Chinese-Backed Silver Fox Plants Backdoors in Healthcare Networks

Feb. 25, 2025

Cyber threat actors are no longer just hitting hospitals with ransomware; they are now trojanizing the software used to view patient medical images, installing backdoors that put sensitive medical information at risk.

In a new report, researchers at Forescout's Vedere Labs found that Silver Fox, a recently identified Chinese-backed hacking group, was disguising malware as patient medical imaging software in order to deploy a backdoor, a keylogger and a crypto miner on victim computers.

The impersonated software is a Philips DICOM viewer. DICOM (Digital Imaging and Communications in Medicine) is the standard format for medical images, and DICOM viewers are applications designed to display and analyze images such as X-rays, CT scans, MRI scans and ultrasounds.

Once the fake viewer is run, the infection chain ultimately drops ValleyRAT, a backdoor that gives attackers full remote control of the victim computer and a potential foothold in the wider hospital network.

Silver Fox’s Multi-Stage Malware Campaign Targets Healthcare Networks

In the new campaign Forescout observed, Silver Fox's initial infection vector is unclear, but the actor has a history of using SEO poisoning and phishing to deliver malware.

The researchers identified a cluster of 29 malware samples dating from between July 2024 and January 2025. The samples masqueraded as Philips DICOM viewers but deployed the ValleyRAT backdoor.

The first-stage malware, MediaViewerLauncher.exe, serves as a preparatory stage: it beacons to the command-and-control (C2) server and performs reconnaissance to confirm that it has connectivity.

The malware then employs defense evasion techniques, including PowerShell commands that add specific paths to Windows Defender's scan exclusions so that later stages dropped there are never scanned.

The first-stage malware downloads encrypted payloads from an Alibaba Cloud storage bucket, decrypts them and assembles them into a malicious executable. That executable is registered as a Windows scheduled task, giving the infection persistence across reboots.

The use of cloud storage buckets to deliver encrypted payloads suggests that the actor is leveraging commodity cloud services to support its operations.

The C2 server was offline at the time of analysis while the cloud storage buckets remained accessible, which may indicate a modular infrastructure in which payload hosting and command channels can be swapped out independently of each other.

The second-stage malware loads a DLL containing injected anti-debugging code intended to frustrate analysis.

It then enumerates running processes to identify security software and terminates it using TrueSightKiller, an open-source tool that abuses a vulnerable signed driver (a bring-your-own-vulnerable-driver, or BYOVD, technique) to terminate and disable antivirus and endpoint detection and response (EDR) solutions from kernel context.

With security defenses disabled, the malware downloads and decrypts additional payloads, including the ValleyRAT backdoor and its loader module.

ValleyRAT then communicates with the C2 server, also hosted in Alibaba Cloud, to retrieve further encrypted payloads, which are decrypted and used to deploy a keylogger and a crypto miner.
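The chain above leaves three host-side traces that are cheap to hunt for: a PowerShell script block that adds Windows Defender exclusions, a scheduled task whose action runs from a user-writable directory, and the termination of a security product's process. The Python below is an added example written for this page (it is not Forescout's tooling or anything from the Silver Fox samples) that correlates those three signals per host. The event records are constructed and simplified; the field names follow the real Windows event IDs they imitate (PowerShell/Operational 4104 ScriptBlockText, Security 4698 TaskName/TaskContent, Sysmon 5 Image), but the hostnames, paths and the list of security process names are assumptions to adapt to your own environment.

```python
"""Correlate Defender exclusions, suspicious scheduled tasks and killed
security processes across simplified Windows event records (added example)."""
import re

# Illustrative subset of AV/EDR process names (assumption: extend for your estate).
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "csfalconservice.exe", "ekrn.exe", "avp.exe",
}

# Add-MpPreference / Set-MpPreference calls that carve out scan exclusions.
MP_PREFERENCE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_ARG = re.compile(
    r"""-Exclusion(?:Path|Process|Extension)\s+("[^"]+"|'[^']+'|\S+)""",
    re.IGNORECASE,
)
# Task actions living in locations a standard user can write to.
USER_WRITABLE = re.compile(
    r"\\(?:AppData|ProgramData|Temp|Users\\Public|Downloads)\\", re.IGNORECASE
)
TASK_COMMAND = re.compile(r"<Command>([^<]+)</Command>", re.IGNORECASE)

# Constructed sample events: one infected workstation and one clean admin box.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Channel": "Microsoft-Windows-PowerShell/Operational",
     "Host": "RADIOLOGY-WS07",
     "ScriptBlockText": 'Add-MpPreference -ExclusionPath "C:\\ProgramData\\Viewer" '
                        '-ExclusionProcess "MediaViewerLauncher.exe"'},
    {"EventID": 4104, "Channel": "Microsoft-Windows-PowerShell/Operational",
     "Host": "ADMIN-WS02",
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"EventID": 4698, "Channel": "Security", "Host": "RADIOLOGY-WS07",
     "TaskName": "\\MediaViewerUpdate",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\tech\\AppData\\Roaming"
                    "\\mv\\update.exe</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "Channel": "Security", "Host": "ADMIN-WS02",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe"
                    "</Command></Exec></Actions></Task>"},
    {"EventID": 5, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Host": "RADIOLOGY-WS07",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Host": "ADMIN-WS02", "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def defender_exclusions(event):
    """Exclusion targets added by a 4104 script block, or [] if none."""
    if event.get("EventID") != 4104:
        return []
    text = event.get("ScriptBlockText", "")
    if not MP_PREFERENCE.search(text):
        return []
    return [arg.strip("\"'") for arg in EXCLUSION_ARG.findall(text)]


def suspicious_task(event):
    """Command of a 4698 task whose action runs from a user-writable path, else None."""
    if event.get("EventID") != 4698:
        return None
    match = TASK_COMMAND.search(event.get("TaskContent", ""))
    if not match:
        return None
    command = match.group(1)
    return command if USER_WRITABLE.search(command) else None


def terminated_security_process(event):
    """Lower-cased image name if a Sysmon 5 event records an AV/EDR process ending."""
    if event.get("EventID") != 5 or "Sysmon" not in event.get("Channel", ""):
        return None
    name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return name if name in SECURITY_PROCESSES else None


def triage(events):
    """Map host -> {stage: [evidence]} for hosts with at least one finding."""
    findings = {}
    for event in events:
        stages = findings.setdefault(event.get("Host", "?"), {})
        if excl := defender_exclusions(event):
            stages.setdefault("defender_exclusion", []).extend(excl)
        if task := suspicious_task(event):
            stages.setdefault("scheduled_task", []).append(task)
        if killed := terminated_security_process(event):
            stages.setdefault("security_process_killed", []).append(killed)
    return {host: stages for host, stages in findings.items() if stages}


def hosts_needing_escalation(events, min_stages=2):
    """Hosts showing two or more distinct stages of the chain, sorted by name."""
    return sorted(h for h, s in triage(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, stages)
    print("escalate:", hosts_needing_escalation(SAMPLE_EVENTS))
```

Any single signal here has benign explanations (administrators do add exclusions, and installers do register tasks), which is why the escalation threshold requires two distinct stages on the same host rather than one hit. Feeding real events requires only mapping your SIEM's field names onto the keys used above.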
