Silver Fox Campaign Hides ValleyRAT in Fake Telegram

Emy Elsamnoudy, April 9, 2026

A newly identified malware campaign, attributed to the Silver Fox APT group, exploits a deceptive Telegram Chinese language pack installer to covertly deliver ValleyRAT, a potent remote access trojan, onto targeted systems.

The malicious file, disguised as a routine MSI installer, first appeared on MalwareBazaar on April 8, 2026, reported by security researcher CNGaoLing.

Silver Fox, also tracked as SwimSnake, UTG-Q-1000, and Void Arachne, is a Chinese-nexus cybercrime group with a long history of impersonating widely used Chinese-language software to lure victims.

Past campaigns have used fake installers for Teams, Zoom, Signal, and even Taiwan tax tools.

This newest operation follows the same approach, hiding malware inside what appears to be a Telegram language configuration file — a type of package that many Chinese-speaking users would treat as harmless and install without hesitation.

Breakglass Intelligence analysts identified this campaign and noted that it deploys a six-stage infection chain built specifically to evade popular Chinese antivirus products, including Qihoo 360, Tencent PC Manager, and Huorong.

The tooling, infrastructure, and operator behavior all match the Silver Fox threat cluster with high confidence.

The malicious file — a.msi, internally labeled IssueAccentRequest, and built on March 24, 2026 — uses the WiX Toolset framework and is engineered to stay hidden from the Windows Add/Remove Programs list.

Once execution is complete, the ValleyRAT payload begins communicating with command-and-control server 118.107.43.65 on port 5040, hosted by CTG Server Ltd in Hong Kong — a bulletproof hosting provider that has appeared in multiple prior Silver Fox operations.

The full scope of damage is significant. A secondary binary, DesignAccent.exe, deploys as a scheduled task and is believed to carry screenshot or steganographic communication capabilities.

The wnBios kernel rootkit, loaded via a Bring Your Own Vulnerable Driver technique, gives the attacker direct read and write access to physical memory, enabling them to disable kernel-level security tools and conceal the malware’s presence from the operating system.

The Six-Stage Infection Chain

The most technically complex part of this campaign is its six-step infection process, which moves from an innocent-looking MSI file to full system compromise.

When a victim runs a.msi, a VBScript custom action triggers immediately after file extraction, executing with full SYSTEM privileges.

The script deploys a legitimate, signed copy of the zpaqfranz v60–v63.2 archival tool — renamed to KhDzetMjQMsAGYw.exe — as a Living-off-the-Land Binary to decompress two nested ZPAQ archives.

The outer archive has no password; the inner archive is protected by the password 1427aafwqYOGGlOahjE. A last XOR step, using the single-byte key 0x38 applied at every 56th byte, reveals the final payload.

Security teams should flag any zpaqfranz execution outside of dedicated developer or backup environments as a high-priority event.

After unpacking, the chain adapts to whichever antivirus product it detects on the system. If a WMI query finds Qihoo 360 or Tencent PC Manager running, the installer switches to DLL sideloading through SodaMusicLauncher.exe, a legitimate, signed binary from ByteDance.

Malicious copies of powrprof.dll and wsc.dll are placed alongside it, injecting code within a trusted signed process that Chinese-market security products almost always permit. If no major antivirus is found, the payload executes directly from the C drive.

Security teams should block 118.107.43.65 and the broader CTG Server netblock 118.107.40.0/21 at the network perimeter.

Alert on MSI installations where VBScript custom actions of type 7238 launch PowerShell, and hunt for process names GjdLUhqZIJJB.exe, SingMusice.exe, and DesignAccent.exe.

Treat zpaqfranz execution on standard workstations as suspicious. Monitor for AppShellElevationService registered with non-standard binary paths and watch for kernel driver load events matching the wnBios PDB signature.
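As an added example (not code from the article or from Breakglass Intelligence), the following Python turns the hunting guidance above into checks a detection engineer can run: it decodes an MSI CustomAction Type value such as 7238 into its documented Windows Installer bit flags to show why such an action runs as SYSTEM, and it triages constructed process/network log lines against the process names and the CTG Server netblock named in the article. The log line format is an assumption made for the example.

```python
import ipaddress
import re

# Bit fields of the MSI CustomAction "Type" column, per the Windows Installer documentation.
CA_TYPE_MASK = 0x0007
CA_BASE_TYPES = {1: "dll", 2: "exe", 3: "textdata", 5: "jscript", 6: "vbscript", 7: "nested-install"}
CA_FLAGS = {
    0x0040: "continue",        # msidbCustomActionTypeContinue: ignore the action's return code
    0x0080: "async",           # msidbCustomActionTypeAsync
    0x0400: "deferred",        # msidbCustomActionTypeInScript: runs in the execute sequence
    0x0800: "no-impersonate",  # msidbCustomActionTypeNoImpersonate: runs in the installer service context (SYSTEM)
    0x1000: "64bit-script",    # msidbCustomActionType64BitScript
    0x2000: "hide-target",     # msidbCustomActionTypeHideTarget
}

def decode_custom_action_type(value):
    """Return (base type, sorted flag names) for an MSI CustomAction Type integer."""
    base = CA_BASE_TYPES.get(value & CA_TYPE_MASK, "unknown")
    flags = sorted(name for bit, name in CA_FLAGS.items() if value & bit)
    return base, flags

def is_suspicious_custom_action(value):
    """Flag script custom actions that run deferred without impersonation, i.e. as SYSTEM."""
    base, flags = decode_custom_action_type(value)
    return base in ("vbscript", "jscript") and "deferred" in flags and "no-impersonate" in flags

# Indicators taken from the article: hunt process names and the CTG Server netblock.
BLOCKED_NET = ipaddress.ip_network("118.107.40.0/21")
HUNT_PROCESSES = {"gjdluhqzijjb.exe", "singmusice.exe", "designaccent.exe",
                  "khdzetmjqmsagyw.exe", "zpaqfranz.exe"}

def triage_log_line(line):
    """Return the indicators matched by one 'key=value' log line (constructed format, assumption)."""
    hits = []
    m = re.search(r"image=(\S+)", line)
    if m:
        name = m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in HUNT_PROCESSES:
            hits.append("process:" + name)
    m = re.search(r"dst=(\d+\.\d+\.\d+\.\d+)", line)
    if m and ipaddress.ip_address(m.group(1)) in BLOCKED_NET:
        hits.append("c2-netblock:" + m.group(1))
    return hits

# Constructed sample telemetry (not real logs) in the assumed format.
SAMPLE_LOG = [
    "2026-04-09T09:12:03Z host=ws01 image=C:\\Users\\bob\\AppData\\Local\\Temp\\KhDzetMjQMsAGYw.exe",
    "2026-04-09T09:12:09Z host=ws01 image=C:\\Windows\\System32\\svchost.exe dst=10.0.0.5:443",
    "2026-04-09T09:12:31Z host=ws01 image=C:\\ProgramData\\DesignAccent.exe dst=118.107.43.65:5040",
]
```

Decoding 7238 yields a VBScript action that is deferred, runs without impersonation and ignores its return code, which is exactly the SYSTEM-level execution the article describes.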

Chinese-speaking users should exercise caution when downloading language packs or configuration files from any source outside official app channels.
