Chinese-Backed Silver Fox Plants Backdoors in Healthcare Networks
Summary:
A new report from Forescout’s Vedere Labs reveals a significant shift in cyber threats against the healthcare sector, with attackers moving beyond hospital networks to infiltrate patient-facing medical software. Silver Fox, a Chinese-backed hacking group, has been exploiting vulnerabilities in Philips Digital Imaging and Communications in Medicine (DICOM) software, commonly used for medical imaging such as X-rays, CT scans, and MRIs, to install a backdoor, a keylogger, and a crypto miner, putting sensitive patient data and hospital networks at risk. Between July 2024 and January 2025, researchers identified 29 malware samples disguised as Philips DICOM viewers, all deploying the ValleyRAT backdoor. While the initial infection method remains unclear, Silver Fox has historically relied on SEO poisoning and phishing to deliver malware.
The first-stage malware is responsible for reconnaissance and security evasion, beaconing to a command-and-control (C2) server. It then downloads encrypted payloads from an Alibaba Cloud bucket, decrypts them, and executes a malicious file, which is registered as a Windows scheduled task to ensure persistence. The second-stage malware executes a DLL containing injected code to evade debugging. It enumerates system processes to detect and disable antivirus and endpoint detection and response (EDR) solutions using TrueSightKiller, an open-source security bypass tool. With security defenses disabled, the malware proceeds to download ValleyRAT, which communicates with an Alibaba Cloud-hosted C2 server to fetch additional payloads, including a keylogger and a crypto miner.
Security Officer Comments:
Silver Fox employs multiple techniques to evade detection, including API obfuscation and indirect API retrieval to hide its malicious operations, long sleep intervals and system fingerprinting to delay execution and analyze the environment, and masked DLL loading to avoid traditional security monitoring. It also adds random bytes to dropped and loaded files to make hash-based detection more difficult and uses RPC-based task scheduling and driver loading to bypass standard security processes. Additionally, the use of Alibaba Cloud storage for encrypted payload delivery indicates that Silver Fox is leveraging cloud services to maintain a modular and flexible infrastructure. Notably, even though the C2 server was offline during analysis, the cloud storage buckets remained accessible, suggesting an adaptive and resilient attack strategy.
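The "random bytes added to dropped files" trick above is cheap for the attacker because a file hash covers every byte. The script below is an added illustration, not code from Forescout or from the report: it builds a constructed, non-executable PE-shaped byte string, walks the COFF section table to find where section-backed data ends, and hashes only that region. Appended bytes then land in the overlay and leave the "core hash" unchanged, and the overlay size itself becomes a reviewable signal. The `build_minimal_pe` helper and all sample bytes are constructed here for the demonstration.

```python
import hashlib
import os
import struct


def build_minimal_pe(section_payload: bytes) -> bytes:
    """Constructed sample: a minimal PE-shaped blob with one section.
    It exists only to exercise the parser and is not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine=i386, 1 section, no optional header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0x0102)
    header_len = e_lfanew + 4 + 20 + 40            # through the section table
    raw_ptr = (header_len + 0x1FF) & ~0x1FF        # 512-byte file alignment
    raw_size = (len(section_payload) + 0x1FF) & ~0x1FF
    section = (b".text".ljust(8, b"\x00")
               + struct.pack("<IIIIIIHHI", len(section_payload), 0x1000,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020))
    image = dos + b"PE\x00\x00" + coff + section
    image += b"\x00" * (raw_ptr - len(image))
    image += section_payload.ljust(raw_size, b"\x00")
    return image


def section_backed_end(data: bytes) -> int:
    """Offset just past the last byte covered by any section header
    (i.e. where the overlay begins). Non-PE input: the whole file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return len(data)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return len(data)
    coff_off = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    sec_off = coff_off + 20 + opt_size
    end = sec_off + 40 * nsections                 # headers are content too
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_off + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def core_hash(data: bytes) -> str:
    """SHA-256 over section-backed bytes only; appended overlay is ignored."""
    return hashlib.sha256(data[: section_backed_end(data)]).hexdigest()


def overlay_size(data: bytes) -> int:
    """Bytes past the last section: legitimate for some installers and
    Authenticode-signed files, but worth recording alongside the hashes."""
    return len(data) - section_backed_end(data)


def pad_with_random_bytes(data: bytes, n: int) -> bytes:
    """Model of the hash-busting behaviour described in the report."""
    return data + os.urandom(n)


def demo() -> dict:
    original = build_minimal_pe(b"\xcc" * 64)
    padded = pad_with_random_bytes(original, 37)
    return {
        "sha256_changed": hashlib.sha256(original).digest() != hashlib.sha256(padded).digest(),
        "core_hash_same": core_hash(original) == core_hash(padded),
        "overlay_bytes": overlay_size(padded),
    }


if __name__ == "__main__":
    print(demo())
```

The core hash is a complement to, not a replacement for, full-file hashes and fuzzy or import hashes: an overlay is normal in signed installers, so its presence alone is not an indicator, but a known-bad core hash with a varying overlay is exactly the pattern the appended-bytes trick produces.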
The latest campaign observed by Forescout suggests another expansion, with filenames mimicking healthcare applications and file submissions traced back to the U.S. and Canada. Researchers believe Silver Fox may now be expanding into new geographic regions and industries, integrating crypto mining as part of its evolving attack methods. Silver Fox’s campaign highlights the growing risk of supply chain and software-targeted attacks in the healthcare sector.
Suggested Corrections:
To minimize risk and prevent unauthorized access, the researchers recommended healthcare delivery organizations (HDOs) implement the following risk mitigation measures:
- Avoid downloading software or files from untrusted sources
- Prohibit loading of files from patient devices onto healthcare workstations or other network-connected equipment
- Implement strong network segmentation to isolate untrusted devices and networks (e.g. guest Wi-Fi) from internal hospital infrastructure
- Ensure all endpoints are protected with up-to-date antivirus or EDR solutions
- Continuously monitor all network traffic and endpoint telemetry for suspicious activity
- Proactively hunt for malicious activity that aligns with known threat actor behavior, ensuring early detection and response
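The last two recommendations (monitor telemetry, hunt for known actor behaviour) map directly onto the chain described in the summary: a scheduled task that persists a binary dropped into a user-writable folder, which then fetches payloads from cloud object storage. The script below is an added example, not Forescout's code or any HDO's detection content. It runs three heuristics over constructed, simplified telemetry records (a loose analogue of Security event 4698 and Sysmon event 3, not their exact schemas) and correlates a persisted binary with its outbound traffic. Hostnames, paths and the `203.0.113.10` address are constructed sample values.

```python
import re

# Constructed sample telemetry (simplified; not the real Windows/Sysmon schema).
SAMPLE_EVENTS = [
    {"kind": "task_created", "host": "RAD-WS01", "user": "rad\\tech01",
     "task": "\\MediaViewerUpdate",
     "command": r"C:\Users\tech01\AppData\Roaming\update\viewer.exe"},
    {"kind": "task_created", "host": "RAD-WS01", "user": "SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe"},
    {"kind": "net_connect", "host": "RAD-WS01",
     "image": r"C:\Users\tech01\AppData\Roaming\update\viewer.exe",
     "dest_host": "example-bucket.oss-cn-hangzhou.aliyuncs.com", "dest_port": 443},
    {"kind": "net_connect", "host": "RAD-WS01",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.org", "dest_port": 443},
    {"kind": "net_connect", "host": "PACS01",
     "image": r"C:\Users\Public\Downloads\DICOM Viewer.exe",
     "dest_host": "203.0.113.10", "dest_port": 8080},
]

# Locations an ordinary user (or a lure download) can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Users\\Public\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)
# Public object-storage suffixes; Alibaba Cloud OSS is the one named in the report.
CLOUD_STORAGE = re.compile(
    r"\.(aliyuncs\.com|amazonaws\.com|blob\.core\.windows\.net|storage\.googleapis\.com)$",
    re.IGNORECASE,
)
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def analyze(events: list[dict]) -> list[dict]:
    """Return one finding per matched heuristic; benign records produce none."""
    findings = []
    persisted = set()

    # Rule 1: scheduled-task persistence pointing at a user-writable path.
    for e in events:
        if e["kind"] == "task_created" and is_user_writable(e["command"]):
            persisted.add(e["command"].lower())
            findings.append({"host": e["host"], "rule": "task_from_user_writable_path",
                             "object": e["command"]})

    for e in events:
        if e["kind"] != "net_connect" or not is_user_writable(e["image"]):
            continue
        # Rule 2: unmanaged binary pulling from public object storage
        # (the encrypted-payload delivery channel the report describes).
        if CLOUD_STORAGE.search(e["dest_host"]):
            findings.append({"host": e["host"], "rule": "cloud_storage_fetch_by_unmanaged_binary",
                             "object": f'{e["image"]} -> {e["dest_host"]}'})
        # Rule 3: raw-IP destination on a non-web port, a common beacon shape.
        elif RAW_IP.match(e["dest_host"]) and e["dest_port"] not in (80, 443):
            findings.append({"host": e["host"], "rule": "raw_ip_nonstandard_port",
                             "object": f'{e["image"]} -> {e["dest_host"]}:{e["dest_port"]}'})
        # Correlation: the same binary was just persisted via a scheduled task.
        if e["image"].lower() in persisted:
            findings.append({"host": e["host"], "rule": "persisted_binary_with_outbound_traffic",
                             "object": e["image"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f["host"]:<9} {f["rule"]:<42} {f["object"]}')
```

Rule 1 is the most durable of the three because the task-creation audit event is written by the Task Scheduler service itself, so it fires whether the task was registered through `schtasks.exe` or directly over RPC as the report describes. Rules 2 and 3 are noisier on their own (legitimate software updaters use object storage too), which is why the correlation with a freshly persisted binary is what should drive the alert priority.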
https://www.infosecurity-magazine.com/news/chinese-silver-fox-backdoors/