3e708cfd
SHA-256 hash | 4d0ccef5969d7733fc633570d80dfff8ac2362789572c9df8a0320eede2b3284
SHA-256 hash | 1ce6518a4f31b1d1b500df7966c0a2e93e7a4b728b402727071d7b2d5b2cf5b6
SHA-256 hash | 42dd5c61c3490447d0b217eca6c1aad9cd9e636fd3b034138a12596d0b03eced
SHA-256 hash | 61f860c3241f13c9e2a290c14a74ad9d0f018fe36f2ed9e260907b7c12ecb393
SHA-256 hash | 0d171b33d1a22b2e1e2fb1638295c40f67c4ac40d771e732de2c0e01fd6cd79e
Phishing domain / hosting IP | 192.252.181[.]55
Phishing domain / hosting IP | www.ggfanyi[.]com
Phishing domain / hosting IP | 185.202.101[.]114
C2 server (IP:port) | 8.218.115.90:8080
C2 server (IP:port) | 8.218.115.90:8081
C2 server (IP:port) | 154.91.66.58:8088
C2 server (IP:port) | 154.91.66.58:8089
C2 server (IP:port) | 103.116.246.234:6234
C2 server (IP:port) | 43.250.174.49:1989
C2 server (IP:port) | 154.222.24.214:886
C2 server (IP:port) | 154.222.24.214:668
C2 server (IP:port) | 206.119.167.191:8003
C2 server (IP:port) | 206.119.167.191:8004
C2 server (IP:port) | 1.94.163.46:666
C2 server (IP:port) | 203.160.55.201:1860
C2 server (IP:port) | 154.94.232.242:8888
C2 server (IP:port) | 154.94.232.242:6666
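The IOC list above is only useful once it is matched against what your own telemetry records. The script below is an added example written for this article (it is not Knownsec 404 code): it refangs the published values, indexes the C2 entries by IP so that a known C2 address seen on an unlisted port is still flagged for triage, scans a small set of constructed firewall/proxy log lines, and checks a list of observed file hashes. The log line format, the sample lines, and the internal 10.0.0.x addresses are assumptions made for the example; the indicator values themselves are copied from the table.

```python
"""Match network log lines and file hashes against the Silver Fox IOC table.

Added example for this article, not code from the Knownsec 404 report. The
IOC values come from the table above; the log format and sample lines are
constructed for illustration.
"""
import re

# Indicators copied from the IOC table. Phishing hosts are kept defanged
# ("[.]") exactly as published; refang() strips that before matching.
PHISHING_HOSTS = ["192.252.181[.]55", "www.ggfanyi[.]com", "185.202.101[.]114"]
C2_ENDPOINTS = [
    "8.218.115.90:8080", "8.218.115.90:8081", "154.91.66.58:8088", "154.91.66.58:8089",
    "103.116.246.234:6234", "43.250.174.49:1989", "154.222.24.214:886", "154.222.24.214:668",
    "206.119.167.191:8003", "206.119.167.191:8004", "1.94.163.46:666", "203.160.55.201:1860",
    "154.94.232.242:8888", "154.94.232.242:6666",
]
FILE_HASHES = {  # SHA-256 values (64 hex chars each) from the table
    "38bdef0bdf05adeefb1d4ba04296c757eb8cdfb9be958e4c0d544764564df177",
    "b5e0893617a6a1b5e5f3c0c85fa82eaa9c6e66a511ca3974e35d6a466b52642a",
    "cf17ce1d9a3f0151afd129823303aa949f6c7d71692dff5f6c39bcef03c8dadc",
    "cdd221dfe3d856aae18cd5af30fd771df44441c35383278a1559438c3e708cfd",
    "4d0ccef5969d7733fc633570d80dfff8ac2362789572c9df8a0320eede2b3284",
    "1ce6518a4f31b1d1b500df7966c0a2e93e7a4b728b402727071d7b2d5b2cf5b6",
    "42dd5c61c3490447d0b217eca6c1aad9cd9e636fd3b034138a12596d0b03eced",
    "61f860c3241f13c9e2a290c14a74ad9d0f018fe36f2ed9e260907b7c12ecb393",
    "0d171b33d1a22b2e1e2fb1638295c40f67c4ac40d771e732de2c0e01fd6cd79e",
}


def refang(value: str) -> str:
    """Undo the usual defanging so published IOCs compare equal to live data."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_indicators():
    """Return (phishing_hosts, c2_ports); c2_ports maps each C2 IP to its ports."""
    hosts = {refang(h) for h in PHISHING_HOSTS}
    c2 = {}
    for endpoint in C2_ENDPOINTS:
        ip, port = refang(endpoint).rsplit(":", 1)
        c2.setdefault(ip, set()).add(int(port))
    return hosts, c2


# Constructed log format (an assumption, not any real product's format):
#   <timestamp> <src_ip> -> <dst_ip_or_host>:<port> [host=<HTTP Host header>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>[\w.\-]+):(?P<port>\d+)(?: host=(?P<host>\S+))?\s*$"
)


def scan(lines):
    """Return (timestamp, category, indicator) for every line hitting an IOC.

    "c2" is an exact IP:port match. The table lists several ports per C2 IP,
    so a listed IP on an unlisted port is reported as "c2-ip-other-port" for
    triage instead of being silently dropped.
    """
    hosts, c2 = build_indicators()
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        dst, port, host = m["dst"], int(m["port"]), m["host"]
        if dst in c2:
            category = "c2" if port in c2[dst] else "c2-ip-other-port"
            hits.append((m["ts"], category, f"{dst}:{port}"))
        elif host in hosts or dst in hosts:
            hits.append((m["ts"], "phishing", host if host in hosts else dst))
    return hits


def match_hashes(observed):
    """Return the observed SHA-256 values (any case) that are in the IOC list."""
    return [h.lower() for h in observed if h.lower() in FILE_HASHES]


# Constructed sample lines; 10.0.0.x are internal hosts, 203.0.113.5 is an
# RFC 5737 documentation address standing in for a benign destination.
SAMPLE_LOG = [
    "2024-05-01T09:58:12Z 10.0.0.12 -> 203.0.113.5:443 host=translate.google.com",
    "2024-05-01T09:59:03Z 10.0.0.12 -> 185.202.101.114:443 host=www.ggfanyi.com",
    "2024-05-01T10:00:41Z 10.0.0.12 -> 8.218.115.90:8080",
    "2024-05-01T10:02:15Z 10.0.0.12 -> 154.91.66.58:443",
    "2024-05-01T10:03:00Z 10.0.0.17 -> 10.0.0.1:53",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Run against the sample lines, the scan reports the fake translation site, the exact C2 session, and the C2 address on an unlisted port, and ignores the benign and malformed lines. Treat the "c2-ip-other-port" category as a lead to investigate rather than a confirmed detection, since the same hosting addresses can be reused for unrelated traffic.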