A Chinese government-backed group is spoofing legitimate medical software to hijack hospital patients’ computers, infecting them with backdoors, credential-swiping keyloggers, and cryptominers.
Forescout’s Vedere Labs researchers on Monday sounded the alarm after identifying dozens of malware samples masquerading as Philips DICOM medical image viewers and other legitimate software.
The samples, all collected between July 2024 and January 2025, used PowerShell commands to evade detection and shared certain file system artifacts. The most recent were disguised as MediaViewerLauncher.exe, the primary executable for the Philips DICOM viewer, and emedhtml.exe for EmEditor, while other samples purported to be system drivers and utilities, such as x64DrvFx.exe.
However, instead of running the expected medical imaging application on the victim’s machine, these samples deploy ValleyRAT, a backdoor remote access tool (RAT) used by Beijing-backed crew Silver Fox.
This PRC-backed group, also known as Void Arachne and The Great Thief of Valley, typically targets Chinese-speaking victims. However, “the new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors,” Vedere Labs researchers Amine Amri, Sai Molige, and Daniel dos Santos said.
Additionally, the keylogger and cryptocurrency miner are new techniques for Silver Fox, the researchers noted.
The threat hunters say they can’t confirm the exact distribution method used to deploy the first-stage malware, but note that Silver Fox has been known to use SEO poisoning and phishing campaigns in the past.
Once the miscreants convince their victim to download and run what they believe is medical software, the malware runs native Windows utilities such as ping.exe, find.exe, cmd.exe, and ipconfig.exe to establish communications with the command-and-control (C2) server hosted in Alibaba Cloud. It then runs PowerShell commands to exclude certain paths from Windows Defender scans, allowing the code to remain undetected on the infected machine.
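The Defender-exclusion step described above is one of the more reliable detection points in this chain, because PowerShell script block logging (Event ID 4104) records the script text as executed. The following is an added example, not code from the article or from Forescout: a small Python triage routine that scans constructed script-block records for `Add-MpPreference`/`Set-MpPreference` calls that add an exclusion, and rates an exclusion pointing at a user-writable location higher than one for a vendor directory. The hostnames, parent-process names and log records are constructed for the example.

```python
import re

# Constructed sample of PowerShell script-block log records (Event ID 4104 style),
# built for this example; they are not log data from the Forescout report.
SAMPLE_SCRIPT_BLOCKS = [
    {"host": "ws-patient-01", "parent": "MediaViewerLauncher.exe",
     "script": "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Update'"},
    {"host": "ws-admin-02", "parent": "explorer.exe",
     "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"host": "ws-patient-01", "parent": "MediaViewerLauncher.exe",
     "script": "Set-MpPreference -ExclusionProcess \"x64DrvFx.exe\""},
    {"host": "ws-it-03", "parent": "explorer.exe",
     "script": "Set-MpPreference -ScanScheduleDay 1"},
]

# Add-MpPreference / Set-MpPreference followed by one of Defender's exclusion
# parameters. Matching is case-insensitive because PowerShell is, and the value
# may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+"
    r"(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>[^\s,]+))",
    re.IGNORECASE,
)

# Locations a non-admin process can write to. An exclusion that points there is a
# stronger signal than one covering a vendor install directory.
USER_WRITABLE_RE = re.compile(
    r"\\(ProgramData|AppData|Temp|Users\\Public)(\\|$)", re.IGNORECASE
)


def find_defender_exclusion_changes(records):
    """Return one finding per exclusion added by a logged script block."""
    findings = []
    for rec in records:
        for m in EXCLUSION_RE.finditer(rec["script"]):
            kind = m.group("kind")
            value = m.group("sq") or m.group("dq") or m.group("bare")
            high = kind.lower() == "path" and USER_WRITABLE_RE.search(value) is not None
            findings.append({
                "host": rec["host"],
                "parent": rec["parent"],          # process that launched PowerShell
                "kind": "Exclusion" + kind,
                "value": value,
                "severity": "high" if high else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_defender_exclusion_changes(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f['severity']}] {f['host']}: {f['parent']} -> {f['kind']} {f['value']}")
```

The `parent` field is worth keeping in the finding: an imaging viewer or a file named like a driver spawning PowerShell to change Defender settings is exactly the pairing the report describes, and it lets an analyst separate that from an administrator tuning exclusions from a console.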
Next, the malware contacts an Alibaba Cloud bucket to download encrypted payloads disguised as image files. These include TrueSightKiller, which scans for antivirus and endpoint detection tools running on the compromised machine before terminating the software, and a Cyren AV DLL, which contains code to evade debugging.
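Payloads "disguised as image files" are a recurring staging trick, and the cheapest check against them is whether a file's content matches the format its name claims. The following is an added example, not code from the article or from Forescout: a Python triage function that compares a file's extension against its leading signature bytes, flags a PE header (`MZ`) behind an image extension, and reports Shannon entropy as a secondary indicator for encrypted blobs. The file names and byte strings are constructed for the example.

```python
import math

# Leading signature bytes for image formats a viewer would legitimately open.
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
}
EXT_ALIASES = {"jpg": "jpeg"}   # normalise common extension spellings
PE_SIGNATURE = b"MZ"            # Windows executable / DLL header


def detect_format(data: bytes):
    """Return the format implied by the file's leading bytes, or None."""
    for fmt, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    if data.startswith(PE_SIGNATURE):
        return "pe"
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(name: str, data: bytes) -> dict:
    """Compare the declared (extension) format with the detected one."""
    declared = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    declared = EXT_ALIASES.get(declared, declared)
    detected = detect_format(data)
    verdict = "ok"
    if declared in IMAGE_SIGNATURES and detected != declared:
        verdict = "disguised-executable" if detected == "pe" else "not-an-image"
    return {
        "name": name,
        "declared": declared,
        "detected": detected,
        "entropy": round(shannon_entropy(data), 2),
        "verdict": verdict,
    }


# Constructed samples: a genuine-looking PNG header, a PE header behind a .jpg
# name, and a uniformly distributed blob (entropy 8.0) behind a .png name.
SAMPLE_FILES = [
    ("scan_0001.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("scan_0002.jpg", b"MZ\x90\x00" + b"\x00" * 64),
    ("scan_0003.png", bytes(range(256)) * 4),
]


def triage_batch(files):
    return [triage(name, data) for name, data in files]


if __name__ == "__main__":
    for r in triage_batch(SAMPLE_FILES):
        print(f"{r['name']}: declared={r['declared']} detected={r['detected']} "
              f"entropy={r['entropy']} -> {r['verdict']}")
```

This catches only the plainest disguise, a non-image body under an image name. A payload that carries a valid image header in front of encrypted data passes the signature check, which is why the entropy figure is reported alongside it rather than the verdict alone.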
After disabling the victim’s security products, the malware downloads the ValleyRAT backdoor that retrieves additional encrypted payloads from the C2 server, including the keylogger and miner.
“At the time of this analysis, the Alibaba Cloud storage buckets remained accessible, but the C2 server was already offline,” according to the researchers.
While this particular campaign targets patients rather than hospitals directly, the risk to healthcare orgs “remains significant,” they wrote. “In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.” ®