Silver Fox APT deploys malware via repackaged Telegram, Chrome, and MS Teams installers

A new malware campaign has been observed that combines multi-layered obfuscation, endpoint-security tampering, and kernel-level techniques. Researchers at Nextron Systems, who discovered the campaign, have attributed it to Silver Fox, a China-aligned advanced persistent threat group active since at least 2022.

The campaign is delivered through repackaged installers for widely used applications, including Telegram, WinSCP, Google Chrome, and Microsoft Teams. While the installers appear legitimate, the malware installs hidden components, deploys vulnerable drivers, disables defenses, and ultimately launches ValleyRat, a remote-access tool enabling long-term persistence.

Researchers note that the operation is consistent with earlier Silver Fox campaigns that relied on archive-based staging, DLL sideloading, misuse of Chinese security tools, and Bring Your Own Vulnerable Driver (BYOVD) techniques.

The infection chain begins when a user executes a trojanized Telegram installer named tg.exe, which mimics Telegram Desktop 6.0.2 and displays a convincing interface. At the time of analysis, only a small number of antivirus engines detected the file as malicious. Distribution vectors have included spear-phishing and malvertising campaigns directing victims to spoofed download links.

Upon execution, tg.exe creates the directory C:\ProgramData\WindowsData\ and drops several files, including funzip.exe (a renamed 7-Zip binary) and main.xml, a password-protected ZIP archive masquerading as a configuration file. Extracted contents include men.exe, the campaign’s main component, and a genuine Telegram installer, both of which are launched.

Once active, men.exe conducts process reconnaissance, identifying security tools such as Microsoft Defender and Chinese security products. It then stages further components in a public-profile directory, manipulates file permissions to hinder remediation, and creates a scheduled task that runs an encoded VBE script.

The script loads the vulnerable driver and launches a legitimately signed binary that sideloads the ValleyRat payload, giving the operators persistent remote access. Notably, the campaign also uses PowerShell to add a Microsoft Defender exclusion covering the entire C:\ drive, which removes the system drive from Defender's real-time and scheduled scanning and so shields every subsequently dropped component.
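The chain described above leaves behaviours that are easy to hunt for in process-creation telemetry: a renamed 7-Zip extracting a password-protected archive with a non-archive extension, activity under C:\ProgramData\WindowsData\, a scheduled task whose action is a .vbe script, and an Add-/Set-MpPreference call excluding a bare drive root. The following Python is an added example for defenders, not part of the original report or of Nextron's tooling. The event shape (image, command line, OriginalFileName, as in Sysmon Event ID 1), the sample command lines and the list of 7-Zip OriginalFileName values are constructed assumptions, not captured telemetry from the campaign.

```python
"""Hunting rules for the Silver Fox chain, run over constructed process-creation
records. Added example; field names, sample events and thresholds are assumptions."""
import re
from dataclasses import dataclass
from ntpath import basename  # handles Windows paths on any host OS


@dataclass
class ProcEvent:
    image: str                    # full path of the new process
    cmdline: str                  # its command line
    original_file_name: str = ""  # OriginalFileName from the PE version info (Sysmon field)


# Drop directory named in the report; regular string because a raw string cannot end in "\".
DROP_DIR = "c:\\programdata\\windowsdata\\"
DRIVE_ROOT = re.compile(r"[a-z]:\\?$", re.I)          # C:  or  C:\
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz")
SEVENZIP_NAMES = ("7z.exe", "7za.exe", "7zg.exe")     # assumed OriginalFileName values


def masquerading_binary(ev: ProcEvent) -> bool:
    """Image name differs from the PE's OriginalFileName (e.g. funzip.exe that is really 7z.exe)."""
    return bool(ev.original_file_name) and basename(ev.image).lower() != ev.original_file_name.lower()


def password_archive_with_odd_extension(ev: ProcEvent) -> bool:
    """7-Zip run with a -p<password> switch against a file whose extension is not an archive's."""
    if ev.original_file_name.lower() not in SEVENZIP_NAMES:
        return False
    toks = ev.cmdline.split()
    if not any(t.lower().startswith("-p") for t in toks):
        return False
    targets = [t for t in toks[1:] if not t.startswith("-") and "." in basename(t)]
    return any(not t.lower().strip('"').endswith(ARCHIVE_EXT) for t in targets)


def uses_drop_dir(ev: ProcEvent) -> bool:
    """Process image or command line references the campaign's staging directory."""
    return DROP_DIR in (ev.image + " " + ev.cmdline).lower()


def task_runs_vbe(ev: ProcEvent) -> bool:
    """schtasks /create whose action runs an encoded VBScript (.vbe)."""
    c = ev.cmdline.lower()
    return "schtasks" in c and "/create" in c and ".vbe" in c


def defender_drive_root_exclusion(ev: ProcEvent) -> bool:
    """Add-/Set-MpPreference -ExclusionPath naming a bare drive root such as C:\\ (comma lists too)."""
    if "-mppreference" not in ev.cmdline.lower():
        return False
    m = re.search(r"-ExclusionPath\s+(\S+)", ev.cmdline, re.I)
    if not m:
        return False
    paths = m.group(1).strip("'\"").split(",")
    return any(DRIVE_ROOT.fullmatch(p.strip("'\" ")) for p in paths)


RULES = {
    "masquerading_binary": masquerading_binary,
    "password_archive_with_odd_extension": password_archive_with_odd_extension,
    "uses_drop_dir": uses_drop_dir,
    "task_runs_vbe": task_runs_vbe,
    "defender_drive_root_exclusion": defender_drive_root_exclusion,
}


def hunt(events):
    """Return {event index: [matching rule names]} for every event that trips at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[i] = names
    return hits


# Constructed sample events modelled on the chain above (not captured telemetry).
SAMPLE = [
    ProcEvent(r"C:\ProgramData\WindowsData\funzip.exe",
              r'funzip.exe x -pSecret "C:\ProgramData\WindowsData\main.xml" -oC:\ProgramData\WindowsData',
              original_file_name="7z.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "WindowsData" /sc onlogon /tr "wscript.exe C:\Users\Public\run.vbe"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    # Benign control: real 7-Zip, matching name, genuine .zip, no password switch.
    ProcEvent(r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x C:\Users\me\Downloads\data.zip -oC:\Users\me\out",
              original_file_name="7z.exe"),
]

if __name__ == "__main__":
    for idx, names in hunt(SAMPLE).items():
        print(idx, SAMPLE[idx].image, "->", ", ".join(names))
```

The drive-root rule deliberately ignores ordinary path exclusions such as "C:\Program Files\App" and only fires on C: or C:\ (including comma-separated lists), which keeps it quiet in environments where administrators legitimately exclude application folders; the renamed-binary rule depends on OriginalFileName being collected, so it yields nothing on telemetry that lacks that field.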
