Chinese Threat Group Silver Fox Delivers RATs and Rootkits via Fake Software Installers and Medical Imaging Tools
July 2nd, 2025
Severity Level: High

Technical Details
Threat Actor: Silver Fox (aka Void Arachne, “The Great Thief of the Valley”).
Severity: High.
Target Sectors: Chinese-speaking user base, healthcare providers, critical infrastructure.
Delivery Vectors:
Fake Chinese-language websites impersonating WPS Office, DeepSeek, and Sogou.
Weaponized MSI installers and PE executables.
Fake Philips DICOM imaging viewers.
Phishing, SEO poisoning, and gaming applications.
First identified in June 2024, Silver Fox has run multiple campaigns that use fake websites and spoofed installers to deploy Sainbox RAT (a Gh0st RAT variant), ValleyRAT (aka Winos 4.0), and the open-source ‘Hidden’ rootkit. The infection chain relies on DLL sideloading: a legitimate executable (shine.exe) loads a malicious libcef.dll, which reads shellcode from a .txt file and reflectively loads the embedded payload. The payloads include backdoors, keyloggers, persistence modules, and cryptocurrency miners. Samples are obfuscated and staged on cloud-hosted infrastructure such as Alibaba Cloud.
Our Cyber Threat Intelligence Unit has identified an ongoing campaign orchestrated by the China-linked group Silver Fox (also referred to as Void Arachne). The group is distributing malware through fake software websites and weaponized medical imaging tools, targeting individual users and critical-infrastructure sectors such as healthcare. It combines DLL sideloading, process injection, and rootkit-based stealth to deploy Sainbox RAT, ValleyRAT, and the ‘Hidden’ rootkit. Victims are lured through phishing, SEO poisoning, and spoofed websites that impersonate trusted software such as WPS Office and Philips DICOM viewers. These techniques give the group persistent, covert access that evades signature-based detection.

Impact
Successful infection can result in:
Full system compromise via backdoors and rootkits.
Stealthy persistence through registry and driver manipulation.
Credential harvesting, keylogging, and potential lateral movement.
Healthcare exposure through infected patient devices and fake DICOM tools.
Cloud-based malware delivery, evading perimeter defenses.
Crypto mining and data exfiltration via ValleyRAT and associated payloads.
Silver Fox's continued use of trusted software brands and legitimate carrier executables (e.g., Microsoft-signed packages, DICOM viewers) lowers user suspicion and defeats legacy AV. Its tooling suppresses endpoint detection through DLL sideloading, indirect API calls, and termination of AV processes with tools such as TrueSightKiller.
Detection Method
To identify signs of exposure or exploitation:
Analyze DNS, firewall, and proxy logs for access to suspicious Chinese-language software sites.
Inspect file systems for shine.exe and libcef.dll sitting side by side outside a vendor install directory (the sideloading pair), and for MediaViewerLauncher.exe.
Monitor for:
MSI/PE execution from unknown directories.
Downloads of encrypted or .txt payloads from Alibaba Cloud storage or unfamiliar domains.
Registry keys modified for persistence.
Scheduled tasks created post-installation.
Watch for usage of known AV-killer tools (e.g., TrueSightKiller).
Check for obfuscated shellcode or dropped .txt files in installers.
Scan endpoints for unauthorized or unsigned kernel drivers and for minifilter-based rootkit behaviour (files, registry keys, or processes hidden from user-mode tools).
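As an added illustration of the detection logic above (example code written for this page, not part of the original advisory or of any vendor tooling), the following Python script applies those rules to constructed, Sysmon-like events: DNS/proxy contact with listed domains, .txt payload fetches from cloud storage, MSI/PE execution from user-writable paths, the shine.exe/libcef.dll sideloading pair, the dropped 1.txt shellcode carrier, AV-killer execution, and driver loads from non-standard paths. The event shape, the sample paths, and the *.aliyuncs.com pattern used for Alibaba Cloud storage are assumptions made for the example; the domain, hash, and file-name indicators are the ones listed in this advisory.

```python
from __future__ import annotations
import re


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as wpsice[.]com back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


# Indicators copied from the advisory's IoC table.
IOC_DOMAINS = {refang(d) for d in ("wpsice[.]com", "deepseekai[.]xyz")}
IOC_SHA256 = {"ba9cf6a733d207df0b35153e37b8963a5c49091ea420fb31786d404ebf4e78d3"}
SIDELOAD_HOST, SIDELOAD_DLL = "shine.exe", "libcef.dll"
SHELLCODE_CARRIER = "1.txt"
AV_KILLERS = {"truesightkiller.exe"}
FAKE_LOADERS = {"mediaviewerlauncher.exe"}

# Directories a standard user can write to; installers and PEs should not normally run from here.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)|windows\\temp|programdata)\\",
    re.IGNORECASE,
)
DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.IGNORECASE)
MSI_PATH = re.compile(r"[a-z]:\\[^\s\"]+\.msi", re.IGNORECASE)
# Assumption for this example: Alibaba Cloud object storage is served from *.aliyuncs.com.
CLOUD_STORAGE = re.compile(r"(^|\.)aliyuncs\.com$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Apply the advisory's detection rules to one normalised event and return the hits."""
    hits: list[str] = []
    kind = ev["type"]
    if kind in ("dns", "proxy"):
        host = ev["host"].lower()
        if host in IOC_DOMAINS:
            hits.append(f"contact with known Silver Fox domain {host}")
        if kind == "proxy" and CLOUD_STORAGE.search(host) and ev.get("path", "").lower().endswith(".txt"):
            hits.append(f"text-file payload fetched from cloud storage {host}{ev['path']}")
    elif kind == "process":
        name = basename(ev["image"])
        if name in AV_KILLERS:
            hits.append(f"AV-killer tool executed: {name}")
        if name in FAKE_LOADERS:
            hits.append(f"fake DICOM viewer loader executed: {name}")
        if ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append(f"{name} matches known Sainbox RAT installer hash")
        if USER_WRITABLE.match(ev["image"]):
            hits.append(f"PE executed from user-writable path {ev['image']}")
        if name == "msiexec.exe":
            for msi in MSI_PATH.findall(ev.get("cmdline", "")):
                if USER_WRITABLE.match(msi):
                    hits.append(f"MSI installed from user-writable path {msi}")
    elif kind == "imageload":
        if basename(ev["image"]) == SIDELOAD_HOST and basename(ev["loaded"]) == SIDELOAD_DLL:
            hits.append(f"DLL sideloading pair: {ev['image']} loaded {ev['loaded']}")
    elif kind == "filecreate":
        if basename(ev["target"]) == SHELLCODE_CARRIER:
            hits.append(f"shellcode carrier {SHELLCODE_CARRIER} written by {basename(ev['image'])}")
    elif kind == "driverload":
        reasons = []
        if not DRIVER_DIR.match(ev["image"]):
            reasons.append("non-standard path")
        if not ev.get("signed", False):
            reasons.append("unsigned")
        if reasons:
            hits.append(f"driver {basename(ev['image'])} loaded ({', '.join(reasons)}); check for Hidden rootkit")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through the rules; returns (event index, finding) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
SAMPLE_EVENTS = [
    {"type": "dns", "host": "wpsice.com"},
    {"type": "proxy", "host": "bucket.oss-cn-hangzhou.aliyuncs.com", "path": "/1.txt"},
    {"type": "process", "image": r"C:\Users\li\Downloads\WPS-Setup.exe"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\li\AppData\Local\Temp\wps_office.msi /qn"},
    {"type": "imageload", "image": r"C:\ProgramData\WPS\shine.exe", "loaded": r"C:\ProgramData\WPS\libcef.dll"},
    {"type": "filecreate", "image": r"C:\ProgramData\WPS\shine.exe", "target": r"C:\ProgramData\WPS\1.txt"},
    {"type": "process", "image": r"C:\Users\li\AppData\Local\Temp\TrueSightKiller.exe"},
    {"type": "driverload", "image": r"C:\ProgramData\WPS\driver.sys", "signed": False},
    {"type": "process", "image": r"C:\Program Files\WPS Office\wps.exe"},  # benign
    {"type": "dns", "host": "www.microsoft.com"},                          # benign
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The rules are deliberately narrow (exact file-name pairs, listed domains, user-writable roots) so they stay low-noise; when feeding real telemetry, normalise paths and hostnames to lowercase first and extend USER_WRITABLE to match your environment's staging directories.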
Indicators of Compromise
Type | Indicator | Description
File Name | shine.exe | Legitimate executable used to sideload malicious DLLs
File Name | libcef.dll | Malicious DLL used in the DLL sideloading chain
File Name | 1.txt | Contains shellcode used to reflectively load additional malware
File Name | MediaViewerLauncher.exe | First-stage loader disguised as a Philips DICOM viewer
File Name | TrueSightKiller.exe | Open-source AV-killer tool used to terminate security processes
File Hash (SHA256) | ba9cf6a733d207df0b35153e37b8963a5c49091ea420fb31786d404ebf4e78d3 | Sainbox RAT installer (used in ClickOnce campaign, also seen in Silver Fox TTPs)
Domain | wpsice[.]com | Fake WPS Office site distributing malicious installers
Domain | deepseekai[.]xyz | Fake DeepSeek software site used in infection campaigns

Recommendations
Block access to known malicious domains (e.g., wpsice[.]com) and enforce URL filtering.
Harden email and endpoint defenses against MSI and PE-based malware delivery.
Use allow-listing to prevent unapproved software installations.
Monitor for unexpected file system or registry changes linked to malware persistence.
Update AV/EDR signatures and behavioural rules to cover the evasion tactics in use (rootkit driver loading, AV process termination, obfuscated shellcode loaded from .txt files).
Apply network segmentation to isolate patient devices and unknown endpoints in hospital settings.
Educate staff and users on the importance of avoiding downloads from unofficial websites.
Hunt for AV-killer tools and suspicious task scheduler entries.
Conclusion
Silver Fox’s campaign poses a significant risk to both individual users and critical sectors, such as healthcare. Their ability to disguise malware as trusted applications, from office software to medical imaging tools, makes their attacks highly effective and difficult to detect. The use of DLL sideloading, stealth rootkits, modular loaders, and cloud-hosted payloads allows them to maintain long-term access with minimal user interaction. We urge organizations, especially those in healthcare and government, to proactively enhance their security measures, isolate untrusted devices, and search for signs of this persistent threat actor.
References
https://thehackernews.com/2025/06/chinese-group-silver-fox-uses-fake.html
https://www.securityweek.com/chinese-hackers-target-chinese-users-with-rat-rootkit
https://www.onsitecomputing.net/2025/06/27/chinese-group-silver-fox-uses-fake-html
https://www.infosecurity-magazine.com/news/chinese-silver-fox-backdoors
https://www.hipaajournal.com/silver-fox-threat-group-targets-healthcare-dicom-installers