ValleyRAT Malware Hides in Fake Telegram Chinese Language Packs
Key Takeaways
- A new malware campaign, linked to the China-affiliated Silver Fox APT group, is distributing the potent ValleyRAT remote access trojan.
- The threat actors are leveraging a deceptive Telegram Chinese language pack installer to infect systems.
- The attack employs a sophisticated six-stage infection chain designed to bypass popular Chinese antivirus solutions.
- The campaign incorporates a kernel rootkit (wnBios) for deep system compromise and evasion.
Silver Fox APT Deploys ValleyRAT via Fake Telegram Language Packs
A sophisticated new malware campaign, attributed to the persistent Silver Fox APT group, is actively exploiting a counterfeit Telegram Chinese language pack installer to surreptitiously deliver the powerful ValleyRAT remote access trojan (RAT) onto targeted machines. This operation highlights the group’s continued reliance on social engineering tactics tailored to Chinese-speaking users.
The malicious payload, packaged as an ordinary MSI installer, was first observed on MalwareBazaar on April 8, 2026, by security researcher CNGaoLing. The file masquerades as a legitimate language configuration utility, a common download for many Chinese-speaking Telegram users, making it appear harmless.
Silver Fox: A History of Deception
The Silver Fox APT group, also known by aliases such as SwimSnake, UTG-Q-1000, and Void Arachne, is a cybercrime entity with established links to China. The group has a documented history of impersonating widely used Chinese-language software to ensnare victims. Previous campaigns have involved fake installers for popular communication platforms like Teams, Zoom, and Signal, as well as specific tools like Taiwan tax utilities.
This latest campaign adheres to Silver Fox’s established modus operandi, embedding malware within a file that appears to be a benign Telegram language configuration package. Such files are often downloaded and installed without scrutiny by users seeking to localize their applications.
Advanced Evasion and System Compromise
Analysts at Breakglass Intelligence were instrumental in identifying and detailing this campaign. Their research indicates a complex six-stage infection chain specifically engineered to circumvent prominent Chinese antivirus products, including Qihoo 360, Tencent PC Manager, and Huorong. The observed tactics, infrastructure, and operator behaviors align with high confidence with the Silver Fox threat cluster.
The core malicious file, an MSI package internally named “IssueAccentRequest” and built on March 24, 2026, utilizes the WiX Toolset framework. It is designed to evade detection by remaining hidden from the Windows “Add/Remove Programs” list. Upon successful execution, the ValleyRAT payload initiates communication with its command-and-control (C2) server at IP address 118.107.43.65 on port 5040. This C2 server is hosted by CTG Server Ltd in Hong Kong, a bulletproof hosting provider frequently associated with prior Silver Fox operations.
The campaign’s impact extends beyond initial compromise. A secondary binary, “DesignAccent.exe,” is deployed as a scheduled task, believed to possess capabilities for taking screenshots or engaging in steganographic communication. Furthermore, the threat actors deploy the wnBios kernel rootkit using a “Bring Your Own Vulnerable Driver” technique. This rootkit grants attackers direct read and write access to physical memory, enabling them to disable kernel-level security tools and effectively conceal the malware’s presence from the operating system.
The Six-Stage Infection Chain
The most technically intricate aspect of this campaign is its multi-layered, six-step infection process, which transforms an innocuous-looking MSI file into a complete system compromise.
The initial stage begins when a victim executes the “a.msi” installer. Immediately after file extraction, a VBScript custom action is triggered, executing with full SYSTEM privileges. This script then deploys a legitimate, digitally signed copy of the zpaqfranz archival tool (versions v60–v63.2), which is renamed to “KhDzetMjQMsAGYw.exe.” This Living-off-the-Land Binary is used to decompress two nested ZPAQ archives. The outer archive is unprotected, while the inner archive is secured with the password “1427aafwqYOGGlOahjE.” A final decryption step involves an XOR operation with key 0x38, applied every 56th byte, to unveil the ultimate payload. Security teams should consider any execution of zpaqfranz outside of development or backup contexts as a high-priority alert.
Following the unpacking stage, the infection chain demonstrates adaptive behavior based on the detected antivirus software. If a WMI query identifies Qihoo 360 or Tencent PC Manager on the system, the installer switches to a DLL sideloading technique. This involves using “SodaMusicLauncher.exe,” a legitimate and signed binary from ByteDance. Malicious versions of “powrprof.dll” and “wsc.dll” are placed alongside it, allowing the malware to inject its code within a trusted, signed process that is typically permitted by Chinese-market security products. If no major antivirus solution is detected, the payload is executed directly from the C drive.
What You Should Do
- Block the C2 server IP address 118.107.43.65 and the broader CTG Server netblock 118.107.40.0/21 at your network perimeter.
- Configure alerts for MSI installations where VBScript custom actions of type 7238 launch PowerShell processes.
- Hunt for and monitor the process names GjdLUhqZIJJB.exe, SingMusice.exe, and DesignAccent.exe on your endpoints.
- Treat any execution of zpaqfranz on standard user workstations as highly suspicious and investigate immediately.
- Monitor for instances of AppShellElevationService registered with non-standard binary paths.
- Watch for kernel driver load events that match the wnBios PDB signature.
- Chinese-speaking users should exercise extreme caution and verify the authenticity of all language packs or configuration files, downloading them exclusively from official application channels.
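As an added illustration of the hunting guidance above and of the unpacking and sideloading stages described earlier (example code written for this article, not tooling from Breakglass Intelligence or HackersRadar), the following Python routine applies the page's indicators to constructed JSON endpoint events: renamed zpaqfranz matched on PE OriginalFileName, the reported process names, the SodaMusicLauncher.exe sideloading triad, and the C2 address and netblock. The event schema and the zpaqfranz allow-list directories are assumptions.

```python
import ipaddress
import json

# Indicators as reported on the page: C2 address, hosting netblock, process names, sideloading triad.
C2_IP = ipaddress.ip_address("118.107.43.65")
C2_NETBLOCK = ipaddress.ip_network("118.107.40.0/21")
KNOWN_IMAGES = {"gjdluhqzijjb.exe", "singmusice.exe", "designaccent.exe", "khdzetmjqmsagyw.exe"}
SIDELOAD_HOST, SIDELOAD_DLLS = "sodamusiclauncher.exe", {"powrprof.dll", "wsc.dll"}
ZPAQ_ALLOWED_DIRS = ("c:\\tools\\backup\\", "c:\\dev\\")  # assumed local policy, not from the page


def base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]  # lower-cased file name of a Windows path


def triage_event(ev: dict) -> list[str]:
    """Return alert reasons for one endpoint event; an empty list means benign."""
    reasons, kind = [], ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        if base(image) in KNOWN_IMAGES:
            reasons.append("known campaign process name: " + base(image))
        # zpaqfranz is renamed on disk, so match the PE OriginalFileName rather than the path.
        if ev.get("original_filename", "").lower().startswith("zpaqfranz") and not image.startswith(ZPAQ_ALLOWED_DIRS):
            reasons.append("zpaqfranz executed outside backup/dev context")
    elif kind == "image_load":
        dll = ev.get("image", "").lower()
        if base(ev.get("process", "")) == SIDELOAD_HOST and base(dll) in SIDELOAD_DLLS and not dll.startswith("c:\\windows\\system32\\"):
            reasons.append(base(dll) + " loaded from outside System32 by " + SIDELOAD_HOST)
    elif kind == "network":
        dst = ipaddress.ip_address(ev["dst_ip"])
        if dst == C2_IP:
            reasons.append("connection to reported ValleyRAT C2")
        elif dst in C2_NETBLOCK:
            reasons.append("connection into CTG Server netblock")
    return reasons


def triage_log(lines: list[str]) -> dict[str, list[str]]:
    """Triage JSON-lines events; map each alerting event id to its reasons."""
    events = [json.loads(line) for line in lines]
    return {ev["id"]: r for ev in events if (r := triage_event(ev))}


# Constructed sample telemetry (not real logs): one event per rule plus two benign ones.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"id": "e1", "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\KhDzetMjQMsAGYw.exe", "original_filename": "zpaqfranz.exe"},
    {"id": "e2", "type": "process", "image": r"C:\tools\backup\zpaqfranz.exe", "original_filename": "zpaqfranz.exe"},
    {"id": "e3", "type": "image_load", "process": r"C:\ProgramData\SodaMusicLauncher.exe", "image": r"C:\ProgramData\powrprof.dll"},
    {"id": "e4", "type": "network", "dst_ip": "118.107.41.9"},
    {"id": "e6", "type": "network", "dst_ip": "8.8.8.8"},
]]
```

Running `triage_log(SAMPLE_LOG)` flags e1 (renamed zpaqfranz in a temp directory, matched both by name and by OriginalFileName), e3 (powrprof.dll loaded beside the signed launcher) and e4 (traffic into the CTG Server netblock), while the backup-directory zpaqfranz run and the public DNS connection stay silent.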
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.