The Knownsec 404 Advanced Threat Intelligence Team has uncovered a sophisticated malware campaign where cybercriminals are impersonating popular online tools, particularly Google Translate, to distribute the dangerous Silver Fox Trojan.
This attack method, which can be traced back to 2024, uses deceptive Flash update prompts to trick users into downloading malicious software that compromises their systems entirely.
The Silver Fox cybercrime gang employs a multi-layered deception strategy to ensnare victims. When users visit fake websites mimicking Google Translate or other popular tools like currency converters and WPS office software, the attackers monitor for any user interaction on the page.
Upon detecting a click, the system displays a fraudulent prompt claiming the user’s Flash version is outdated, ultimately redirecting them to a malicious download page.
The attackers have also created counterfeit versions of widely used applications, including Easy Translation, Youdao Translation, Bit Browser, and LetsVPN.
These fake websites are distributed through multiple channels, including email campaigns, phishing sites, and instant messaging platforms, and use search engine optimization (SEO) techniques to appear prominently in search results.
The malicious installation packages come in two formats: MSI and EXE files, both designed to deploy the Winos Trojan.
Upon execution, the MSI installer releases multiple files and loads aicustact.dll, which serves as a loader for attacker-specified components.
The malware establishes persistence by writing Microsoftdata.exe into the Windows registry’s run key, ensuring the Trojan survives system reboots.
The core payload, written in Golang and disguised with legitimate-sounding names, reads encrypted configuration data from Xps.dtd files.
After decryption, the shellcode loads a PE executable containing the actual Winos malware, identified by PDB strings referencing “RexRat4.0.3.” This Trojan provides comprehensive remote access capabilities, including screenshot capture, keylogging, and clipboard data theft.
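As an added defender-side example (not Knownsec 404's code): a small triage script that checks constructed, simplified endpoint events against the indicators named above (the Run-key entry for Microsoftdata.exe, the dropped aicustact.dll and Xps.dtd files, and the RexRat4.0.3 PDB string). The event records and their field names are assumptions to be mapped onto real telemetry such as Sysmon registry, file-create and image-load events.

```python
"""Triage helper for the Silver Fox / Winos indicators described in the article.

Added example, not Knownsec 404 code. Event records and field names below
are constructed and simplified; map them onto your own telemetry.
"""
import re

# Run key under HKCU or HKLM; RunOnce is deliberately not matched.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)

# Indicators taken from the article text (compared case-insensitively).
PERSISTENCE_BINARY = "microsoftdata.exe"
DROPPED_FILES = {"aicustact.dll", "xps.dtd"}
PDB_MARKER = "rexrat4.0.3"


def classify(event):
    """Return a finding string if the event matches an indicator, else None."""
    kind = event.get("type")
    if kind == "registry_set":
        if RUN_KEY.search(event.get("key", "")) and PERSISTENCE_BINARY in event.get("data", "").lower():
            return f"run-key persistence -> {event['data']}"
    elif kind == "file_create":
        name = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED_FILES:
            return f"dropped component {name} at {event['path']}"
    elif kind == "image_load":
        if PDB_MARKER in event.get("pdb", "").lower():
            return f"Winos PDB marker in {event['image']}"
    return None


def scan_events(events):
    """Return (host, finding) pairs for every event that matches an indicator."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append((event["host"], finding))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, two benign entries included
    {"host": "ws01", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Microsoftdata", "data": r"C:\Users\u\AppData\Roaming\Microsoftdata.exe"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\MSI1234.tmp\aicustact.dll"},
    {"host": "ws02", "type": "file_create", "path": r"C:\Program Files\Tool\Xps.dtd"},
    {"host": "ws02", "type": "image_load", "image": r"C:\Windows\Temp\svc.exe", "pdb": r"D:\work\RexRat4.0.3\Release\client.pdb"},
    {"host": "ws03", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"host": "ws03", "type": "file_create", "path": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for host, finding in scan_events(SAMPLE_EVENTS):
        print(host, finding)
```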
Since 2022, Silver Fox has evolved from a single organization into a malware family widely adopted by various cybercrime groups and APT organizations.
The leak of core Trojan source code, particularly Winos 4.0, has enabled widespread proliferation across the Chinese internet ecosystem, with multiple threat actors now utilizing these tools for their campaigns.
Security experts strongly advise users to download software exclusively from official websites, avoid third-party or cracked versions, and maintain updated operating systems and security software.
The modular nature of Silver Fox malware, combined with advanced anti-detection techniques including code obfuscation and signature forgery, makes it particularly dangerous to both individual users and enterprise networks.
Hashes (SHA-256):
38bdef0bdf05adeefb1d4ba04296c757eb8cdfb9be958e4c0d544764564df177
b5e0893617a6a1b5e5f3c0c85fa82eaa9c6e66a511ca3974e35d6a466b52642a
cf17ce1d9a3f0151afd129823303aa949f6c7d71692dff5f6c39bcef03c8dadc
cdd221dfe3d856aae18cd5af30fd771df44441c35383278a1559438c3e708cfd