{"id":11983,"date":"2026-04-09T10:04:00","date_gmt":"2026-04-09T10:04:00","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/09\/new-silver-fox-campaign-hides-valleyrat-inside-fake-telegram-chinese-language-pack-installer\/"},"modified":"2026-04-09T10:04:00","modified_gmt":"2026-04-09T10:04:00","slug":"new-silver-fox-campaign-hides-valleyrat-inside-fake-telegram-chinese-language-pack-installer","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/09\/new-silver-fox-campaign-hides-valleyrat-inside-fake-telegram-chinese-language-pack-installer\/","title":{"rendered":"New Silver Fox Campaign Hides ValleyRAT Inside Fake Telegram Chinese Language Pack Installer"},"content":{"rendered":"<div>\n<p>A new malware campaign linked to the Silver Fox APT group has been discovered, using a fake Telegram Chinese language pack installer to secretly deliver ValleyRAT \u2014 a powerful remote access trojan \u2014 onto targeted machines. 
<\/p>\n<p>The malicious file, disguised as a routine MSI installer, first appeared on MalwareBazaar on April 8, 2026, reported by security researcher CNGaoLing.<\/p>\n<p>Silver Fox, also tracked as SwimSnake, UTG-Q-1000, and Void Arachne, is a Chinese-nexus cybercrime group with a long history of impersonating widely 
used Chinese-language software to lure victims. <\/p>\n<p>Past campaigns have used fake installers for Teams, Zoom, Signal, and even Taiwan tax tools. <\/p>\n<p>This newest operation follows the same approach, hiding malware inside what appears to be a Telegram language configuration file \u2014 a type of package that many Chinese-speaking users would treat as harmless and install without hesitation.<\/p>\n<p><a href=\"https:\/\/intel.breakglass.tech\/post\/silverfox-valleyrat-telegram-chinese-langpack-zpaq-bytedance-ctg\" id=\"https:\/\/intel.breakglass.tech\/post\/silverfox-valleyrat-telegram-chinese-langpack-zpaq-bytedance-ctg\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Breakglass Intelligence analysts identified this campaign<\/a> and noted that it deploys a six-stage infection chain built specifically to evade popular Chinese antivirus products, including Qihoo 360, Tencent PC Manager, and Huorong. <\/p>\n<p>The tooling, infrastructure, and operator behavior all match the Silver Fox threat cluster with high confidence.<\/p>\n<p>The malicious file \u2014 a.msi, internally labeled IssueAccentRequest, and built on March 24, 2026 \u2014 uses the WiX Toolset framework and is engineered to stay hidden from the Windows Add\/Remove Programs list. <\/p>\n<p>Once execution is complete, the <a href=\"https:\/\/cybersecuritynews.com\/valleyrat-attacking-orgs-accounting-department\/\" id=\"91173\" target=\"_blank\" rel=\"noreferrer noopener\">ValleyRAT payload<\/a> begins communicating with the command-and-control server 118.107.43.65 on port 5040, hosted by CTG Server Ltd in Hong Kong \u2014 a bulletproof hosting provider that has appeared in multiple prior Silver Fox operations.<\/p>\n<p>The full scope of damage is significant. A secondary binary, DesignAccent.exe, is deployed as a scheduled task and is believed to carry screenshot or steganographic communication capabilities. 
<\/p>\n<p>The wnBios <a href=\"https:\/\/cybersecuritynews.com\/singularity-linux-kernel-rootkit\/\" id=\"136800\" target=\"_blank\" rel=\"noreferrer noopener\">kernel rootkit<\/a>, loaded via a Bring Your Own Vulnerable Driver (BYOVD) technique, gives the attacker direct read and write access to physical memory, enabling them to disable kernel-level security tools and conceal the malware\u2019s presence from the operating system.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-six-stage-infection-chain\"><strong>The Six-Stage Infection Chain<\/strong><\/h2>\n<p>The most technically complex part of this campaign is its six-step infection process, which moves from an innocent-looking MSI file to full system compromise.<\/p>\n<p>When a victim runs a.msi, a VBScript custom action triggers immediately after file extraction, executing with full SYSTEM privileges. <\/p>\n<p>The script deploys a legitimate, signed copy of the zpaqfranz v60\u2013v63.2 archival tool \u2014 renamed to KhDzetMjQMsAGYw.exe \u2014 as a Living-off-the-Land Binary to decompress two nested ZPAQ archives. <\/p>\n<p>The outer archive has no password; the inner archive is protected by the password 1427aafwqYOGGlOahjE. A final XOR decryption step using key 0x38, applied to every 56th byte, reveals the final payload. <\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams<\/a> should flag any zpaqfranz execution outside of dedicated developer or backup environments as a high-priority event.<\/p>\n<p>After unpacking, the chain adapts to whichever antivirus product it detects on the system. If a WMI query finds Qihoo 360 or Tencent PC Manager running, the installer switches to DLL sideloading through SodaMusicLauncher.exe \u2014 a legitimate, signed binary from ByteDance. <\/p>\n<p>Malicious copies of powrprof.dll and wsc.dll are placed alongside it, so that the malicious code is loaded into a trusted signed process that Chinese-market security products almost always permit. 
If no major antivirus is found, the payload executes directly from the C drive.<\/p>\n<p>Security teams should block 118.107.43.65 and the broader CTG Server netblock 118.107.40.0\/21 at the network perimeter. 
<\/p>\n<p>Alert on MSI installations where VBScript custom actions of type 7238 launch PowerShell, and hunt for the process names GjdLUhqZIJJB.exe, SingMusice.exe, and DesignAccent.exe. <\/p>\n<p>Treat zpaqfranz execution on standard workstations as suspicious. Monitor for AppShellElevationService registered with non-standard binary paths and watch for kernel driver load events matching the wnBios PDB signature. <\/p>\n<p>Chinese-speaking users should exercise caution when downloading language packs or configuration files from any source outside official app channels.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-silver-fox-campaign-hides-valleyrat-inside-fake-telegram\/\">New Silver Fox Campaign Hides ValleyRAT Inside Fake Telegram Chinese Language Pack Installer<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Silver Fox Campaign Hides ValleyRAT Inside Fake Telegram Chinese Language Pack Installer A new malware campaign linked to the Silver Fox APT group has been discovered, using a fake Telegram Chinese language pack installer to secretly deliver ValleyRAT \u2014 a powerful remote access trojan \u2014 onto targeted machines. The malicious file, disguised as a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11983","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11983"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11983"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11983\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org
\/{rel}","templated":true}]}}