ThreatCluster

Silver Fox APT Campaign Distributes ValleyRAT via Fake Telegram Installer

First seen 9 Apr 2026, 07:30 UTC GbhackersCybersecuritynews 88% similarity 67

Article Content

Browse articles
ThreatCluster

A new malware campaign linked to the Silver Fox APT group has been identified, utilizing a fake Chinese language pack installer for Telegram to deliver ValleyRAT, a sophisticated remote access trojan. The malicious MSI installer, which was uploaded to MalwareBazaar on April 8, 2026, is designed to execute a VBScript as SYSTEM immediately after extraction. This operation signifies an expansion of Silver Fox's ValleyRAT activities, indicating a targeted approach to infiltrate systems under the guise of legitimate software. The attack primarily affects users who download the compromised installer, potentially leading to unauthorized access and control over infected machines. The use of a ZPAQ-based packer adds a layer of obfuscation, complicating detection efforts. Security professionals are advised to remain vigilant against this evolving threat. Current status indicates ongoing analysis and monitoring of the campaign's impact.

Key Points: • Silver Fox APT group is behind the new ValleyRAT distribution campaign. • The malware is disguised as a Chinese language pack installer for Telegram. • The installer executes a VBScript as SYSTEM, posing significant risks to affected systems.

ThreatCluster AI

Timeline

2026-04-08
Malicious Telegram language pack installer uploaded to MalwareBazaar.
2026-04-09
Gbhackers and Cybersecuritynews report on the Silver Fox campaign.

Community

Browse all →