î „Ravie Lakshmananî ‚Jul 10, 2026Malware / Enterprise Security

The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON.

Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure, which compromises multiple distributors.

“These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families,” QiAnXin said.

One such campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. MODBEACON’s requested command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare’s Content Delivery Network (CDN).

The distributor is assessed to be a hybrid threat actor, acting as a composite of “cybercriminal arms dealer” and “traffic broker.” One arm of its operations involves expanding its infection footprint across Asia through daily SEO operations for fraud business, while the other focuses on propagating advanced trojans, or renting high-value access to downstream customers, or establishing “criminal-on-criminal” schemes targeting the Cambodian gambling sector.

The newly discovered campaign combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection on infected hosts. The memory-resident malware functions as a remote implant capable of fetching additional modules, running operator commands, and maintaining encrypted communications with attacker infrastructure.

“The Trojan is a professional and private C2 framework: the loader and beacon are separated, the configuration is injectable, the beacon employs a plugin-based architecture (native-v3 plugins with entry/init/fini RVA), and it uses gRPC tunnel streaming for communication,” QiAnXin explained. “The overall engineering quality is high. Its core highlight is the reuse of the transport layer from an open-source anti-censorship proxy framework (Xray/V2Ray) as its C2 channel.”

Like previous campaigns attributed to the Silver Fox intrusion ecosystem, the attack chain uses counterfeit domains advertising bogus installers for popular domestic software as lures to trick unsuspecting users into downloading malicious ZIP archives responsible for deploying the malware.

The core capabilities of MODBEACON include –

  • Fingerprinting the host
  • Loading plugins in memory
  • Sending heartbeat messages
  • Reporting the results of command execution
  • Setting persistence using scheduled tasks

“This capability can be used for subsequent on-demand expansion of information theft, lateral movement, proxy…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 10, 2026