Redazione RHC : 1 August 2025 07:59
According to the Knownsec 404 Advanced Threat Intelligence Team, a surge in attack activity has recently been observed involving the Silver Fox Trojan, which mimics popular tools such as Google Translate. These attacks, dating back to 2024, involve a user clicking anywhere on the page displaying a message about an outdated version of Flash, followed by a redirect to a download page crafted by the attackers.
If the user downloads and executes the file, the system is compromised through the execution of subsequent payloads.
In recent years, several hacker groups have distributed the Silver Fox Trojan using various techniques: forged download pages for common tools, SEO poisoning, and cloned websites of national institutions. These strategies have steadily degraded the trustworthiness of the Chinese internet download environment.
The Silver Fox group has been active since at least 2022, spreading Trojans through channels such as email, phishing sites, and instant messaging software. Following the release of the source code for remote control Trojans such as Winos 4.0, this gang transformed from a single organization into a full-fledged malware family, repurposed by other criminal groups and even APT organizations.
A technical analysis identified several phishing websites used to distribute Silver Fox, including fake copies of Google Translate, a currency converter, and even the official WPS download site. On these sites, the attackers inserted redirect scripts directly into the source code, leading victims to malicious pages.
Among the malicious installation packages discovered are MSI and EXE files that drop the Winos Trojan. In the case of MSI files, execution loads aicustact.dll to launch additional components, while update.bat starts both the legitimate program and the malicious payload. javaw.exe then writes Microsoftdata.exe to the registry to ensure persistence. The latter, written in Golang, reads and executes a file named Xps.dtd, which contains shellcode that loads a PE module called RexRat4.0.3, whose core component is still Winos.
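The installation chain above (aicustact.dll, update.bat, javaw.exe writing Microsoftdata.exe to a registry Run key, and the Xps.dtd shellcode container) gives a defender a handful of concrete artifacts to look for. The following Python is an added example, not code from the Knownsec 404 report or from this article: it matches those artifacts against Sysmon-style event records (event ID 1 process create, 11 file create, 13 registry value set). The event records are constructed for the example, and the field names (event_id, image, target, details, command_line) are an assumption about how the events were normalised.

```python
"""
Indicator matcher for the Silver Fox / Winos installation chain described
in the article. Added example; not part of the original report.
The sample events below are CONSTRUCTED and the field layout is assumed.
"""
from __future__ import annotations
import ntpath

# File names taken from the article's description of the MSI/EXE chain.
CHAIN_FILES = {
    "aicustact.dll": "MSI stage: DLL used to launch additional components",
    "update.bat": "launcher for the legitimate program and the payload",
    "microsoftdata.exe": "Golang loader written to the registry for persistence",
    "xps.dtd": "shellcode container read by Microsoftdata.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name part of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def match_event(ev: dict) -> list[str]:
    """Return the names of every rule the event satisfies (empty if benign)."""
    hits: list[str] = []
    eid = ev.get("event_id")
    image = basename(ev.get("image", ""))

    # Sysmon 13 (registry value set): javaw.exe writing a Run value whose
    # data points at Microsoftdata.exe, i.e. the persistence step.
    if eid == 13:
        target = ev.get("target", "").lower()
        details = ev.get("details", "").lower()
        if (image == "javaw.exe"
                and "\\currentversion\\run" in target
                and "microsoftdata.exe" in details):
            hits.append("javaw_registry_persistence")

    # Sysmon 11 (file create): any file name from the chain being dropped.
    if eid == 11:
        name = basename(ev.get("target", ""))
        if name in CHAIN_FILES:
            hits.append(f"chain_file_created:{name}")

    # Sysmon 1 (process create): the Golang loader starting, or cmd.exe
    # interpreting update.bat.
    if eid == 1:
        cmdline = ev.get("command_line", "").lower()
        if image == "microsoftdata.exe":
            hits.append("loader_process_started")
        if image == "cmd.exe" and "update.bat" in cmdline:
            hits.append("update_bat_launched")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (record id, rule name) pairs."""
    return [(ev["record"], hit) for ev in events for hit in match_event(ev)]


# Constructed sample telemetry for one host, mixing chain events with benign noise.
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\Public\aicustact.dll"},
    {"record": 2, "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c C:\ProgramData\GTranslate\update.bat"},
    {"record": 3, "event_id": 13, "image": r"C:\ProgramData\GTranslate\javaw.exe",
     "target": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Run\Microsoftdata",
     "details": r"C:\ProgramData\GTranslate\Microsoftdata.exe"},
    {"record": 4, "event_id": 1, "image": r"C:\ProgramData\GTranslate\Microsoftdata.exe",
     "command_line": "Microsoftdata.exe"},
    {"record": 5, "event_id": 1, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},                      # benign
    {"record": 6, "event_id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\update.log"},             # benign
]

if __name__ == "__main__":
    for record, rule in scan(SAMPLE_EVENTS):
        print(f"record {record}: {rule}")
```

Matching on bare file names is deliberately loose: each rule on its own will produce false positives, so the value is in seeing several stages of the chain on the same host in sequence, which `scan` makes easy to aggregate.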
The Winos Trojan, which belongs to the Silver Fox family, has numerous functions: it can capture screenshots, record keystrokes, and extract data from the clipboard. Beyond the sites already mentioned, additional counterfeit programs used to spread the malware have been discovered, such as fake packages for Easy Translation, Youdao Translate, Bit Browser, and LetsVPN.
In recent years, Silver Fox has evolved into a modular, tool-based malware, also used and modified by APT groups such as Golden Eye Dog. Attackers are primarily focusing on improving anti-detection techniques, such as code obfuscation or signature forgery, to make distribution more effective. This increases the risk for users who download software from unofficial sources and are lured there by pop-ups or cloned sites.
Experts have reported that Silver Fox poses a serious threat to cybersecurity in China. To protect yourself, it’s recommended to remain vigilant about links, attachments, and packages from unknown sources, download software only from official sites or trusted app stores, and constantly update your operating systems and antivirus software. Only in this way can you significantly reduce the risk of infection.