Silver Fox Campaign Spreads ValleyRAT via Fake Chinese Telegram Language Pack
New analysis of a fake Telegram installer uploaded to MalwareBazaar reveals Silver Fox expanding its ValleyRAT operations via a fresh delivery chain. This chain employs a Chinese-language pack-decoy and an uncommon ZPAQ-based packer to conceal its malicious intent.
The MSI installer, built with WiX (IssueAccentRequest, 4.49 MB), executes a VBScript custom action as SYSTEM immediately after file extraction. It avoids detection by hiding itself from Add/Remove Programs using ARPSYSTEMCOMPONENT=1.
Upon execution, the script extracts three files: a renamed legitimate zpaqfranz decompression utility and two encrypted ZPAQ archives that together contain the full Silver Fox toolset.
PowerShell code merges the archive parts and performs a custom XOR decryption (using key 0x38, with every 56th byte treated specially) before handing off to zpaqfranz for payload unpacking.
Six-Stage Infection Chain
The attackers employ a six-stage chain to transition from a seemingly benign Telegram installer to a fully persistent ValleyRAT infection with kernel privileges.
- Stage 1–3: The MSI’s VBScript and PowerShell logic reconstruct and decrypt the archives, then invoke zpaqfranz to extract an outer ZPAQ and a password-protected inner archive (password: 1+427aafwqYOGGlOahjE).
- Stage 4: The script queries WMI for Chinese consumer AV processes (ZhuDongFangYu.exe for 360 Safe, QQPCRTP.exe for Tencent PC Manager, HipsDaemon.exe for Huorong) and chooses between a DLL sideloading chain or a direct drop into C:\Windows depending on what’s running.
- Stage 5: ValleyRAT launches and contacts its command-and-control server at 118.107.43.65:5040, while a BYOVD rootkit based on the legitimate wnBios driver is loaded to gain raw physical memory access.
- Stage 6: To maintain cover, the installer opens tg://setlanguage?lang=classic-zh-cn, so Telegram really applies the requested language pack, reinforcing the illusion of a normal install.
ZPAQ and ByteDance LOLBins
A notable twist involves using the signed zpaqfranz v60/v63.2 binary as a LOLBin packer instead of more common tooling like 7-Zip or built-in Windows decompressors.
ZPAQ’s low profile in malware detection signatures makes it attractive for evading rules that specifically watch for 7z.exe or WinRAR-based malware extraction.
If 360 or Tencent AV is present, the malware avoids dropping its main payload directly and instead abuses a signed ByteDance elevation service, SodaMusicLauncher.exe, to sideload malicious DLLs (powrprof.dll and wsc.dll).
The binary is signed by Beijing Microlive Vision Technology / Beijing Bytedance Network Technology and runs as AppShellElevationService, granting the attacker code execution in a trusted, allowlisted process unlikely to be blocked on Chinese-market systems.
The ValleyRAT payload is a Nim-compiled 64-bit PE with an encrypted configuration string encoding the campaign tag (mEGLoIEgCfaQ), operator group (“King-New”), kernel driver identifier, persistence directory name, and C2 IP 118.107.43.65.
A second Nim loader, DesignAccent.exe, is installed as a scheduled task and imports HTTP and image-processing modules, suggesting capabilities like screenshot capture or steganographic C2.
For stealth and defense evasion, Silver Fox again turns to a vulnerable driver: wnBios 1.2.0.0, a legitimate Wincor Nixdorf BIOS access driver exposing primitives for arbitrary physical memory reads and writes.
Using this driver, the group can disable kernel security features, interfere with PatchGuard, hide processes, and inject encrypted shellcode from an accompanying eRMqYUTL.sys blob.
The active C2 server, 118.107.43.65, is hosted by CTG Server Ltd in Hong Kong on the 118.107.40.0/21 netblock, a bulletproof hosting range already linked to multiple Silver Fox operations. This includes fake Teams and Telegram installers distributing ValleyRAT and related tooling.
External scanning shows the custom C2 port 5040 and NetBIOS (139/tcp) exposed but little else, indicating tight host filtering against passive reconnaissance.
The combination of ValleyRAT, a BYOVD-based rootkit, DLL sideloading, and CTG Server infrastructure aligns with prior reporting tying this tradecraft to the Chinese-nexus Silver Fox group, also tracked as Void Arachne and similar aliases.
Previous research documented the same actor distributing ValleyRAT via trojanized installers for Telegram, Teams, and other Chinese-popular software, often with AV-aware logic tuned to 360 and Tencent products.
Additional high-signal behaviors include MSI packages using VBScript custom actions (type 7238) to spawn PowerShell, unexpected zpaqfranz.exe executions, creation of the AppShellElevationService pointing to non-standard paths, tg://setlanguage URIs invoked by non-Telegram processes, and any kernel driver load path referencing wnBios 1.2.0.0.
Defenders should block 118.107.43.65 and, where possible, the broader 118.107.40.0/21 CTG Server range. They should also hunt for suspicious process names such as GjdLUhqZIJJB.exe, SingMusice.exe, and DesignAccent.exe.