Silver Fox APT Hacks Medical Imaging Software to Deploy ValleyRAT

Updated at: June 29, 2025
Silver Fox APT chinese group

Cybersecurity researchers have uncovered a sophisticated campaign by the Chinese-linked APT group Silver Fox, which is weaponizing fake medical imaging software to infiltrate healthcare and public sector networks. The attacks use malware-disguised Philips DICOM viewer applications to secretly install the notorious ValleyRAT framework.

Who Is Silver Fox APT, and How Does the Attack Chain Work?

Silver Fox APT is the name given to a Chinese advanced persistent threat (APT) group known for conducting cyber-espionage operations, particularly against public sector institutions, healthcare, and critical infrastructure across the Asia-Pacific and North America.

Attackers begin by distributing trojanized executables like MediaViewerLauncher.exe that masquerade as Philips DICOM viewers or EmEditor utilities. When opened, these files connect to an Alibaba Cloud bucket, retrieve encrypted payloads, and use embedded shellcode to decrypt them in memory. They then run Windows commands (ping.exe, cmd.exe, ipconfig.exe) for reconnaissance and execute PowerShell to exclude key directories from Windows Defender scanning.

Next, the malware installs TrueSightKiller, a vulnerable driver that disables antivirus and endpoint defenses through a “Bring Your Own Vulnerable Driver” (BYOVD) method. Finally, a scheduled task launches ValleyRAT together with a keylogger and a cryptominer, ensuring persistent remote access and data theft.

Researchers have found 29 malware samples deployed since mid-2024, showing a rising trend toward targeting English-speaking regions such as the US and Canada. Silver Fox also uses phishing lures tied to government or salary notifications, signed with stolen certificates, to trick users into running the malicious installers.

This strategy is particularly dangerous for healthcare settings. Infected personal devices used by patients or staff could act as entry points into larger hospital networks—potentially endangering sensitive systems and patient data.

With its layered evasion techniques and trusted-looking software disguise, Silver Fox’s campaign highlights a growing threat vector in cybersecurity. Healthcare providers should strictly avoid installing software from unverified sources, segment patient devices from core networks, enforce strong endpoint detection tools, monitor PowerShell and task logs, and block risky drivers to prevent such intrusions.
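The attack chain described above (a dropped launcher spawning ping/cmd/ipconfig, PowerShell adding Windows Defender exclusions, a vulnerable driver load, and scheduled-task persistence) maps directly onto the "monitor PowerShell and task logs, and block risky drivers" advice. The following is an added detection example, not code from the original report or from the researchers: it runs simple rules over constructed Sysmon-style process-creation (EventID 1) and driver-load (EventID 6) log lines and correlates the stages per host. Host names, paths, the task name and the driver filename are invented placeholders; the `Add-MpPreference -ExclusionPath` cmdlet is the real Defender exclusion mechanism, and the recon tool names come from the article.

```python
"""Stage-correlation detector for the Silver Fox behaviours named in the article.

Added example with CONSTRUCTED telemetry: field names mimic Sysmon, but every
host, path, task name and driver name below is a placeholder.
"""
import re
from collections import defaultdict

# Constructed sample log lines (one event per line).
SAMPLE_LOGS = """\
EventID=1 Host=WS-RAD-07 Image=C:\\Users\\jdoe\\Downloads\\MediaViewerLauncher.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="MediaViewerLauncher.exe"
EventID=1 Host=WS-RAD-07 Image=C:\\Windows\\System32\\ping.exe ParentImage=C:\\Users\\jdoe\\Downloads\\MediaViewerLauncher.exe CommandLine="ping.exe -n 1 127.0.0.1"
EventID=1 Host=WS-RAD-07 Image=C:\\Windows\\System32\\ipconfig.exe ParentImage=C:\\Users\\jdoe\\Downloads\\MediaViewerLauncher.exe CommandLine="ipconfig.exe /all"
EventID=1 Host=WS-RAD-07 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Users\\jdoe\\Downloads\\MediaViewerLauncher.exe CommandLine="powershell.exe -w hidden Add-MpPreference -ExclusionPath C:\\ProgramData\\Viewer"
EventID=6 Host=WS-RAD-07 ImageLoaded=C:\\ProgramData\\Viewer\\placeholder_vuln_driver.sys Signed=true
EventID=1 Host=WS-RAD-07 Image=C:\\Windows\\System32\\schtasks.exe ParentImage=C:\\Users\\jdoe\\Downloads\\MediaViewerLauncher.exe CommandLine="schtasks.exe /Create /SC ONLOGON /TN ViewerUpdate /TR C:\\ProgramData\\Viewer\\svc.exe"
EventID=1 Host=WS-FIN-02 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="powershell.exe Get-ChildItem C:\\Reports"
"""

# Directories an unprivileged user (or a dropper) can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|ProgramData|Windows\\Temp)\\", re.I)
# Reconnaissance binaries the article says the launcher runs.
RECON_TOOLS = {"ping.exe", "cmd.exe", "ipconfig.exe"}
# Placeholder entry; in production populate this from your own driver
# blocklist (for example Microsoft's vulnerable driver blocklist).
RISKY_DRIVERS = {"placeholder_vuln_driver.sys"}


def parse(line):
    """Turn 'Key=value Key="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the attack stage a single event matches, or None."""
    if ev.get("EventID") == "1":
        img = basename(ev.get("Image", ""))
        parent = ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "")
        # PowerShell carving out Defender exclusions.
        if img == "powershell.exe" and re.search(
                r"(Add|Set)-MpPreference\b.*-Exclusion", cmd, re.I):
            return "defender_exclusion"
        # Recon tools whose parent lives in a user-writable directory.
        if img in RECON_TOOLS and USER_WRITABLE.search(parent):
            return "recon_from_dropped_binary"
        # Scheduled-task creation requested by a dropped binary.
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
                and USER_WRITABLE.search(parent):
            return "scheduled_task_persistence"
    elif ev.get("EventID") == "6":
        drv = ev.get("ImageLoaded", "")
        # Known-risky driver, or any driver loaded from a user-writable path.
        if basename(drv) in RISKY_DRIVERS or USER_WRITABLE.search(drv):
            return "risky_driver_load"
    return None


def analyze(log_text):
    """Map each host to the set of attack stages observed on it."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        stage = classify(ev)
        if stage:
            findings[ev.get("Host", "?")].add(stage)
    return dict(findings)


def hosts_with_chain(findings, min_stages=3):
    """Hosts where enough distinct stages co-occur to call it a chain."""
    return sorted(h for h, stages in findings.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for host, stages in result.items():
        print(host, sorted(stages))
    print("multi-stage hosts:", hosts_with_chain(result))
```

Each rule on its own is noisy (administrators do add Defender exclusions and create scheduled tasks); the value is in the per-host correlation, which is why `hosts_with_chain` requires several distinct stages before alerting. The benign `Get-ChildItem` PowerShell invocation on the second host is deliberately included to show it produces no finding.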

This tightly woven attack chain underscores how even seemingly harmless utilities can mask advanced threats and why vigilance and layered defenses are essential in today’s digital environment.
