News

Silver Fox Group Deploys New MODBEACON RAT Using gRPC Streaming

The China-linked Silver Fox group has introduced MODBEACON, a new Rust-based remote access trojan using gRPC streaming for encrypted communications.

The Silver Fox cybercrime group has been linked to a new malware campaign using MODBEACON, a sophisticated RAT leveraging gRPC streaming. This campaign targets Asian organizations, highlighting the group's evolving tactics and infrastructure.

Silver Fox Group Deploys New MODBEACON RAT Using gRPC Streaming

The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAT) called MODBEACON. According to Chinese cybersecurity firm QiAnXin, the group's operations involve a complex organizational structure with multiple distributors propagating malware through counterfeit installers and SEO poisoning techniques.

Key Features of MODBEACON

MODBEACON is a modular RAT designed to target technology, education, and state-owned enterprises in Asia. Its command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare's Content Delivery Network (CDN). The malware is described as a professional and private C2 framework with the following capabilities:

  • Memory-resident operation: Functions as a remote implant capable of fetching additional modules and executing operator commands.
  • Encrypted communications: Uses gRPC tunnel streaming for secure communication.
  • Plugin-based architecture: Supports loading plugins in memory and setting persistence using scheduled tasks.
  • Host fingerprinting and heartbeat messages: Allows for detailed monitoring and control of infected systems.

The malware's core highlight is its reuse of the transport layer from the open-source anti-censorship proxy framework Xray/V2Ray for its C2 channel.

Campaign Details

The newly discovered campaign combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection. The attack chain involves counterfeit domains advertising bogus installers for popular domestic software, tricking users into downloading malicious ZIP archives that deploy MODBEACON.

QiAnXin notes that the distributor behind this campaign operates as a hybrid threat actor, acting both as a "cybercriminal arms dealer" and a "traffic broker." Its activities include expanding its infection footprint across Asia through daily SEO operations for fraudulent business and propagating advanced trojans.

Broader Implications

The discovery of MODBEACON highlights the ongoing evolution of Silver Fox's arsenal. The group has previously deployed malware families such as Atlas RAT, ABCDoor, RomulusLoader, and SilentRunLoader, indicating a continuous refinement of its tradecraft. This latest campaign underscores the group's ability to adapt and innovate, posing a significant threat to organizations in the region.