New research from Forescout Technologies’ Vedere Labs confirms that the healthcare sector continues to be a prime target for ransomware attacks. However, the threats facing this sector are not limited to ransomware. The researchers also identified a campaign by the China-based APT group Silver Fox that used trojanized Philips DICOM viewers to install a backdoor, a keylogger, and a cryptocurrency miner on victim computers.
“While many of those attacks involved ransomware, impacting data availability and potentially disrupting patient care, other threats to healthcare organizations directly exploit medical applications,” Amine Amri, Sai Molige, and Daniel dos Santos of Forescout Research – Vedere Labs wrote in a company blog post. “During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used by the Chinese threat actor Silver Fox to gain control of victim computers. In addition to the backdoor, victims were also infected with a keylogger and a crypto miner, a behavior not previously associated with this threat actor.”
Silver Fox, also known as Void Arachne and The Great Thief of Valley, is an APT that has historically targeted Chinese-speaking victims and has been highly active since 2024.
Over the past year, the group has demonstrated evolving tactics, techniques, and procedures (TTPs), shifting its focus to a broader range of targets. Last June, Silver Fox was first identified targeting Chinese victims with malware that downloaded the trojan Winos 4.0, also known as ValleyRAT. This campaign leveraged SEO poisoning, social media, and messaging platforms to distribute malware disguised as AI applications or VPN software. Later that month, the group was observed deploying a modified version of ValleyRAT incorporating DLL sideloading, process injection, and an HTTP File Server (HFS) for payload download and command-and-control (C2).
By July, a new analysis suggested that Silver Fox may be an APT masquerading as cyber criminals, as its targeting shifted to governmental institutions and cybersecurity companies. In August, a further campaign targeted e-commerce, finance, sales, and management enterprises; while by September, the group was observed using a TrueSight driver to disable antivirus software. In November, Silver Fox shifted its Winos/ValleyRAT distribution methods, leveraging gaming applications as a new delivery mechanism.
In January this year, the PNGPlug loader was first identified as part of the group’s TTPs, and this month, a new campaign was identified targeting finance, accounting, and sales professionals, aiming to steal sensitive data.
“The new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors,” the researchers noted. “Additionally, the group’s use of a crypto miner, detailed below, indicates the introduction of new TTPs into their campaigns.”
Forescout detailed that once downloaded, the Silver Fox malware decrypts its payloads and generates a malicious executable (the second-stage malware), which is registered as a Windows scheduled task. The task executes immediately and is configured to run at every user login, ensuring persistence on the infected system.
The second-stage malware loads the Cyren AV DLL, which contains injected code designed to evade debugging. It then enumerates system processes to identify various security products (listed at the end of Forescout’s report) and terminates them using TrueSightKiller.
“Once security defenses are disabled, the second stage downloads an encrypted file, decrypting it into the third-stage payload, the ValleyRAT backdoor and loader module, which communicates with a C2 server hosted in Alibaba Cloud,” the post added.
“ValleyRAT then retrieves additional encrypted payloads which, once decrypted, function as a keylogger and a crypto miner. All three final payloads (backdoor, keylogger, and crypto miner) achieve persistence on the victim through scheduled tasks. At the time of this analysis, the Alibaba Cloud storage buckets remained accessible, but the C2 server was already offline.”
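The persistence mechanism described above (a scheduled task that fires at every logon, created for each of the three final payloads) is something defenders can triage from exported task definitions. The following is an added example, not code from Forescout or the report; it assumes task XML as produced by `schtasks /query /tn <name> /xml` or read from `%SystemRoot%\System32\Tasks`, and it flags logon-triggered tasks whose action runs from outside the usual system directories. The two task definitions are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a task action normally runs from; anything else (user profile,
# temp, ProgramData) deserves a closer look when paired with a logon trigger.
TRUSTED_PREFIXES = (r"c:\windows\\", r"c:\program files\\", r"c:\program files (x86)\\")


def audit_task_xml(xml_text: str) -> dict:
    """Summarise one Task Scheduler XML definition for persistence triage."""
    root = ET.fromstring(xml_text)
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [el.tag.split("}")[-1] for el in trig_el]
    cmds = [(el.text or "").strip() for el in root.iterfind("t:Actions/t:Exec/t:Command", NS)]
    untrusted = [c for c in cmds if not c.strip('"').lower().startswith(TRUSTED_PREFIXES)]
    return {
        "logon_persistence": "LogonTrigger" in triggers,       # runs at every logon
        "runs_on_registration": "RegistrationTrigger" in triggers,  # runs immediately
        "commands": cmds,
        "flag": "LogonTrigger" in triggers and bool(untrusted),
    }


# Constructed sample definitions (hypothetical names and paths, not IoCs).
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""

SUSPECT_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\\Users\\pat\\AppData\\Roaming\\viewer\\svc.exe</Command></Exec></Actions>
</Task>"""


def triage(definitions: list[str]) -> list[dict]:
    """Audit several exported task definitions and return only the flagged ones."""
    return [r for r in (audit_task_xml(x) for x in definitions) if r["flag"]]


if __name__ == "__main__":
    for finding in triage([BENIGN_TASK, SUSPECT_TASK]):
        print(finding)
```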
Each stage of the malware incorporates encryption, obfuscation, and evasion techniques to resist detection and analysis. The obfuscation methods cover API hashing to conceal function calls; indirect API retrieval to avoid static analysis; and indirect control flow manipulation to hinder debugging and reverse engineering. The evasion techniques include long sleep intervals to delay execution and evade sandbox detection; system fingerprinting to tailor execution based on the target environment; masked DLL loading to avoid security monitoring; and RPC-based task scheduling and driver loading to bypass standard process monitoring.
The malware also adds random bytes to both dropped and loaded files, so that no two copies share a file hash, which makes detection and hash-based hunting significantly more challenging.
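One way hunters can keep hash matching useful against this padding is to hash only the part of a PE file that the loader actually maps (headers plus section data) and ignore any trailing overlay. The following is an added example, not code from Forescout or the report; it assumes the random bytes land as a trailing overlay after the last section (a common placement, though the report does not say where the bytes are added), and builds a constructed minimal PE layout rather than using any real sample.

```python
import hashlib
import os
import struct

# Offsets and sizes from the PE/COFF file format.
E_LFANEW_OFFSET = 0x3C        # DOS header field pointing at the "PE\0\0" signature
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_content_end(data: bytes) -> int:
    """Offset one past the last section's raw data; everything after is overlay."""
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_hdr_size, = struct.unpack_from("<H", data, pe_off + 20)
    sect_table = pe_off + 4 + COFF_HEADER_SIZE + opt_hdr_size
    end = sect_table + num_sections * SECTION_HEADER_SIZE   # headers at minimum
    for i in range(num_sections):
        hdr = sect_table + i * SECTION_HEADER_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def overlay_insensitive_sha256(data: bytes) -> str:
    """SHA-256 over the mapped portion only, so appended junk does not change it."""
    return hashlib.sha256(data[:pe_content_end(data)]).hexdigest()


def build_toy_pe(section_payload: bytes) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header, one section, no optional header."""
    pe_off = 0x40
    sect_table = pe_off + 4 + COFF_HEADER_SIZE          # SizeOfOptionalHeader = 0
    raw_ptr = sect_table + SECTION_HEADER_SIZE
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_payload), 0x1000,
                                         len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + section_payload


def demo() -> dict:
    """Show that padding changes the full-file hash but not the content hash."""
    clean = build_toy_pe(b"\x90" * 64)
    padded = clean + os.urandom(32)                        # the random-byte trick
    return {
        "full_hash_differs": hashlib.sha256(clean).digest() != hashlib.sha256(padded).digest(),
        "content_hash_same": overlay_insensitive_sha256(clean) == overlay_insensitive_sha256(padded),
        "overlay_bytes": len(padded) - pe_content_end(padded),
    }
```

Section-bounded hashes are only one signal; they can still be defeated if the padding is placed inside a section, so pair them with the behavioural indicators above (logon-triggered tasks, AV process termination).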
The Silver Fox campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain.
“While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant,” Forescout observed. “In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.”
To minimize risk and prevent unauthorized access, healthcare delivery organizations (HDOs) should implement several risk mitigation measures, including avoiding downloading software or files from untrusted sources; prohibiting loading of files from patient devices onto healthcare workstations or other network-connected equipment; and implementing strong network segmentation to isolate untrusted devices and networks (e.g. guest Wi-Fi) from internal hospital infrastructure.
They must also ensure that endpoints are protected with up-to-date antivirus or EDR solutions; continuously monitor network traffic and endpoint telemetry for suspicious activity; and proactively hunt for malicious activity that aligns with known threat actor behavior, ensuring early detection and response.