
Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers

Amine Amri, Sai Molige, Daniel dos Santos, and Forescout Research - Vedere Labs | February 24, 2025

Part 1: Silver Fox APT Abuses Philips DICOM Viewer to Deliver RAT for Backdoor Access

Summary

  • Healthcare remains a top target for ransomware. However, threats to the sector extend beyond ransomware.
  • We identified a campaign by the China-based APT Silver Fox, which exploited Philips DICOM viewers to deploy a backdoor, keylogger, and a crypto miner on victim computers.

Mitigation Recommendations for Healthcare Delivery Organizations (HDOs)

  • Avoid downloading software or files from untrusted sources, including patient devices.
  • Implement network segmentation to isolate untrusted devices/networks from internal systems.
  • Run up-to-date antivirus or endpoint detection and response (EDR) solutions.
  • Continuously monitor all network traffic and endpoint telemetry to detect the IoCs listed below.

UPDATE: Forescout Research – Vedere Labs has no evidence that Philips or Philips medical devices were hacked to distribute malicious versions of their DICOM Viewer. The threat actor involved in this campaign is known for using techniques such as phishing and watering holes to distribute malware. Past campaigns targeting DICOM viewers (not from Philips) used the same techniques.


Healthcare was the most targeted critical infrastructure sector in both 2023 and 2024. While many of those attacks involved ransomware, impacting data availability and potentially disrupting patient care, other threats to healthcare organizations directly exploit medical applications.

During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used by the Chinese threat actor Silver Fox to gain control of victim computers. In addition to the backdoor, victims were also infected with a keylogger and a crypto miner, a behavior not previously associated with this threat actor.

Below, we provide a detailed analysis of this new Silver Fox campaign and outline mitigation strategies to reduce risk.

Identified Malware Cluster

The malware cluster we uncovered contained trojanized versions of MediaViewerLauncher.exe, the primary executable for the Philips DICOM viewer. All identified samples were submitted to VirusTotal from the United States or Canada between December 2024 and January 2025.

Pivoting off the initial 29 samples, we identified numerous additional instances masquerading as other types of software. These samples (collected between July 2024 and January 2025) exhibit common traits, such as PowerShell defense evasion techniques, distinctive process execution patterns, and shared file system artifacts.

Notably, the samples demonstrate evolutionary behavior, suggesting ongoing malware development:

  • July 2024: 12 samples exhibited basic defense evasion, employing a single PowerShell exclusion command, simple process chains, and minimal use of system utilities.
  • August 2024: 13 samples introduced multiple PowerShell exclusion commands, more complex process chains, and expanded use of system utilities.
  • October 2024 – December 2024: 3 samples indicated further advancements incorporating additional exclusion paths and new file system actions.
  • January 2025: 2 samples demonstrated multiple layers of PowerShell commands, reflecting advanced evasion techniques.

The latest malware samples masquerade as legitimate software, including MediaViewerLauncher.exe for the DICOM Viewer and emedhtml.exe for EmEditor. Additionally, some samples were disguised as system drivers and utilities, such as x64DrvFx.exe.

Silver Fox APT History

Silver Fox, also known as Void Arachne and The Great Thief of Valley, is an APT that has historically targeted Chinese-speaking victims and has been highly active since 2024. Over the past year the group has demonstrated evolving tactics, techniques, and procedures (TTPs), shifting its focus to a broader range of targets:

  • June 2024: Silver Fox was first identified targeting Chinese victims with malware that downloaded the trojan Winos 4.0, also known as ValleyRAT. This campaign leveraged SEO poisoning, social media and messaging platforms to distribute malware disguised as AI applications or VPN software.
  • June 2024: Later that month, the group was observed deploying a modified version of ValleyRAT incorporating DLL sideloading, process injection, and an HTTP File Server (HFS) for download and command-and-control (C2).
  • July 2024: A new analysis suggested that Silver Fox may be an APT masquerading as cybercriminals, as its targeting shifted to governmental institutions and cybersecurity companies.
  • August 2024: A further campaign targeted e-commerce, finance, sales, and management enterprises.
  • September 2024: The group was observed using a TrueSight driver to disable antivirus software.
  • November 2024: Silver Fox shifted its Winos/ValleyRAT distribution methods, leveraging gaming applications as a new delivery mechanism.
  • January 2025: The PNGPlug loader was first identified as part of the group’s TTPs.
  • February 2025: A new campaign was identified targeting finance, accounting and sales professionals, aiming to steal sensitive data.

The new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors. Additionally, the group’s use of a crypto miner, detailed below, indicates the introduction of new TTPs into their campaigns.

Overview of Malware Behavior: From DICOM Viewer to ValleyRAT

The samples in this cluster, including MediaViewerLauncher.exe, function as first-stage payloads that may be delivered through multiple vectors. While we cannot confirm the exact distribution method, Silver Fox has a history of using SEO poisoning and phishing to propagate its malware.

The figure below illustrates the malware’s execution flow, from the initial infection stage to the deployment of its final payloads. A detailed breakdown of its behavior follows in the next section.

The first-stage malware performs two key preparatory functions before executing additional payloads:

  • Beaconing and Reconnaissance: It runs native Windows utilities such as ping.exe, find.exe, cmd.exe and ipconfig.exe to check if the system can reach the C2 server.
  • Security Evasion via PowerShell Exclusions:
    • August 2024: Introduced PowerShell commands to exclude certain paths from Windows Defender scanning, preparing the system for further malware stages.

Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users\Public' -Force

    • December 2024 – January 2025: Expanded exclusions to additional system directories, increasing stealth:

Add-MpPreference -ExclusionPath 'C:\','C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force
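As an added hunting example (not Forescout's tooling and not code from the report), the following Python flags process-creation command lines that request the over-broad Defender exclusions quoted above. The sample events are constructed, and the set of paths treated as high risk is my own choice.

```python
"""Triage Add-MpPreference exclusion commands from process-creation telemetry.

Added example, not Forescout's tooling. SAMPLE_EVENTS are constructed command
lines of the kind Sysmon Event ID 1 or Windows Event ID 4688 records; the first
two reproduce the exclusion commands quoted in this report.
"""
import re
from typing import Dict, List, Tuple

# Exclusions broad enough to hide an entire user- or attacker-writable tree
# from Defender. Stored normalised (lower case, no trailing backslash), so the
# drive root 'C:\' appears as 'c:'. This set is an assumption of the example.
HIGH_RISK_EXCLUSIONS = {
    "c:",
    "c:\\users",
    "c:\\users\\public",
    "c:\\programdata",
    "c:\\program files",
    "c:\\program files (x86)",
    "c:\\windows",
}

CMD_RE = re.compile(r"Add-MpPreference\b", re.IGNORECASE)
# Capture everything after -ExclusionPath up to the next -Switch (e.g. -Force)
# or the end of the line; later samples chain several such commands.
PATH_ARG_RE = re.compile(r"-ExclusionPath\s+(.*?)(?=\s+-[A-Za-z]|$)", re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case a Windows path, strip quotes and drop the trailing backslash."""
    return path.strip().strip("'\"").lower().rstrip("\\")


def triage_command_line(cmdline: str) -> Dict[str, List[str]]:
    """Return the exclusion paths a command line requests and which are high risk."""
    if not CMD_RE.search(cmdline):
        return {"paths": [], "high_risk": []}
    paths: List[str] = []
    for match in PATH_ARG_RE.finditer(cmdline):
        for raw in match.group(1).split(","):
            path = raw.strip().strip("'\"")
            if path:
                paths.append(path)
    high_risk = [p for p in paths if normalize(p) in HIGH_RISK_EXCLUSIONS]
    return {"paths": paths, "high_risk": high_risk}


def hunt(events: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (event index, high-risk paths) for every event that needs review."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, line in enumerate(events):
        result = triage_command_line(line)
        if result["high_risk"]:
            hits.append((idx, result["high_risk"]))
    return hits


# Constructed sample telemetry (command-line field only).
SAMPLE_EVENTS = [
    r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users\Public' -Force",
    r"powershell.exe -w hidden -Command Add-MpPreference -ExclusionPath 'C:\','C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force",
    r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Program Files\ContosoApp\cache' -Force",
    r"cmd.exe /c ipconfig /all",  # not an exclusion command at all
]

if __name__ == "__main__":
    for idx, risky in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: over-broad Defender exclusions {risky}")
```

Pair this with Microsoft-Windows-Windows Defender/Operational Event ID 5007 (configuration changed), which records the exclusion even when the command line was not captured.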

After executing these preparatory steps, the first stage contacts an Alibaba Cloud bucket to download several encrypted payloads disguised as image files. These payloads, detailed at the end of this report, include:

Once downloaded, the malware decrypts the payloads and generates a malicious executable (second-stage malware) which is registered as a Windows scheduled task. This task executes immediately and is configured to run at every user login, ensuring persistence on the infected system.

The second-stage malware loads the Cyren AV DLL containing injected code designed to evade debugging. It then enumerates system processes to identify various security software (detailed at the end of this report) and terminates them using TrueSightKiller.

Once security defenses are disabled, the second stage downloads an encrypted file, decrypting it into the third-stage payload, the ValleyRAT backdoor and loader module, which communicates with a C2 server hosted in Alibaba Cloud. ValleyRAT then retrieves additional encrypted payloads which, once decrypted, function as a keylogger and a crypto miner. All three final payloads (backdoor, keylogger and crypto miner) achieve persistence on the victim through scheduled tasks.

At the time of this analysis, the Alibaba Cloud storage buckets remained accessible, but the C2 server was already offline.

Each stage of the malware incorporates encryption, obfuscation and evasion techniques to resist detection and analysis. These include:

  • Obfuscation Methods:
    • API hashing to conceal function calls.
    • Indirect API retrieval to avoid static analysis.
    • Indirect control flow manipulation to hinder debugging and reverse engineering.
  • Evasion Techniques:
    • Long sleep intervals to delay execution and evade sandbox detection.
    • System fingerprinting to tailor execution based on the target environment.
    • Masked DLL loading to avoid security monitoring.
    • RPC-based task scheduling and driver loading to bypass standard process monitoring.

Additionally, the malware adds random bytes to both dropped and loaded files, making detection and file hash-based hunting significantly more challenging.

Detailed Malware Analysis

The following analysis was conducted on an individual malware sample, so the filenames and hashes presented here are specific to that sample. While other samples in the cluster use different filenames, their overall behavior remains consistent.

The first-stage malware downloads an initial encrypted file named i.dat from an Alibaba Cloud bucket at vien3h[.]oss-cn-beijing[.]aliyuncs[.]com. The i.dat file contains URLs for six additional files hosted in the same cloud bucket, which for the analyzed sample were named a.gif, b.gif, c.gif, d.gif, s.dat and s.jpeg. These files are downloaded, decrypted and saved on the filesystem with new filenames. In the analyzed sample, the decrypted filenames were install.exe, vselog.dll, WordPadFilter.db, MsMpList.dat and 189atohci.sys. The s.jpeg file was not decrypted into a separate file, but was directly processed as shellcode in memory.

The shellcode begins by scanning process memory for kernel32.dll:GetProcAddress (hash: 0x1ab9b854). It then uses GetProcAddress to retrieve the addresses of the following critical functions: LoadLibraryA, VirtualAlloc, VirtualFree and lstrcmpiA. Next, the malware loads ntdll and retrieves from it the addresses of RtlZeroMemory and RtlMoveMemory. These functions are subsequently used for memory manipulation and payload unpacking. The shellcode then calls VirtualAlloc to allocate memory and unpacks a malicious DLL that will later be used for RPC-based task scheduling of malicious binaries.

The shellcode then loads RPCRT4.dll and retrieves references for the RPC-related functions RpcBindingFromStringBindingW, RpcStringFreeW, RpcBindingComposeW, NdrClientCall3 and RpcBindingSetAuthInfoExA. Additionally, it loads KERNEL32.dll and retrieves references for HeapAlloc and HeapFree. The malware leverages a function from the persistence DLL that utilizes the named pipe \pipe\atsvc to create a string binding in the form ncacn_np:[\\pipe\\atsvc]. It then creates an RPC binding and executes NdrClientCall3 with the following XML task description:


<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description></Description>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>true</Enabled>
    </RegistrationTrigger>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2011-04-23T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\REDACTED\Documents\TO7RUF.exe</Command>
      <WorkingDirectory>C:\Users\REDACTED\Documents\</WorkingDirectory>
      <Arguments></Arguments>
    </Exec>
  </Actions>
</Task>

This schedules a Windows task to execute TO7RUF.exe, which corresponds to the Cyren AV executable (vseamps.exe or install.exe). This task is configured to run immediately upon scheduling and then every time the current user logs in, ensuring persistence. After scheduling the task, the first-stage malware cleans all dynamically allocated memory and exits, effectively transitioning execution to the second stage.
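An added triage example, not part of the original report or Forescout's tooling: it parses a task definition like the one above and reports the traits this campaign's persistence task combines (hidden, logon and registration triggers, one-minute repetition, a command under C:\Users, highest available run level). The sample XML is constructed to mirror the task shown; the indicator names and the five-minute repetition threshold are my own assumptions.

```python
"""Triage a Task Scheduler XML definition for this campaign's persistence traits.

Added example, not Forescout's tooling. SAMPLE_TASK is constructed to mirror the
task registered over RPC in the report; indicator names and the repetition
threshold are the example's own choices.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations this campaign stages binaries in (and excludes from Defender).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)
# Task files under C:\Windows\System32\Tasks are UTF-16; once decoded to str the
# declaration is dropped so the parser never sees a stale encoding= claim.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(value: str) -> int:
    """Convert Task Scheduler ISO 8601 durations (PT1M, PT0S) to seconds; -1 if unparsable."""
    m = DURATION.match(value.strip())
    if not m:
        return -1
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _text(root: ET.Element, path: str) -> str:
    el = root.find(path, TASK_NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task(xml_text: str) -> Dict[str, object]:
    """Summarise one task definition and list the campaign indicators it matches."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    trig = root.find("t:Triggers", TASK_NS)
    triggers: List[str] = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    command = _text(root, "t:Actions/t:Exec/t:Command")
    interval = _text(root, "t:Triggers/t:TimeTrigger/t:Repetition/t:Interval")
    indicators: List[str] = []
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        indicators.append("hidden")
    if "LogonTrigger" in triggers:
        indicators.append("runs_at_logon")
    if "RegistrationTrigger" in triggers:
        indicators.append("runs_immediately_on_registration")
    if interval and 0 <= duration_seconds(interval) <= 300:  # threshold: assumption
        indicators.append(f"repeats_every_{interval}")
    if USER_WRITABLE.match(command):
        indicators.append("command_in_user_writable_path")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        indicators.append("highest_available_run_level")
    return {"command": command, "triggers": triggers, "indicators": indicators}


# Constructed sample mirroring the report's task (path as redacted there).
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2011-04-23T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><GroupId>S-1-5-32-545</GroupId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\REDACTED\Documents\TO7RUF.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a vendor updater on a daily calendar trigger.
BENIGN_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Triggers><CalendarTrigger/></Triggers><Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions></Task>"""
```

On a live host, decode each file under C:\Windows\System32\Tasks with the utf-16 codec before passing it to triage_task.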

The second-stage malware begins by loading vselog.dll and jumping to its DllMain function to check for the presence of a debugger and evade analysis. It also checks for the presence of MsMpList.dat, a key indicator used for further execution logic.

Analyzing the second-stage payload requires setting a breakpoint on RtlUserThreadStart and monitoring the RCX parameter passed to that function. Once executed, the malware loads and decrypts WordPadFilter.db and MsMpList.dat, writes both files into its own process memory using WriteProcessMemory and calls DisableThreadLibraryCalls to prevent the debugger from intercepting DLL loading.

Execution then transitions to the decrypted shellcode from WordPadFilter.db and MsMpList.dat, which scans for installed security software. If security software is detected, the malware uses RPC calls to load the TrueSightKiller driver from 189atohci.sys and calls DeviceIoControl to request IOCTL number 0x22e044 with the parameters MsMpEng and NisSrv.exe, effectively terminating Windows Defender and disabling Windows native network monitoring, allowing the malware to operate undetected.

After disabling security defenses, the malware reconnects to the same Alibaba Cloud bucket and downloads four additional encrypted payloads named FOM-50.jpg, FOM-51.jpg, FOM-52.jpg and FOM-53.jpg. These files are decrypted into OKSave.exe (produced in memory from a benign uninstall.exe component of Internet Explorer), tbcore3U.dll, log.src and utils.vcxproj. The execution flow proceeds as follows: OKSave.exe loads tbcore3U.dll, which in turn unpacks and executes malware from log.src and utils.vcxproj, deploying both a crypto miner and a keylogger, which stores logs in C:\xxxx.in.

At this stage, three persistent malicious executables reside on the system: the ValleyRAT backdoor, the keylogger and the crypto miner. These malware components are scheduled to run either at system boot or upon scheduled task creation. The malware communicates with its C2 server hosted on Alibaba Cloud at 8.217.60[.]40:8917.

Conclusion and Mitigation Recommendations

Our investigation uncovered a new campaign involving sophisticated and rapidly evolving malware deployed by a Chinese threat actor. This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain.

While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant. In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.

To minimize risk and prevent unauthorized access, HDOs should implement the following risk mitigation measures:

  • Avoid downloading software or files from untrusted sources.
  • Prohibit loading of files from patient devices onto healthcare workstations or other network-connected equipment.
  • Implement strong network segmentation to isolate untrusted devices and networks (e.g. guest Wi-Fi) from internal hospital infrastructure.
  • Ensure all endpoints are protected with up-to-date antivirus or EDR solutions.
  • Continuously monitor all network traffic and endpoint telemetry for suspicious activity.
  • Proactively hunt for malicious activity that aligns with known threat actor behavior, ensuring early detection and response.

IoCs and Further Details

The indicators of compromise (IoCs) associated with this campaign are available on the Forescout Vedere Labs threat feed.


List of security software explicitly checked for by the second-stage executable:

["HipsMain.exe", "HipsTray.exe", "HipsDaemon.exe", "360Safe.exe", "360tray.exe", "360sd.exe", "MsMpEng.exe", "NisSrv.exe", "ZhuDongFangYu.exe", "SecurityHealthSystray.exe", "kscan.exe", "kwsprotect64.exe", "kxescore.exe", "kxetray.exe", "kxemain.exe", "ksetupwiz.exe", "QMDL.exe", "QMPersonalCenter.exe", "QQPCPatch.exe", "QQPCRealTimeSpeedup.exe", "QQPCRTP.exe", "QQPCTray.exe", "QQRepair.exe", "QQPCMgrUpdate.exe", "KSafeTray.exe", "mpcopyaccelerator.exe", "UnThreat.exe", "K7TSecurity.exe", "ad-watch.exe", "PSafeSysTray.exe", "vsserv.exe", "remupd.exe", "rtvscan.exe", "ashDisp.exe", "avcenter.exe", "TMBMSRV.exe", "knsdtray.exe", "avp.exe", "avpui.exe", "avgwdsvc.exe", "AYAgent.aye", "V3Svc.exe", "mssecess.exe", "QUHLPSVC.EXE", "RavMonD.exe", "KvMonXP.exe", "baiduSafeTray.exe", "BaiduSd.exe", "LAVService.exe", "LenovoTray.exe", "LenovoPcManagerService.exe", "LISFService.exe", "LnvSvcFdn.exe", "wsctrl10.exe", "wsctrl11.exe", "wsctrlsvc.exe", "wsctrl.exe", "Bka.exe", "BkavService.exe", "BkavSystemServer.exe", "BkavSystemService.exe", "BkavSystemService64.exe", "BkavUtil.exe", "BLuPro.exe", "BluProService.exe", "cefutil.exe", "PopWndLog.exe", "PromoUtil.exe", "QHActiveDefense.exe", "QHSafeMain.exe", "QHSafeScanner.exe", "QHSafeTray.exe", "QHWatchdog.exe"]

The table below summarizes the files downloaded by the first- and second-stage malware, both before and after decryption. At the time of analysis, none of these files were detected as malicious by antivirus solutions prior to decryption. However, as of this writing, three files (vselog.dll, 189atohci.sys and FOM-51.jpg) have been flagged as malicious after decryption. It is important to note that not every file listed should be considered malicious, only those explicitly identified as IoCs above.

Name: i.dat
SHA256: 31adb4043339320c360d43686ace3736bac87df27dc309c7c544820acdb34a93
Decrypts into: URLs for a.gif, b.gif, c.gif, d.gif, s.jpeg and the strings for their decrypted filenames install.exe, vselog.dll, WordPadFilter.db, MsMpList.dat and 189atohci.sys.

Name: a.gif
SHA256: 2d3c7fbb4fba459808f20fdc293cdc09951110302111526bc467f84a6f82f8f6
Decrypts into: vseamps.exe/install.exe/random.exe. Part of Cyren AV, benign file used for DLL injection. SHA256: d2537dc4944653efcd48de73961034cfd64fb7c8e1ba631a88bba62cccc11948

Name: b.gif
SHA256: 5536f773a5f358f174026758ffae165d3a94c9c6a29471385a46c1598cfb2ad4
Decrypts into: vselog.dll. SHA256: A6BB2CE9688620E6335F39124A08718A623E3A71A0E9953104FCFC54BA05856B

Name: c.gif
SHA256: 7545ac54f4bdfe8a9a271d30a233f8717ca692a6797ca775de1b7d3eaab1e066
Decrypts into: WordPadFilter.db. SHA256: 92f765df46c598c0f25ad69e862711565c6c23845ce2e4967ddde39ee1dd6c1d

Name: d.gif
SHA256: 6166ef3871e1952b05bce5a08a1db685e27bd83af83b0f92af20139dc81a4850
Decrypts into: MsMpList.dat. SHA256: B419964F0F219394BF9C6D5A9AA904796B14FDB2FE62B7079BBD0A48F4E902F1

Name: s.dat
SHA256: 6ebe9d4cffadf2566a960067fc226739dd74f361dca0b0809df66f1c7bb8049d
Decrypts into: 189atohci.sys, TrueSightKiller driver used to disable antivirus. SHA256: 25b6f65c07b83293958c6f1e36d053b1d39c5dde864fde5cfc1834ecca591139

Name: s.jpeg
SHA256: 5207b0111dc5cc23da549559a8968ee36e39b5d8776e6f5b1e6bdc367937e7df
Decrypts into: Shellcode that is executed in a dynamically allocated memory region set to PAGE_EXECUTE_READWRITE. It unpacks a DLL for persistence by RPC task scheduling with SHA256: 0E66D7EC29AD8B088971D337DB79BC916C219E523BD538F5A9DC7E0179C2547A. It also unpacks a DLL with SHA256: a92b2727de7c14b63c50b7062b2fcf61098a5d4d8bf3f749444e72b0cfc45f2b

Name: f.dat
SHA256: 81FF16AEDF9C5225CE8A03C0608CC3EA417795D98345699F2C240A0D67C6C33D
Decrypts into: Payloads that once processed will produce OkSave.exe, starting from a benign uninstall.exe file that is part of Internet Explorer. It will load tbcore3U.dll with SHA256: cbf556ebc3ed7d3d3ddcd399f1a1f4212251b151f52cdafc60c4676dc4df60ab, utils.vcxproj with SHA256: 15e272118e984d2bdeaec7e1f72a6568eb0a82e1d0431c5d824ced33120c706e, and log.src with SHA256: 4556D5D106ADBD9E1C5627940BD2314CA59B2CC8C01359680CA70928B6BAFC50. OkSave.exe will use utils.vcxproj and log.src to drop the crypto miner with SHA256: E26D5E23BEE9695B05323928F66CEC4D969178EBFC00E9930B71C356C5D37167 and the keylogger and trojan horse with SHA256: 2da901c7e1441286d7e90d6a9f114ebb020e56d6f2200ea68111a691f29ff71b

Name: FOM-50.jpg
SHA256: 48F258037BE0FFE663DA3BCD47DBA22094CC31940083D9E18A71882BDC1ECDB8

Name: FOM-51.jpg
SHA256: a2065ea035c4e391c0fd897a932dcff34d2ccd34579844c732f3577bc443b196

Name: FOM-52.jpg
SHA256: 901330243EF0F7F0AAE4F610693DA751873E5B632E5F39B98E3DB64859D78CBC

Name: FOM-53.jpg
SHA256: F919634AC7E0877663FFF06EA9E430B530073D6E79EEE543D02331F4DFF64375