
A newly discovered cyberespionage campaign by the Chinese APT group Silver Fox has been found targeting Philips DICOM viewers used in healthcare environments. The attack deploys ValleyRAT, a keylogger, and a crypto miner on infected systems, marking a shift in the group’s tactics. Forescout Research – Vedere Labs identified 29 trojanized versions of Philips’ MediaViewerLauncher.exe, with submissions primarily originating from the U.S. and Canada.
The attackers are using trojanized versions of the Media Viewer Launcher, the primary executable for the Philips DICOM viewer, to deliver the malware. These malicious samples were submitted to VirusTotal from the United States and Canada between December 2024 and January 2025.
“During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used by the Chinese threat actor Silver Fox to gain control of victim computers,” the report states.
Once the malware is executed, it performs reconnaissance, evades security tools, and downloads additional payloads, including a keylogger and a crypto miner. The attackers then use the backdoor to gain remote access to the victim’s system and steal sensitive information.
Forescout Research notes that this campaign represents an evolution in Silver Fox’s tactics, as the group has not previously been associated with the use of keyloggers or crypto miners. The researchers believe that the attackers may be expanding their targets to include new regions and sectors.
Healthcare organizations are advised to take steps to mitigate the risk of this attack, including avoiding downloading software from untrusted sources, implementing network segmentation, and running up-to-date antivirus or endpoint detection and response (EDR) solutions.
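For the first mitigation, one way a defender could check endpoints for look-alike copies of the launcher is sketched below. It is an added example, not code from the Forescout report or from Philips, and it assumes the organization keeps its own list of SHA-256 hashes taken from installation media it has verified; `hunt` and `known_good` are hypothetical names.

```python
"""Added example: flag copies of MediaViewerLauncher.exe not on a known-good hash list."""
import hashlib
import os
from pathlib import Path

TARGET_NAME = "mediaviewerlauncher.exe"  # executable name the article says was trojanized


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known_good):
    """Return one finding per file under root whose name matches the launcher.

    known_good: SHA-256 hex digests from media the organization verified itself
    (assumption: such a list exists; none is given in the article).
    """
    allow = {h.lower() for h in known_good}
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            if name.lower() != TARGET_NAME:  # case-insensitive, as on Windows
                continue
            path = Path(dirpath) / name
            try:
                digest = sha256_of(path)
            except OSError as exc:  # locked or unreadable: report it, do not skip silently
                findings.append({"path": str(path), "sha256": None,
                                 "verdict": f"unreadable: {exc}"})
                continue
            verdict = "known-good" if digest in allow else "UNKNOWN - investigate"
            findings.append({"path": str(path), "sha256": digest, "verdict": verdict})
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    known = set()  # placeholder: fill with hashes from your own verified installer
    for f in hunt(root, known):
        print(f"{f['verdict']:<22} {f['sha256']} {f['path']}")
```

A file name match with an unknown hash is a lead for triage, not proof of compromise; legitimate version differences will also show up as unknown until their hashes are added to the list.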