Chinese-Backed Silver Fox Plants Backdoors in Healthcare Networks

Cyber threat actors are no longer just hitting hospitals with ransomware; they are now infiltrating the very software that patients use to manage their care, installing backdoors that put sensitive medical information at risk.

In a new report, researchers at Forescout’s Vedere Labs have found that Silver Fox, a recently identified Chinese-backed hacking group, was exploiting patient medical imaging software to deploy a backdoor, a keylogger and a crypto miner on victim computers.

The targeted software is Philips Digital Imaging and Communications in Medicine (DICOM) viewer software: medical imaging applications designed to display and analyze medical images such as X-rays, CT scans, MRI scans and ultrasounds.

Once installed, the malware drops ValleyRAT, a backdoor that gives attackers full control of victim computers, potentially opening doors into sensitive hospital networks.

Silver Fox’s Multi-Stage Malware Campaign Targets Healthcare Networks

In the new campaign Forescout observed, Silver Fox’s initial infection vector is unclear, but the actor has a history of using SEO poisoning and phishing to deliver malware.

The researchers identified a cluster of 29 malware samples between July 2024 and January 2025. These malware samples masqueraded as Philips DICOM viewers but deployed the ValleyRAT backdoor.

The first-stage malware, MediaViewerLauncher.exe, serves as a preparatory stage, performing beaconing and reconnaissance to check for connectivity to the C2 server.

The malware then employs security evasion techniques, including using PowerShell commands to exclude certain paths from Windows Defender scanning.

The first-stage malware downloads encrypted payloads from an Alibaba Cloud bucket, which are then decrypted and used to generate a malicious executable. This executable is registered as a Windows scheduled task, ensuring persistence on the infected system.
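As an added illustration (not code from the Forescout report or from this article), the following Python sketch shows how a defender could flag the two behaviours described above, Defender exclusions added via PowerShell and scheduled-task persistence, in flattened endpoint telemetry. The sample records and their `event_id|process|detail` layout are constructed for this example; Windows event 4104 (PowerShell script block logging) and 4698 (scheduled task created) are real event IDs, and the path list is an assumption about which locations count as user-writable.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry, not data from the Forescout report.
# Layout assumed for this example: <event_id>|<process>|<detail>
SAMPLE_TELEMETRY = [
    "4104|powershell.exe|Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Imaging'",
    "4104|powershell.exe|Set-MpPreference -ExclusionProcess 'MediaViewerLauncher.exe'",
    "4104|powershell.exe|Get-ChildItem C:\\Program Files",
    "4698|svchost.exe|TaskName=\\Updater\\ImagingSync Command=C:\\Users\\Public\\Imaging\\viewer.exe",
    "4698|svchost.exe|TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Command=C:\\Windows\\System32\\defrag.exe",
]

# Add-/Set-MpPreference with an exclusion parameter: Defender being told to stop looking somewhere.
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.IGNORECASE
)
# Scheduled-task creation whose action runs from a user-writable location.
TASK_RE = re.compile(r"TaskName=(?P<name>\S+)\s+Command=(?P<cmd>\S+)", re.IGNORECASE)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumed list


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: str
    detail: str


def scan_telemetry(lines):
    """Return findings for Defender-exclusion tampering and suspicious scheduled tasks."""
    findings = []
    for line in lines:
        event_id, _process, detail = line.split("|", 2)
        if event_id == "4104" and EXCLUSION_RE.search(detail):
            # Exclusions are a legitimate admin action, so this is a hunt lead, not a verdict.
            findings.append(Finding("defender_exclusion_added", event_id, detail))
        elif event_id == "4698":
            m = TASK_RE.search(detail)
            if m and m.group("cmd").lower().startswith(USER_WRITABLE):
                findings.append(Finding("scheduled_task_from_user_writable_path", event_id, m.group("name")))
    return findings


if __name__ == "__main__":
    for f in scan_telemetry(SAMPLE_TELEMETRY):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Correlating the two rules on the same host within a short window, as in the chain described above, gives a far stronger signal than either finding alone.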

The use of cloud storage buckets to deliver encrypted payloads suggests that the actor is leveraging cloud services to support its operations.

The fact that the C2 server was offline at the time of analysis, but the cloud storage buckets remained accessible, may indicate that the actor is using a modular and flexible infrastructure to support their campaigns.

The second-stage malware loads a DLL containing injected code designed to evade debugging.

It then enumerates system processes to identify security software and terminates them using TrueSightKiller, an open source tool designed to terminate and disable antivirus and endpoint detection and response (EDR) solutions.

With security defenses disabled, the malware downloads and decrypts additional payloads, including the ValleyRAT backdoor and loader module.

ValleyRAT communicates with the C2 server, hosted in Alibaba Cloud, to retrieve additional encrypted payloads, which are then decrypted and used to deploy a keylogger and crypto miner.

The malware incorporates various techniques to resist detection and analysis, including obfuscation methods, such as API hashing and indirect API retrieval.

It also employs evasion techniques, including long sleep intervals, system fingerprinting, and masked DLL loading.

The malware adds random bytes to dropped and loaded files, making detection and file hash-based hunting more challenging. The use of RPC-based task scheduling and driver loading allows the malware to bypass standard process monitoring.

History of ValleyRAT and Silver Fox

ValleyRAT, also known as Winos 4.0, is a remote access trojan (RAT) that was initially documented in early 2023.

Multiple cybersecurity firms have assessed the group to be a China-based threat actor.

In early analysis of Winos 4.0, Trend Micro observed a group it tracked as Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software installer files alongside malicious ValleyRAT/Winos 4.0 payloads.

In June 2024, the group was observed deploying a modified version of ValleyRAT incorporating DLL sideloading, process injection, and an HTTP File Server (HFS) for download and command-and-control (C2).

In July 2024, a new analysis by Chinese firm Knownsec’s 404 Advanced Threat Intelligence Team suggested that Silver Fox may be an advanced persistent threat (APT) group masquerading as cybercriminals, as its targeting shifted to governmental institutions and cybersecurity companies.

Other observed targets included e-commerce, finance, sales and management enterprises.

In November 2024, the group reportedly shifted its ValleyRAT distribution methods, leveraging gaming applications as a new delivery mechanism.

In the new campaign observed by Forescout’s Vedere Labs, the new malware cluster included filenames mimicking healthcare applications, English-language executables and file submissions from the US and Canada.

This suggests that the group may be expanding its targeting to new regions and sectors, the Forescout researchers said.

The group’s use of a crypto miner indicates the introduction of new tactics, techniques and procedures (TTPs) into its campaigns, Forescout added.

Forescout’s Mitigation Recommendations

The Forescout researchers noted that Silver Fox’s TTPs demonstrate a high level of sophistication and adaptability.

The multi-staged malware campaign, combined with the use of encryption, obfuscation and evasion techniques, makes it challenging for defenders to detect and respond to the threat.

To minimize risk and prevent unauthorized access, the researchers recommended healthcare delivery organizations (HDOs) implement the following risk mitigation measures:

  • Avoid downloading software or files from untrusted sources
  • Prohibit loading of files from patient devices onto healthcare workstations or other network-connected equipment
  • Implement strong network segmentation to isolate untrusted devices and networks (e.g. guest Wi-Fi) from internal hospital infrastructure
  • Ensure all endpoints are protected with up-to-date antivirus or EDR solutions
  • Continuously monitor all network traffic and endpoint telemetry for suspicious activity
  • Proactively hunt for malicious activity that aligns with known threat actor behavior, ensuring early detection and response

The images illustrating this article were generated using Shutterstock AI Image Generator.