ValleyRAT Malware Hides in Fake Telegram Chinese Language Packs

Emy Elsamnoudy
April 9, 2026 4 Min Read

Key Takeaways

  • A new malware campaign, linked to the China-affiliated Silver Fox APT group, is distributing the potent ValleyRAT remote access trojan.
  • The threat actors are leveraging a deceptive Telegram Chinese language pack installer to infect systems.
  • The attack employs a sophisticated six-stage infection chain designed to bypass popular Chinese antivirus solutions.
  • The campaign incorporates a kernel rootkit (wnBios) for deep system compromise and evasion.

Silver Fox APT Deploys ValleyRAT via Fake Telegram Language Packs

A sophisticated new malware campaign, attributed to the persistent Silver Fox APT group, is actively exploiting a counterfeit Telegram Chinese language pack installer to surreptitiously deliver the powerful ValleyRAT remote access trojan (RAT) onto targeted machines. This operation highlights the group’s continued reliance on social engineering tactics tailored to Chinese-speaking users.

The malicious payload, packaged as an ordinary MSI installer, was first observed on MalwareBazaar on April 8, 2026, by security researcher CNGaoLing. The file masquerades as a legitimate language configuration utility, a common download for many Chinese-speaking Telegram users, making it appear harmless.

Silver Fox: A History of Deception

The Silver Fox APT group, also known by aliases such as SwimSnake, UTG-Q-1000, and Void Arachne, is a cybercrime entity with established links to China. The group has a documented history of impersonating widely used Chinese-language software to ensnare victims. Previous campaigns have involved fake installers for popular communication platforms like Teams, Zoom, and Signal, as well as specific tools like Taiwan tax utilities.

This latest campaign adheres to Silver Fox’s established modus operandi, embedding malware within a file that appears to be a benign Telegram language configuration package. Such files are often downloaded and installed without scrutiny by users seeking to localize their applications.

Advanced Evasion and System Compromise

Analysts at Breakglass Intelligence were instrumental in identifying and detailing this campaign. Their research indicates a complex six-stage infection chain specifically engineered to circumvent prominent Chinese antivirus products, including Qihoo 360, Tencent PC Manager, and Huorong. The observed tactics, infrastructure, and operator behaviors align with high confidence with the Silver Fox threat cluster.

The core malicious file, an MSI package internally named “IssueAccentRequest” and built on March 24, 2026, utilizes the WiX Toolset framework. It is designed to evade detection by remaining hidden from the Windows “Add/Remove Programs” list. Upon successful execution, the ValleyRAT payload initiates communication with its command-and-control (C2) server at IP address 118.107.43.65 on port 5040. This C2 server is hosted by CTG Server Ltd in Hong Kong, a bulletproof hosting provider frequently associated with prior Silver Fox operations.

The campaign’s impact extends beyond initial compromise. A secondary binary, “DesignAccent.exe,” is deployed as a scheduled task, believed to possess capabilities for taking screenshots or engaging in steganographic communication. Furthermore, the threat actors deploy the wnBios kernel rootkit using a “Bring Your Own Vulnerable Driver” technique. This rootkit grants attackers direct read and write access to physical memory, enabling them to disable kernel-level security tools and effectively conceal the malware’s presence from the operating system.

The Six-Stage Infection Chain

The most technically intricate aspect of this campaign is its multi-layered, six-stage infection process, which transforms an innocuous-looking MSI file into a complete system compromise.

The initial stage begins when a victim executes the “a.msi” installer. Immediately after file extraction, a VBScript custom action is triggered, executing with full SYSTEM privileges. This script then deploys a legitimate, digitally signed copy of the zpaqfranz archival tool (versions v60–v63.2), which is renamed to “KhDzetMjQMsAGYw.exe.” This Living-off-the-Land Binary is used to decompress two nested ZPAQ archives. The outer archive is unprotected, while the inner archive is secured with the password “1427aafwqYOGGlOahjE.” A final decryption step involves an XOR operation with key 0x38, applied every 56th byte, to unveil the ultimate payload. Security teams should consider any execution of zpaqfranz outside of development or backup contexts as a high-priority alert.

Following the unpacking stage, the infection chain demonstrates adaptive behavior based on the detected antivirus software. If a WMI query identifies Qihoo 360 or Tencent PC Manager on the system, the installer switches to a DLL sideloading technique. This involves using “SodaMusicLauncher.exe,” a legitimate and signed binary from ByteDance. Malicious versions of “powrprof.dll” and “wsc.dll” are placed alongside it, allowing the malware to inject its code within a trusted, signed process that is typically permitted by Chinese-market security products. If no major antivirus solution is detected, the payload is executed directly from the C drive.

What You Should Do

  • Block the C2 server IP address 118.107.43.65 and the broader CTG Server netblock 118.107.40.0/21 at your network perimeter.
  • Configure alerts for MSI installations where VBScript custom actions of type 7238 launch PowerShell processes.
  • Hunt for and monitor the process names GjdLUhqZIJJB.exe, SingMusice.exe, and DesignAccent.exe on your endpoints.
  • Treat any execution of zpaqfranz on standard user workstations as highly suspicious and investigate immediately.
  • Monitor for instances of AppShellElevationService registered with non-standard binary paths.
  • Watch for kernel driver load events that match the wnBios PDB signature.
  • Chinese-speaking users should exercise extreme caution and verify the authenticity of all language packs or configuration files, downloading them exclusively from official application channels.
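As an added defender-side example (not code from the article or from Breakglass Intelligence), the following Python triages constructed process-creation events against the indicators listed above: the campaign's process names, a renamed zpaqfranz binary, PowerShell spawned from an MSI custom action, and traffic to the CTG Server netblock. The flat key=value event format, the sample lines, and the assumption that msiexec.exe is the parent of a PowerShell launched by a VBScript custom action are my own.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Indicators quoted from the article; everything else in this block is an assumption.
C2_NETBLOCK = ipaddress.ip_network("118.107.40.0/21")
C2_IP = ipaddress.ip_address("118.107.43.65")
KNOWN_NAMES = {"gjdluhqzijjb.exe", "singmusice.exe", "designaccent.exe",
               "khdzetmjqmsagyw.exe"}

# Constructed sample events (not real telemetry). OriginalFileName is read from the
# PE version resource, so renaming zpaqfranz on disk does not change it.
SAMPLE_EVENTS = [
    r"Image=C:\Users\admin\AppData\Local\Temp\KhDzetMjQMsAGYw.exe ParentImage=C:\Windows\System32\msiexec.exe OriginalFileName=zpaqfranz.exe DestIp=-",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\msiexec.exe OriginalFileName=PowerShell.EXE DestIp=-",
    r"Image=C:\ProgramData\SodaMusic\SodaMusicLauncher.exe ParentImage=C:\Windows\explorer.exe OriginalFileName=SodaMusicLauncher.exe DestIp=118.107.43.65",
    r"Image=C:\Git\cmd\git.exe ParentImage=C:\Windows\explorer.exe OriginalFileName=git.exe DestIp=140.82.112.3",
    r"Image=C:\Windows\Temp\DesignAccent.exe ParentImage=C:\Windows\System32\svchost.exe OriginalFileName=DesignAccent.exe DestIp=-",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict (values contain no spaces)."""
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list:
    """Return the article's detection reasons that match a single event."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()
    if image in KNOWN_NAMES:
        reasons.append("known campaign process name")
    if "zpaqfranz" in original or "zpaqfranz" in image:
        reasons.append("zpaqfranz execution on a workstation")
    if parent == "msiexec.exe" and image == "powershell.exe":
        reasons.append("MSI custom action spawned PowerShell")
    dest = event.get("DestIp", "-")
    if dest != "-" and ipaddress.ip_address(dest) in C2_NETBLOCK:
        tag = "known C2 address" if ipaddress.ip_address(dest) == C2_IP else "CTG Server netblock"
        reasons.append("connection to " + tag)
    return reasons

def triage(lines) -> list:
    """Return (image basename, reasons) for every event matching at least one rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((basename(ev.get("Image", "")), reasons))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags four of the five constructed events; only the git.exe connection to an unrelated address passes clean.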
