A new campaign attributed to the Silver Fox APT group distributes the ValleyRAT remote access trojan through a fake Telegram Chinese language pack installer, packaged to look like a harmless software update but serving purely as a delivery vehicle for the malware. The campaign is another instance of a resourceful actor reaching users through social engineering and legitimate-looking tools rather than through exploits.
The malicious installer, first identified on April 8, 2026, on the MalwareBazaar platform by security researcher CNGaoLing, represents a continuation of Silver Fox’s modus operandi. This group, also known by aliases such as SwimSnake and Void Arachne, has a well-documented history of impersonating popular Chinese-language software to compromise its targets. Previous operations by Silver Fox involved distributing malware through fake installers for applications like Teams, Zoom, and Signal, as well as emulating Taiwanese tax software.
The current campaign follows this pattern by embedding the ValleyRAT payload in what a user would take for a routine Telegram language configuration file. Chinese-speaking users generally regard such files as benign, which makes them an effective lure. Breakglass Intelligence analysts documented the operation and its six-stage infection chain, which is built specifically to evade the antivirus products common in the Chinese market, including Qihoo 360, Tencent PC Manager, and Huorong.
The Silver Fox Campaign Leverages Fake Installers for ValleyRAT Deployment
According to Breakglass Intelligence, the tooling, infrastructure, and operational behavior observed in this campaign align closely with the Silver Fox threat cluster. The primary malicious file is an MSI installer, internally named "IssueAccentRequest" and built on March 24, 2026, using the WiX Toolset. Notably, it is configured not to appear in the Windows Add/Remove Programs list (the standard way for an MSI to do this is to set the ARPSYSTEMCOMPONENT property, though the report does not say which mechanism this sample uses), so a casual inspection of installed software would not reveal it.
Once executed, the ValleyRAT payload connects to a command-and-control server at 118.107.43.65 on port 5040. The server is hosted by CTG Server Ltd in Hong Kong, a provider known for bulletproof hosting that has appeared in several earlier Silver Fox operations. The implant is not a single binary: a secondary component, "DesignAccent.exe," is installed as a scheduled task and is believed to capture screenshots and possibly to carry covert steganographic communication.
A critical element of the malware's evasion strategy is the wnBios kernel rootkit, delivered with a "Bring Your Own Vulnerable Driver" (BYOVD) technique: a legitimately signed but vulnerable driver is loaded and abused to give the attacker direct read and write access to physical memory. With that primitive, the adversary can disable kernel-level security tooling and hide the malware from the operating system's own monitoring. Because the abused driver carries a valid signature, Driver Signature Enforcement alone does not stop it; enforcing the Microsoft vulnerable driver blocklist (through HVCI or a WDAC policy) is the control that actually blocks the load.
The Six-Stage Infection Chain Unpacked
The technical sophistication of this campaign is most evident in its six-step infection process, which takes the victim's system from a seemingly innocuous MSI file to a full ValleyRAT compromise. When the victim runs "a.msi," a VBScript custom action fires immediately after file extraction. The script runs with full SYSTEM privileges (a deferred custom action with impersonation disabled executes as LocalSystem rather than as the logged-on user) and drops a legitimate, signed copy of the zpaqfranz archiver, renamed to "KhDzetMjQMsAGYw.exe."
This signed tool is used in the style of a living-off-the-land binary to unpack two nested ZPAQ archives. The outer archive is unencrypted; the inner one requires the password "1427aafwqYOGGlOahjE." A final XOR decoding step, with key 0x38 applied to every 56th byte, reveals the actual payload. Security teams should treat any execution of zpaqfranz outside controlled developer or backup environments as a high-priority event; it is a niche archiver that has no business running on an ordinary workstation.
The infection chain is adaptive: it chooses its execution path based on which antivirus products are present. If a WMI query finds Qihoo 360 or Tencent PC Manager running, the installer switches to a more evasive DLL sideloading route, placing malicious copies of "powrprof.dll" and "wsc.dll" next to a legitimate, signed ByteDance binary, "SodaMusicLauncher.exe." Because the malicious code is then loaded by a trusted signed process, it inherits the trust that Chinese-market security products typically extend to such binaries. When no major antivirus is detected, the payload is executed directly from a path on the C: drive, skipping the sideloading detour.
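The final XOR stage described above is the one step of the chain a responder can reproduce offline. The following is an added example, not code from the report or from Breakglass Intelligence: it undoes "key 0x38 applied to every 56th byte." The write-up does not say whether the first touched offset is 0 or 55, so both readings are tried and the one that yields a valid PE header is kept. The sample payload is constructed for the demonstration; the key and stride are the page's, everything else is an assumption.

```python
# Added example (not from the report): reverse the XOR stage with key 0x38
# on every 56th byte, trying both stride alignments and keeping the one
# that produces a PE image. The "payload" below is constructed for the demo.
import struct

XOR_KEY = 0x38
XOR_STRIDE = 56


def xor_every_nth(data: bytes, key: int = XOR_KEY, stride: int = XOR_STRIDE,
                  first: int = 0) -> bytes:
    """XOR the bytes at offsets first, first+stride, first+2*stride, ... with key.
    XOR is its own inverse, so the same call both obfuscates and recovers."""
    out = bytearray(data)
    for i in range(first, len(out), stride):
        out[i] ^= key
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes):
    """Return (payload, first_offset) for whichever alignment yields a PE,
    or None if neither does (wrong key, wrong stride, or not this stage)."""
    for first in (0, XOR_STRIDE - 1):          # "every 56th byte" read both ways
        candidate = xor_every_nth(blob, first=first)
        if looks_like_pe(candidate):
            return candidate, first
    return None


def _build_fake_pe() -> bytes:
    """Constructed stand-in for the real payload: a minimal DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature at 0x80, then filler bytes."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    body = b"PE\x00\x00" + bytes((i * 37) & 0xFF for i in range(300))
    return bytes(hdr) + body


SAMPLE_PAYLOAD = _build_fake_pe()
SAMPLE_BLOB = xor_every_nth(SAMPLE_PAYLOAD)   # what the inner archive would yield

if __name__ == "__main__":
    result = recover_payload(SAMPLE_BLOB)
    print("no PE found" if result is None else f"recovered PE, first offset {result[1]}")
```

On a real sample, feed the bytes extracted from the inner ZPAQ archive to `recover_payload`; a `None` result means the key, stride, or stage order in the write-up does not match the variant in hand, which is worth knowing before spending time in a debugger.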
To mitigate this threat, security teams should block the C2 address 118.107.43.65 at the perimeter and consider blocking the wider CTG Server netblock 118.107.40.0/21 (check for legitimate traffic to that range first; it belongs to a hosting provider, not only to this actor). Alerts should be configured for MSI installations whose VBScript custom actions have type 7238 and go on to launch PowerShell. Type 7238 decodes to a VBScript action stored in the MSI Binary table that is deferred, marked NoImpersonate and 64-bit, and set to continue on error; deferred plus NoImpersonate is precisely the combination that runs as LocalSystem. Hunt for the process names "GjdLUhqZIJJB.exe," "SingMusice.exe," and "DesignAccent.exe," treat any zpaqfranz execution on a standard workstation (including under the renamed "KhDzetMjQMsAGYw.exe," which a check of the binary's original file name will expose) as an incident, look for an "AppShellElevationService" registered with a non-standard binary path, and watch kernel driver load events whose PDB path matches wnBios. Chinese-speaking users should obtain language packs and configuration files only from official application channels.
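The hunts above, written out as rules over constructed telemetry. This is an added example, not detection content from the report: the event shape is a simplified Sysmon-style dictionary, the `original_file_name` field, the baseline path for `AppShellElevationService`, and the PDB substring match are assumptions, and the sample events are constructed. The indicators themselves (the /21, the file names, the service name, the wnBios PDB, custom action type 7238) are the page's; the type decoding uses the documented Windows Installer `msidbCustomActionType` bit values.

```python
# Added example (not from the report): the page's hunts as rules over
# constructed Sysmon-like events, plus a decoder for MSI custom action
# type 7238 using the documented msidbCustomActionType bit layout.
import ipaddress
import ntpath

C2_NETBLOCK = ipaddress.ip_network("118.107.40.0/21")   # contains 118.107.43.65
SUSPECT_IMAGES = {"gjdluhqzijjb.exe", "singmusice.exe", "designaccent.exe",
                  "khdzetmjqmsagyw.exe"}                 # names given in the report

# CustomAction.Type: low nibble = base type, bits 4-5 = source, rest = flags
CA_BASE = {1: "DLL", 2: "EXE", 3: "TextData", 5: "JScript", 6: "VBScript", 7: "NestedMSI"}
CA_SOURCE = {0x00: "Binary table", 0x10: "Installed file", 0x20: "Directory", 0x30: "Property"}


def decode_custom_action_type(t: int) -> dict:
    deferred = bool(t & 0x400)        # msidbCustomActionTypeInScript
    no_impersonate = bool(t & 0x800)  # msidbCustomActionTypeNoImpersonate
    return {
        "base": CA_BASE.get(t & 0x0F, f"unknown({t & 0x0F})"),
        "source": CA_SOURCE[t & 0x30],
        "continue_on_error": bool(t & 0x40),
        "deferred": deferred,
        "rollback": deferred and bool(t & 0x100),
        "commit": deferred and bool(t & 0x200),
        "no_impersonate": no_impersonate,
        "script64": bool(t & 0x1000),
        # deferred + NoImpersonate is what makes the action run as LocalSystem
        "runs_as_system": deferred and no_impersonate,
    }


def risky_custom_action(t: int) -> bool:
    """Alert condition for an MSI's CustomAction table: a script action that
    will execute as SYSTEM, which is how 7238 behaves."""
    d = decode_custom_action_type(t)
    return d["base"] in ("VBScript", "JScript") and d["runs_as_system"]


def check_event(ev: dict) -> list:
    """Return the names of the rules an event trips (empty list = clean)."""
    hits = []
    kind = ev["kind"]
    if kind == "network" and ipaddress.ip_address(ev["dst_ip"]) in C2_NETBLOCK:
        hits.append("c2_netblock")
    elif kind == "process":
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        orig = ev.get("original_file_name", "").lower()   # survives a rename
        if image in SUSPECT_IMAGES:
            hits.append("known_filename")
        if image == "zpaqfranz.exe" or orig == "zpaqfranz.exe":
            hits.append("zpaqfranz_exec")
        if parent == "msiexec.exe" and image in ("powershell.exe", "pwsh.exe"):
            hits.append("msiexec_spawns_powershell")
    elif kind == "service":
        path = ev["image_path"].lower()
        # assumed baseline: the legitimate service lives under Windows or Program Files
        if ev["name"] == "AppShellElevationService" and not path.startswith(
                ("c:\\windows\\", "c:\\program files")):
            hits.append("appshell_service_odd_path")
    elif kind == "driver_load" and "wnbios" in ev.get("pdb_path", "").lower():
        hits.append("wnbios_driver")
    return hits


def triage(events: list) -> dict:
    """Map event id -> rule hits, keeping only events that tripped something."""
    return {ev["id"]: h for ev in events if (h := check_event(ev))}


# Constructed sample telemetry (paths and the PDB string are made up for the demo).
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 2, "kind": "process", "image": r"C:\Users\Public\KhDzetMjQMsAGYw.exe",
     "original_file_name": "zpaqfranz.exe", "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "kind": "network", "dst_ip": "118.107.43.65", "dst_port": 5040},
    {"id": 4, "kind": "service", "name": "AppShellElevationService",
     "image_path": r"C:\ProgramData\Update\DesignAccent.exe"},
    {"id": 5, "kind": "driver_load", "image": r"C:\Windows\Temp\drv.sys",
     "pdb_path": r"C:\build\wnBios\x64\Release\wnBios.pdb"},
    {"id": 6, "kind": "network", "dst_ip": "13.107.42.14", "dst_port": 443},      # benign
    {"id": 7, "kind": "process", "image": r"C:\Program Files\Git\usr\bin\bash.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                               # benign
]

if __name__ == "__main__":
    print(decode_custom_action_type(7238))
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

The zpaqfranz rule keys on the binary's original file name as well as its on-disk name, because the report says the tool is dropped under a random name; the custom action decoder is what turns the bare number 7238 into a reviewable statement about privilege (deferred, no impersonation, therefore LocalSystem) when triaging an MSI's CustomAction table.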
Campaigns like this one show threat actors continually refining their evasion techniques. Users and organizations within the Chinese-speaking community, or that interact with Chinese-language software, should remain vigilant: future iterations may use new lures or adjust the infection chain to sidestep the detections described here. Staying informed about emerging threats and running endpoint detection and response (EDR) tooling that can see process lineage, service registrations, and driver loads remain the most effective defenses against malware like ValleyRAT.

