Related Families: ValleyRAT
Verticals Targeted: Medical
Executive Summary
Chinese threat actor Silver Fox was recently observed targeting medical devices in a sophisticated campaign that delivers multiple malware families, including ValleyRAT.
Key Takeaways
- Chinese threat actor Silver Fox was recently observed targeting medical devices in a sophisticated campaign that delivers multiple malware families, including ValleyRAT.
- In the campaign, the threat actors weaponized DICOM viewers, which are used for medical imaging, to deliver a multi-stage malware payload.
- The activity began in mid-2024 and has continued into early 2025.
- Silver Fox is a China-nexus threat actor group that was previously known for financially motivated crime and has apparently shifted its focus to healthcare targets.
The Campaign
Chinese threat actor Silver Fox was recently observed targeting medical devices in a sophisticated campaign that delivers multiple malware families, including ValleyRAT. Silver Fox has shifted its focus to the healthcare sector, weaponizing DICOM viewers—software critical for viewing medical imaging like X-rays and MRIs—into a delivery mechanism for a multi-stage malware payload. Forescout reported on this activity and clarified they did not specifically observe Philips brand DICOM viewers being compromised.
The operation has been evolving since mid-2024. Between July 2024 and January 2025, Forescout researchers identified 29 malicious samples uploaded from North American IP ranges (US and Canada). The attack chain itself is built to evade detection and to persist once it has a foothold. Infected endpoints, particularly in “hospital-at-home” scenarios or on patient-owned devices, could serve as vectors into clinical networks, threatening data integrity or operational continuity.
The infection process unfolds methodically. Initial execution triggers lightweight reconnaissance (system pings and an external IP lookup), followed by the addition of Windows Defender exclusions for the directories the malware will use, so that later stages are not scanned. The malware then retrieves encrypted payloads from an Alibaba Cloud storage bucket; using legitimate cloud infrastructure lets the download traffic blend in with normal activity. Among the tools deployed is TrueSightKiller, a bring-your-own-vulnerable-driver (BYOVD) tool that abuses a legitimately signed driver to terminate antivirus and EDR processes, paving the way for heavier components: ValleyRAT, a remote access Trojan that gives the operator full control of the host; a keylogger for credential theft; and a cryptominer that consumes system resources. The evasion techniques in play, including API hashing (resolving Windows API functions by hash rather than by name, which defeats static import analysis), prolonged sleep intervals to outlast sandbox analysis, and multi-layered encryption of the payloads, underscore the group’s technical sophistication.
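Two of the behaviours in that chain, reconnaissance followed within seconds by a Windows Defender exclusion change, are visible in telemetry most hospitals already collect (Sysmon process-creation events and Defender Operational log Event ID 5007). The following Python script is an added example, not code from the original report or from Forescout, that correlates the two on a per-host basis and scores the result. The event records, hostnames, paths, the ping target and the IP-lookup service names are constructed or assumed for illustration; the report itself names none of them.

```python
"""Correlate recon-then-Defender-exclusion activity in exported Windows telemetry."""
import re
from datetime import datetime, timedelta

# How long after a recon command an exclusion change is still treated as related.
WINDOW = timedelta(minutes=10)  # assumption; tune for your environment

# The report says only "system pings and IP lookup"; these lookup service names are
# common choices assumed here for illustration, not indicators from the report.
IP_LOOKUP_RE = re.compile(r"ipify|ip-api|ifconfig\.me|icanhazip|ipinfo\.io|checkip", re.I)

# Defender Event ID 5007 quotes the changed registry value, e.g.
#   New value: HKLM\...\Windows Defender\Exclusions\Paths\C:\Users\Public\ = 0x0
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Processes|Extensions)\\(.+?) = 0x", re.I)

# Exclusions under user-writable locations are where malware stages itself (heuristic).
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)

# Constructed sample events, not real telemetry. "Sysmon"/1 is process creation,
# "Defender"/5007 is a configuration change. Timestamps are ISO 8601, UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T09:12:01", "source": "Sysmon", "id": 1, "host": "WS-IMG-07",
     "image": "C:\\Windows\\System32\\PING.EXE", "cmd": "ping -n 1 8.8.8.8",
     "parent": "C:\\Users\\imaging\\Downloads\\MediaViewerLauncher.exe"},
    {"ts": "2025-01-14T09:12:03", "source": "Sysmon", "id": 1, "host": "WS-IMG-07",
     "image": "C:\\Windows\\System32\\curl.exe", "cmd": "curl http://api.ipify.org",
     "parent": "C:\\Users\\imaging\\Downloads\\MediaViewerLauncher.exe"},
    {"ts": "2025-01-14T09:12:20", "source": "Defender", "id": 5007, "host": "WS-IMG-07",
     "message": "Microsoft Defender Antivirus Configuration has changed. Old value: "
                " New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
                "\\Paths\\C:\\Users\\Public\\ = 0x0"},
    # Benign noise: an admin exclusion on a backup volume with no preceding recon.
    {"ts": "2025-01-14T11:40:00", "source": "Defender", "id": 5007, "host": "WS-ADM-01",
     "message": "Microsoft Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
                "\\D:\\Backups\\ = 0x0"},
    # Benign noise: an IT script pinging a file server, nothing follows it.
    {"ts": "2025-01-14T12:00:00", "source": "Sysmon", "id": 1, "host": "WS-ADM-01",
     "image": "C:\\Windows\\System32\\PING.EXE", "cmd": "ping -n 1 fileserver",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
]


def is_recon(ev):
    """True for a process-creation event that looks like a ping or an IP lookup."""
    if ev["source"] != "Sysmon" or ev["id"] != 1:
        return False
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    return image == "ping.exe" or bool(IP_LOOKUP_RE.search(ev["cmd"]))


def parse_exclusion(ev):
    """Return (kind, value) for a 5007 event that sets an exclusion, else None."""
    if ev["source"] != "Defender" or ev["id"] != 5007:
        return None
    m = EXCLUSION_RE.search(ev["message"])
    return (m.group(1).lower(), m.group(2)) if m else None


def correlate(events, window=WINDOW):
    """Flag exclusion changes preceded by recon on the same host within `window`."""
    evs = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for ev in evs:
        excl = parse_exclusion(ev)
        if excl is None:
            continue
        kind, value = excl
        t_excl = datetime.fromisoformat(ev["ts"])
        recon = [r for r in evs if r["host"] == ev["host"] and is_recon(r)
                 and 0 <= (t_excl - datetime.fromisoformat(r["ts"])).total_seconds()
                 <= window.total_seconds()]
        writable = bool(USER_WRITABLE_RE.match(value))
        if not recon and not writable:
            continue  # an exclusion on its own, outside user space, is routine admin work
        alerts.append({
            "host": ev["host"], "time": ev["ts"], "exclusion": f"{kind}:{value}",
            "severity": "high" if recon and writable else "medium",
            "recon_cmds": [r["cmd"] for r in recon],
            "parents": sorted({r["parent"] for r in recon}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The parent-process field is what turns a correlation into a lead: in the constructed sample the recon commands are children of the trojanized viewer, so the alert names the binary to pull for analysis. Feed the script the output of a Sysmon and Defender Operational log export rather than the inline sample to run it for real.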
Who is Silver Fox?
Silver Fox, also known as Void Arachne or The Great Thief of Valley, is a China-nexus threat actor group. The group has been active since at least 2023 and is known to target Chinese-speaking users with trojanized software (AI tools, VPNs, and gaming utilities), often distributed through Telegram or compromised websites. The group’s 2023 targeting of government and security entities hints at potential APT affiliations, masked under a veneer of financially motivated crime.
Their latest pivot, however, centers on healthcare, with malicious samples masquerading as the DICOM viewer’s MediaViewerLauncher.exe. While Silver Fox’s prior campaigns suggest a profit-driven motive, with cryptomining and credential harvesting feeding underground markets, the healthcare focus raises red flags. PolySwarm analysts consider Silver Fox to be an evolving threat.
IOCs
PolySwarm has multiple samples associated with this activity. You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -t SilverFox
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.