A sophisticated malware campaign is actively distributing trojanized installers for popular applications like Telegram, WinSCP, Google Chrome, and Microsoft Teams to deploy ValleyRat, a potent remote access trojan. This campaign has been attributed to Silver Fox, a China-aligned advanced persistent threat (APT) group observed to be active since at least 2022. The threat actors are leveraging user trust in legitimate software to silently infiltrate systems, aiming for long-term compromise and data exfiltration.
Security researchers at Nextron Systems have meticulously detailed the entire infection chain, revealing a multi-layered approach to bypass defenses. The campaign utilizes cleverly disguised installers, sophisticated obfuscation techniques, and direct manipulation of endpoint security software to achieve its objectives. The primary distribution vector appears to be through spear-phishing emails or malicious advertisements that trick unsuspecting users into downloading what they believe to be genuine software packages.
Silver Fox Exploits Popular Apps for Data Theft with ValleyRat Malware
The malicious campaign orchestrated by Silver Fox centers on the deceptive distribution of compromised software installers. One prominent example identified by Nextron Systems involves a trojanized Telegram installer, identified by the SHA-256 hash 9ede6da5986d8c0df3367c395b0b3924ffb12206939f33b01610c1ae955630d1. This malicious file mimics the legitimate Telegram Desktop 6.0.2 interface, aiming to lull recipients into a false sense of security. However, subtle anomalies, such as a compiled PE header timestamp from 2019 and an unusually late first VirusTotal submission in August 2025, should raise suspicion.
Once executed, the deceptive installer initiates a covert process. It establishes a dedicated directory, typically C:\ProgramData\WindowsData, and stores essential malicious components there. Among these are a renamed 7-Zip binary (funzip.exe) and an encrypted archive masquerading as main.xml. This multi-stage deployment is crucial for evading initial detection by security software.
Infection Mechanism and Defense Evasion Tactics
A key defense evasion tactic employed by this campaign is the disabling of security software. The malware leverages PowerShell to create a broad exclusion rule for Microsoft Defender, encompassing the entire C: drive. This effectively neutralizes real-time antivirus scanning, allowing subsequent stages of the attack to proceed unimpeded.
Following the creation of the exclusion, the malware proceeds to extract the contents of the encrypted archive. This is achieved using the dropped 7-Zip binary with a specific, embedded password: “htLcENyRFYwXsHFnUnqK”. This extraction process deploys the core orchestrator component, men.exe.
The men.exe executable performs critical environmental reconnaissance. It actively scans for running security processes, specifically targeting Microsoft Defender’s MsMpEng.exe, as well as prominent Chinese security solutions like ZhuDongFangYu.exe and 360tray.exe. This scanning helps the malware tailor its actions to avoid detection by the specific security tools present on the victim’s system. The threat actors aim to ensure their presence remains undetected for as long as possible.
Persistence is a critical objective for APT groups, and Silver Fox achieves this through the creation of a carefully disguised scheduled task. Named WindowsPowerShell.WbemScripting.SWbemLocator, this task is designed to mimic legitimate Windows system components. It is configured to periodically execute an encoded VBScript, which in turn activates the ValleyRat beacon. This beacon establishes and maintains command-and-control (C2) communications with remote servers, enabling the attackers to remotely control the compromised system, exfiltrate data, and potentially deploy further malicious payloads.
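A host-side hunt for the artifacts described in the preceding paragraphs, added here as an example and not taken from Nextron's report or from the campaign's own tooling. It assumes it is run from an elevated PowerShell session on a Windows 10/11 host with Microsoft Defender and the ScheduledTasks module present; the directory, file names, task name and installer hash are the values quoted in this article, and the Downloads-folder sweep is an assumption about where a trojanized installer would typically land.

```powershell
# Hunt for the Silver Fox / ValleyRat indicators quoted in the article above.
# Assumption: run as Administrator on the Windows host being examined.
$findings = @()

# 1. Defender exclusion covering a whole drive root (e.g. "C:\" or "C:\*"),
#    the broad rule the campaign adds via PowerShell to blind real-time scanning.
$prefs = Get-MpPreference
foreach ($p in @($prefs.ExclusionPath | Where-Object { $_ })) {
    if ($p -match '^[A-Za-z]:\\?\*?$') {
        $findings += "Defender exclusion for an entire drive: $p"
    }
}

# 2. Staging directory and dropped components (renamed 7-Zip, encrypted
#    archive disguised as XML, and the extracted orchestrator).
$stage = 'C:\ProgramData\WindowsData'
foreach ($name in 'funzip.exe', 'main.xml', 'men.exe') {
    $path = Join-Path $stage $name
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $findings += "Dropped component present: $path (SHA-256 $hash)"
    }
}

# 3. Scheduled task named to look like a WMI scripting component.
$taskName = 'WindowsPowerShell.WbemScripting.SWbemLocator'
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Suspicious scheduled task '$taskName' runs: $actions"
}

# 4. Trojanized Telegram installer hash from the report, checked against
#    every user's Downloads folder (assumed landing spot for the installer).
$knownBad = '9ede6da5986d8c0df3367c395b0b3924ffb12206939f33b01610c1ae955630d1'
Get-ChildItem -Path 'C:\Users\*\Downloads' -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        if ($h -ieq $knownBad) {
            $findings += "Known trojanized installer found: $($_.FullName)"
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Silver Fox / ValleyRat indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Any hit on the exclusion or task check should be treated as a high-confidence signal even without the file indicators, since both are artifacts the legitimate Telegram, WinSCP, Chrome and Teams installers never create.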
The broader implications of this campaign highlight the ongoing threat posed by sophisticated APT groups that continuously adapt their tactics. By exploiting the inherent trust users place in widely used software, Silver Fox demonstrates a strategic approach to infection. The successful deployment of ValleyRat suggests a continued focus on gaining and maintaining access to sensitive information and critical infrastructure. Organizations must remain vigilant, ensuring their security software is up-to-date and that users are educated about the risks of downloading software from untrusted sources. Further analysis from cybersecurity researchers will likely uncover additional details about the full scope of this campaign and the specific objectives of the Silver Fox group.