
Silver Fox APT Campaign Distributes ValleyRAT via Fake Telegram Installer

Severity: High (Score: 66.5)

Sources: Gbhackers, Cybersecuritynews

Summary

A new malware campaign linked to the Silver Fox APT group has been identified, utilizing a fake Chinese language pack installer for Telegram to deliver ValleyRAT, a sophisticated remote access trojan. The malicious MSI installer, which was uploaded to MalwareBazaar on April 8, 2026, is designed to execute a VBScript as SYSTEM immediately after extraction. This operation signifies an expansion of Silver Fox's ValleyRAT activities, indicating a targeted approach to infiltrate systems under the guise of legitimate software. The attack primarily affects users who download the compromised installer, potentially leading to unauthorized access and control over infected machines. The use of a ZPAQ-based packer adds a layer of obfuscation, complicating detection efforts. Security professionals are advised to remain vigilant against this evolving threat. Current status indicates ongoing analysis and monitoring of the campaign's impact.

Key Points:

  • Silver Fox APT group is behind the new ValleyRAT distribution campaign.
  • The malware is disguised as a Chinese language pack installer for Telegram.
  • The installer executes a VBScript as SYSTEM, posing significant risks to affected systems.

Key Entities

  • Silver Fox (apt_group)
  • Malware (attack_type)
  • Trojan (attack_type)
  • Silver Fox Campaign (campaign)
  • ValleyRat (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1059.005 - Visual Basic (mitre_attack)
  • VBScript (tool)