- \n
- Healthcare remains a top target for ransomware. However,<\/strong> threats to the sector extend beyond ransomware.<\/strong><\/li>\n
- We identified a campaign by the China-based APT Silver Fox, which exploited Philips DICOM viewers to deploy a backdoor, keylogger, and a crypto miner on victim computers.<\/li>\n<\/ul>\n
Mitigation Recommendations for Healthcare Delivery Organizations (HDOs)<\/strong><\/p>\n
- \n
- Avoid downloading software or files from untrusted sources, including patient devices.<\/li>\n
- Implement network segmentation to isolate untrusted devices\/networks from internal systems.<\/li>\n
- Run up-to-date antivirus or endpoint detection and response (EDR) solutions.<\/li>\n
- Continuously monitor all network traffic and endpoint telemetry to detect the IoCs listed below.<\/li>\n<\/ul>\n
UPDATE:<\/strong> Forescout Research \u2013 Vedere Labs has no evidence that Philips or Philips medical devices were hacked to distribute malicious versions of their DICOM Viewer. The threat actor involved in this campaign is known for using techniques, such as phishing and watering holes to distribute malware. Past campaigns<\/a> targeting DICOM viewers (not from Philips) used the same techniques.<\/em><\/p>\n
\nHealthcare was the most targeted critical infrastructure<\/a> sector in both 2023 and 2024. While many of those attacks involved ransomware<\/a>, impacting data availability and potentially disrupting patient care, other threats to healthcare organizations directly exploit medical applications.<\/p>\n
During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT<\/a>, a backdoor remote access tool (RAT) used by the Chinese threat actor Silver Fox to gain control of victim computers. In addition to the backdoor, victims were also infected with a keylogger and a crypto miner, a behavior not previously associated with this threat actor.<\/p>\n
Below, we provide a detailed analysis of this new Silver Fox campaign and outline mitigation strategies to reduce risk.<\/p>\n
Identified Malware Cluster<\/h2>\n
The malware cluster we uncovered contained trojanized versions of
MediaViewerLauncher.exe<\/code>, the primary executable for the Philips DICOM viewer<\/a>. All identified samples were submitted to VirusTotal from the United States or Canada between December 2024 and January 2025.<\/p>\nPivoting off the initial 29 samples, we identified numerous additional instances masquerading as other types of software. These samples (collected between July 2024 and January 2025) exhibit common traits, such as PowerShell defense evasion techniques, distinctive process execution patterns, and shared file system artifacts.<\/p>\n
Notably, the samples demonstrate evolutionary behavior, suggesting ongoing malware development:<\/p>\n
- \n
- July 2024<\/strong>: 12 samples exhibited basic defense evasion, employing a single PowerShell exclusion command, simple process chains, and minimal use of system utilities.<\/li>\n
- August 2024<\/strong>: 13 samples introduced multiple PowerShell exclusion commands, more complex process chains, and expanded use of system utilities.<\/li>\n
- October 2024 – December 2024<\/strong>: 3 samples indicated further advancements incorporating additional exclusion paths and new file system actions.<\/li>\n
- January 2025<\/strong>: 2 samples demonstrated multiple layers of PowerShell commands, reflecting advanced evasion techniques.<\/li>\n<\/ul>\n
The latest malware samples masquerade as legitimate software, including
MediaViewerLauncher.exe<\/code> for the DICOM Viewer andemedhtml.exe<\/code> for EmEditor. Additionally, some samples were disguised as system drivers and utilities, such asx64DrvFx.exe<\/code>.<\/p>\nSilver Fox ATP History<\/h2>\n
Silver Fox, also known as Void Arachne<\/a> and The Great Thief of Valley<\/a>, is an APT that has historically targeted Chinese-speaking victims and has been highly active since 2024. Over the past year the group has demonstrated evolving tactics, techniques, and procedures (TTPs) shifting its focus to a broader range of targets:<\/p>\n
- \n
- June<\/strong> 2024:<\/strong> Silver Fox was first identified<\/a> targeting Chinese victims with malware that downloaded the trojan Winos 4.0, also known as ValleyRAT. This campaign leveraged SEO poisoning, social media and messaging platforms to distribute malware disguised as AI applications or VPN software.<\/li>\n
- June<\/strong> 2024:<\/strong> Later that month, the group was observed deploying a modified version of ValleyRAT<\/a> incorporating DLL sideloading, process injection, and an HTTP File Server (HFS) for download and command-and-control (C2).<\/li>\n
- July 2024:<\/strong> A new analysis<\/a> suggested that Silver Fox may be an APT masquerading as cybercriminals, as its targeting shifted to governmental institutions and cybersecurity companies.<\/li>\n
- August 2024:<\/strong> A further campaign<\/a> targeted e-commerce, finance, sales, and management enterprises.<\/li>\n
- September 2024:<\/strong> The group was observed<\/a> using a TrueSight driver to disable antivirus software.<\/li>\n
- November 2024:<\/strong> Silver Fox shifted its Winos\/ValleyRAT distribution methods<\/a>, leveraging gaming applications as a new delivery mechanism.<\/li>\n
- January 2025:<\/strong> The PNGPlug loader<\/a> was first identified as part of the group\u2019s TTPs.<\/li>\n
- February 2025:<\/strong> A new campaign was identified<\/a> targeting finance, accounting and sales professionals, aiming to steal sensitive data.<\/li>\n<\/ul>\n
The new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors. Additionally, the group\u2019s use of a crypto miner, detailed below, indicates the introduction of new TTPs into their campaigns.<\/p>\n
Overview of Malware Behavior: From DICOM Viewer to ValleyRAT<\/h2>\n
The samples in this cluster, including
MediaViewerLauncher.exe<\/code>, function as first-stage payloads that may be delivered through multiple vectors. While we cannot confirm the exact distribution method, Silver Fox has a history of using SEO poisoning and phishing to propagate its malware.<\/p>\nThe figure below illustrates the malware\u2019s execution flow, from the initial infection stage to the deployment of its final payloads. A detailed breakdown of its behavior follows in the next section.<\/p>\n
![\"\"](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/Silver-Fox-ATP-activity-diagram.webp\")
<\/p>\nThe first-stage malware performs two key preparatory functions before executing additional payloads:<\/p>\n
- \n
- Beaconing and Reconnaissance:<\/strong> It runs native Windows utilities such as
ping.exe<\/code>,find.exe<\/code>,cmd.exe<\/code> andipconfig.exe<\/code> to check if the system can reach the C2 server.<\/li>\n- Security Evasion via PowerShell Exclusions:\n
- \n
- August 2024:<\/strong> Introduced PowerShell commands to exclude certain paths from Windows Defender scanning, preparing the system for further malware stages.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Add-MpPreference -ExclusionPath 'C:\\ProgramData','C:\\Users\\Public' -Force<\/code><\/p>\n- \n
- \n
- \n
- December 2024 – January 2025:<\/strong> Expanded exclusions to additional system directories, increasing stealth:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Add-MpPreference -ExclusionPath 'C:\\','C:\\ProgramData','C:\\Users','C:\\Program Files (x86)' -Force<\/code><\/p>\nAfter executing these preparatory steps, the first stage contacts an Alibaba Cloud bucket to download several encrypted payloads disguised as image files. These payloads, detailed at the end of this report, include:<\/p>\n
- \n
- TrueSightKiller<\/a><\/li>\n
- A Cyren<\/a> AV DLL and executable<\/li>\n
- Other auxiliary files and shellcode<\/li>\n<\/ul>\n
Once downloaded, the malware decrypts the payloads and generates a malicious executable (second-stage malware) which is registered as a Windows scheduled task. This task executes immediately and is configured to run at every user login, ensuring persistence on the infected system.<\/p>\n
The second-stage malware loads the Cyren AV DLL containing injected code designed to evade debugging. It then enumerates system processes to identify various security software (detailed at the end of this report) and terminates them using TrueSightKiller.<\/p>\n
Once security defenses are disabled, the second stage downloads an encrypted file, decrypting it into the third-stage payload, the ValleyRAT backdoor and loader module, which communicates with a C2 server hosted in Alibaba Cloud. ValleyRAT then retrieves additional encrypted payloads which, once decrypted, function as a keylogger and a crypto miner. All three final payloads (backdoor, keylogger and crypto miner) achieve persistence on the victim through scheduled tasks.<\/p>\n
At the time of this analysis, the Alibaba Cloud storage buckets remained accessible, but the C2 server was already offline.<\/p>\n
Each stage of the malware incorporates encryption, obfuscation and evasion techniques to resist detection and analysis. These include:<\/p>\n
- \n
- Obfuscation Methods:<\/strong>\n
- \n
- API hashing to conceal function calls.<\/li>\n
- Indirect API retrieval to avoid static analysis.<\/li>\n
- Indirect control flow manipulation to hinder debugging and reverse engineering.<\/li>\n<\/ul>\n<\/li>\n
- Evasion Techniques:<\/strong>\n
- \n
- Long sleep intervals to delay execution and evade sandbox detection.<\/li>\n
- System fingerprinting to tailor execution based on the target environment.<\/li>\n
- Masked DLL loading to avoid security monitoring.<\/li>\n
- RPC-based task scheduling and driver loading to bypass standard process monitoring.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Additionally, the malware also adds random bytes to both dropped and loaded files, making detection and file hash-based hunting significantly more challenging.<\/p>\n
Detailed Malware Analysis<\/h2>\n
The following analysis was conducted on an individual malware sample<\/a>, so the filenames and hashes presented here are specific to that sample. While other samples in the cluster use different filenames, their overall behavior remains consistent.<\/p>\n
The first-stage malware downloads an initial encrypted file named
i.dat<\/code> from an Alibaba Cloud bucket atvien3h[.]oss-cn-beijing[.]aliyuncs[.]com<\/code>. Thei.dat<\/code> file contains URLs for six additional files hosted in the same cloud bucket, which for the analyzed sample were nameda.gif<\/code>,b.gif<\/code>,c.gif<\/code>,d.gif<\/code>,s.dat<\/code> ands.jpeg<\/code>. These files are downloaded, decrypted and saved on the filesystem with new filenames. In the analyzed sample, the decrypted filenames wereinstall.exe<\/code>,vselog.dll<\/code>,WordPadFilter.db<\/code>,MsMpList.dat<\/code> and189atohci.sys<\/code>. Thes.jpeg<\/code>\u00a0 file was not decrypted into a separate file, but was directly processed as shellcode in memory.<\/p>\nThe shellcode begins by scanning process memory for
kernel32.dll:GetProcAddress<\/code> (hash:0x1ab9b854<\/code>). It then usesGetProcAddress<\/code> to retrieve the addresses of the following critical functions:LoadLibraryA<\/code>,VirtualAlloc<\/code>,VirtualFree<\/code> andlstrcmpiA<\/code>. Next the malware loadsntdll<\/code> and retrieves from it the address ofRtlZeroMemory<\/code> andRtlMoveMemory<\/code>. These functions are subsequently used for memory manipulation and payload unpacking. The shellcode then callsVirtualAlloc<\/code> to allocate memory and unpacks a malicious DLL that will later be used for RPC-based task scheduling of malicious binaries.<\/p>\nThe shellcode then loads
RPCRT4.dll<\/code> and retrieves references for RPC-related functionsRpcBindingFromStringBindingW<\/code>,RpcStringFreeW<\/code>,RpcBindingComposeW<\/code>,NdrClientCall3<\/code> andRpcBindingSetAuthInfoExA<\/code>. Additionally, it loadsKERNEL32.dll<\/code> and retrieves references forHeapAlloc<\/code> andHeapFree<\/code>. The malware leverages a function from the persistence DLL that utilizes the named pipe\\\\pipe\\atsvc<\/code> to create a string binding in the formncacn_np:[\\\\\\pipe\\\\\\\\atsvc]<\/code>. It then creates an RPC binding and executesNdrClinetCall3<\/code> with the following XML task description:<\/p>\n
\n<?xml version=\"10\" encoding=\"UTF-16\"?>
\n<Task version=\"12\"
\nxmlns=\"http:\/\/schemasmicrosoft.com\/windows\/2004\/02\/mit\/task\">
\n<RegistrationInfo>
\n<Description><\/Description>
\n<\/RegistrationInfo>
\n<Triggers>
\n<LogonTrigger>
\n<Enabled>true<\/Enabled>
\n<\/LogonTrigger>
\n<RegistrationTrigger>
\n<Enabled>true<\/Enabled>
\n<\/RegistrationTrigger>
\n<TimeTrigger>
\n<Repetition>
\n<Interval>PT1M<\/Interval>
\n<StopAtDurationEnd>false<\/StopAtDurationEnd>
\n<\/Repetition>
\n<StartBoundary>2011-04-23T00:00:00<\/StartBoundary>
\n<Enabled>true<\/Enabled>
\n<\/TimeTrigger>
\n<\/Triggers>
\n<Principals>
\n<Principal id=\"Author\">
\n<GroupId>S-1-5-32-545<\/GroupId>
\n<RunLevel>HighestAvailable<\/RunLevel>
\n<\/Principal>
\n<\/Principals>
\n<Settings>
\n<MultipleInstancesPolicy>IgnoreNew<\/MultipleInstancesPolicy>
\n<DisallowStartIfOnBatteries>false<\/DisallowStartIfOnBatteries>
\n<StopIfGoingOnBatteries>true<\/StopIfGoingOnBatteries>
\n<AllowHardTerminate>false<\/AllowHardTerminate>
\n<StartWhenAvailable>true
\n<\/StartWhenAvailable>
\n<RunOnlyIfNetworkAvailable>false<\/RunOnlyIfNetworkAvailable>
\n<IdleSettings>
\n<StopOnIdleEnd>true<\/StopOnIdleEnd>
\n<RestartOnIdle>false<\/RestartOnIdle>
\n<\/IdleSettings>
\n<AllowStartOnDemand>true<\/AllowStartOnDemand>
\n<Enabled>true<\/Enabled>
\n<Hidden>true<\/Hidden>
\n<RunOnlyIfIdle>false<\/RunOnlyIfIdle>
\n<WakeToRun>false<\/WakeToRun>
\n<ExecutionTimeLimit>PT0S<\/ExecutionTimeLimit>
\n<Priority>4<\/Priority>
\n<\/Settings>
\n<Actions Context=\"Author\">
\n<Exec>
\n<Command>C:\\Users\\REDACTED\\Documents\\TO7RUF.exe<\/Command>
\n<WorkingDirectory>C:\\Users\\REDACTED\\Documents\\<\/WorkingDirectory>
\n<Arguments><\/Arguments>
\n<\/Exec>
\n<\/Actions>undefined
\n<\/Task>
\n<\/code><\/div>\n<\/p>\n
This schedules a Windows task to execute
TO7RUF.exe<\/code>, which corresponds to the Cyren AV executable (vseamps.exe<\/code> orinstall.exe<\/code>.) This task is configured to run immediately upon scheduling and then every time the current user logs in, ensuring persistence. After scheduling the task, the first-stage malware cleans all dynamically allocated memory and exits, effectively transitioning execution to the second stage.<\/p>\nThe second-stage malware begins by loading
vselog.dll<\/code> and jumping to itsDLLMain<\/code> function to check for the presence of a debugger and evade analysis. It also checks for the presence ofMsMpList.dat<\/code>, a key indicator used for further execution logic.<\/p>\nAnalyzing the second-stage payload requires setting a breakpoint on
RtlUserThreadStart<\/code> and monitoring theRCX<\/code> parameter passed to that function. Once executed, the malware loads and decryptsWordPadFilter.db<\/code> andMsMpList.dat<\/code>, writes both files into its own process memory usingWriteProcessMemory<\/code> and callsDisableThreadLibraryCalls<\/code> to prevent the debugger from intercepting DLL loading.<\/p>\nExecution then transitions to the decrypted shellcode from
WordPadFilter.db<\/code> andMsMpList.dat<\/code> shellcode, which scans for installed security software. If security software is detected, the malware uses RPC calls to load theTrueSightKiller<\/code> driver from189atohci.sys<\/code>, executesDeviceIoControl<\/code> to request IOCTL number0x22e044<\/code> with parameterMsMpEng<\/code> andNisSrv.exe<\/code> effectively terminating Windows Defender and disabling Windows native network monitoring, allowing the malware to operate undetected.<\/p>\nAfter disabling security defenses, the malware reconnects to the same Alibaba Cloud bucket and downloads four additional encrypted payloads named
FOM-50.jpg<\/code>,FOM-51.jpg<\/code>,FOM-52.jpg<\/code> andFOM-53.jpg<\/code>. These files are decrypted intoOKSave.exe<\/code> (produced in memory from a benignuninstall.exe<\/code> component of Internet Explorer),tbcore3U.dll<\/code>,log.src<\/code> andutils.vcxproj<\/code>. The execution flow proceeds as follows;OKSave.exe<\/code> loadstbcore3U.dll<\/code>, which in turn unpacks and executes malware fromlog.src<\/code> andutils.vcxproj<\/code>, deploying both a crypto miner and a keylogger, which stores logs inC:\\xxxx.in<\/code>.<\/p>\nAt this stage, three persistent malicious executables reside on the system: the
ValleyRAT<\/code> backdoor, the keylogger and the crypto miner. These malware components are scheduled to run either at system boot or upon scheduled task creation. The malware communicates with its C2 server hosted on Alibaba Cloud at8.217.60[.]40:8917<\/code>.<\/p>\nConclusion and Mitigation Recommendations<\/h2>\n
Our investigation uncovered a new campaign involving sophisticated and rapidly evolving malware deployed by a Chinese threat actor. This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain.<\/p>\n
While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant. In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home<\/a> programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.<\/p>\n
To minimize risk and prevent unauthorized access, HDOs should implement the following risk mitigation measures:<\/p>\n
- A Cyren<\/a> AV DLL and executable<\/li>\n
- TrueSightKiller<\/a><\/li>\n
- December 2024 – January 2025:<\/strong> Expanded exclusions to additional system directories, increasing stealth:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Security Evasion via PowerShell Exclusions:\n
- June<\/strong> 2024:<\/strong> Later that month, the group was observed deploying a modified version of ValleyRAT<\/a> incorporating DLL sideloading, process injection, and an HTTP File Server (HFS) for download and command-and-control (C2).<\/li>\n
- August 2024<\/strong>: 13 samples introduced multiple PowerShell exclusion commands, more complex process chains, and expanded use of system utilities.<\/li>\n
- July 2024<\/strong>: 12 samples exhibited basic defense evasion, employing a single PowerShell exclusion command, simple process chains, and minimal use of system utilities.<\/li>\n
- We identified a campaign by the China-based APT Silver Fox, which exploited Philips DICOM viewers to deploy a backdoor, keylogger, and a crypto miner on victim computers.<\/li>\n<\/ul>\n