Electronic warfare: China takes aim at the healthcare sector, targeting Philips' DICOM displays

Gabriele Iuvinale
  • An investigation has uncovered a new campaign involving a sophisticated and rapidly evolving malware distributed by a Chinese actor. This campaign exploits trojanized DICOM viewers as bait to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a cryptocurrency miner to exploit system resources for profit.

  • A cyber threat intelligence report prepared by Google Threat Intelligence Group says that in recent years cyber crime has evolved to become a security threat to Western states.

  • China's state cyber espionage is both a means of stealing science and technology from foreign states and an intelligence-gathering method for potential attacks against military, government, and commercial technical systems of target countries.


A Chinese government-backed group is spoofing legitimate medical software to hijack hospital patients' computers, infecting them with backdoors, credential-swiping keyloggers, and cryptominers.


Forescout's Vedere Labs researchers on Monday sounded the alarm after identifying dozens of malware samples masquerading as Philips DICOM medical image viewers and other legitimate software.


GettyImages

Healthcare was the most targeted critical infrastructure sector in both 2023 and 2024. While many of those attacks involved ransomware, impacting data availability and potentially disrupting patient care, other threats to healthcare organizations directly exploit medical applications.


During a hunt for new malicious software, Forescout's Vedere Labs identified a cluster of 29 malware samples masquerading as DICOM viewers from Philips. These samples deployed ValleyRAT, a remote access tool (RAT) backdoor used by the Chinese actor Silver Fox to gain control of victims' computers. In addition to the backdoor, victims were also infected with a keylogger and a crypto miner, behavior not previously associated with this threat actor.

The samples, all collected between July 2024 and January 2025, used PowerShell commands to evade detection and shared certain file system artifacts. The most recent were disguised as MediaViewerLauncher.exe, the primary executable for the Philips DICOM viewer, and emedhtml.exe for EmEditor, while other samples purported to be system drivers and utilities, such as x64DrvFx.exe.


However, instead of running the expected medical imaging application on the victim's machine, these samples deploy ValleyRAT, a backdoor remote access tool (RAT) used by Beijing-backed crew Silver Fox.


This PRC-backed group, also known as Void Arachne and The Great Thief of Valley, typically targets Chinese-speaking victims. However, "the new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors," Vedere Labs researchers Amine Amri, Sai Molige, and Daniel dos Santos said.

Over the past year the group has demonstrated evolving tactics, techniques, and procedures (TTPs), shifting its focus to a broader range of targets:

  • June 2024: Silver Fox was first identified targeting Chinese victims with malware that downloaded the trojan Winos 4.0, also known as ValleyRAT. This campaign leveraged SEO poisoning, social media and messaging platforms to distribute malware disguised as AI applications or VPN software.

  • June 2024: Later that month, the group was observed deploying a modified version of ValleyRAT incorporating DLL sideloading, process injection, and an HTTP File Server (HFS) for download and command-and-control (C2).

  • July 2024: A new analysis suggested that Silver Fox may be an APT masquerading as cybercriminals, as its targeting shifted to governmental institutions and cybersecurity companies.

  • August 2024: A further campaign targeted e-commerce, finance, sales, and management enterprises.

  • September 2024: The group was observed using a TrueSight driver to disable antivirus software.

  • November 2024: Silver Fox shifted its Winos/ValleyRAT distribution methods, leveraging gaming applications as a new delivery mechanism.

  • January 2025: The PNGPlug loader was first identified as part of the group’s TTPs.

  • February 2025: A new campaign was identified targeting finance, accounting and sales professionals, aiming to steal sensitive data.

The figure illustrates the malware's execution flow, from the initial infection stage to the deployment of its final payloads. A detailed breakdown of its behavior follows in the next section. Credit: Forescout "Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers"

While these trojanized DICOM viewers likely target patients rather than hospitals directly, since patients often use such applications to view their own medical images, the risk to healthcare delivery organizations (HDOs) remains significant. In scenarios where patients bring infected devices into hospitals for diagnosis, or in emerging scenarios such as hospital-at-home programs that rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to gain an initial foothold within healthcare networks.


To minimize risk and prevent unauthorized access, HDOs should implement the following risk mitigation measures, according to Forescout researchers:

  • Avoid downloading software or files from untrusted sources.

  • Prohibit loading of files from patient devices onto healthcare workstations or other network-connected equipment.

  • Implement strong network segmentation to isolate untrusted devices and networks (e.g. guest Wi-Fi) from internal hospital infrastructure.

  • Ensure all endpoints are protected with up-to-date antivirus or EDR solutions.

  • Continuously monitor all network traffic and endpoint telemetry for suspicious activity.

  • Proactively hunt for malicious activity that aligns with known threat actor behavior, ensuring early detection and response.


Cybercrime is a threat to the security of states

A cyber threat intelligence report prepared by Google Threat Intelligence Group (GTIG), made public on Feb. 12, says that in recent years cyber crime has evolved to become a security threat to Western states.


Policymakers should take cybercrime as seriously as nation-state-led operations, the paper, titled Cyber crime: A multifaceted national security threat, states.


Since 2022, Google Threat Intelligence Group (GTIG) has observed a significant increase in the number of victims of “data leak” sites (DLS) in the hospital sector. DLS, which are used to release victims' information following data theft extortion incidents, are mainly aimed at pushing victims to pay a ransom demand.


According to Google, the consequences of such attacks can be very serious, up to and including lethal for hospitalized patients. Studies by academics and internal hospital reviews, in fact, have shown that disruptions due to ransomware attacks go beyond inconvenience and have led to potentially lethal consequences for patients. Disruptions can impact not only individual hospitals but also the broader healthcare supply chain, while cyberattacks targeting companies that produce essential drugs and life-saving therapies can have far-reaching consequences worldwide.


GTIG was blunt: "ransomware operators are aware that their attacks on hospitals will have serious consequences and will likely increase government attention to them. Although some have developed strategies to mitigate the backlash from these operations, the potential monetary rewards associated with targeting hospitals continue to drive attacks on the healthcare sector."