Threat Bulletin

Blackwell Helix Threat Bulletin: Malicious DICOM Installers Exploited by Silver Fox APT


Key Alert:

A China-based threat group, identified as Silver Fox (also known as Void Arachne or The Great Thief of the Valley), is targeting the healthcare sector by distributing weaponized installers for Digital Imaging and Communications in Medicine (DICOM) viewers. These malicious installers deploy remote access trojans (RATs), creating backdoors that allow attackers to gain control over compromised systems.

Threat Overview:

  • Targeted Component: Installers for DICOM viewers, specifically those mimicking legitimate applications like Philips DICOM viewers.
  • Proof-of-Concept (PoC): Silver Fox has been observed distributing malware-laden installers that appear to be legitimate DICOM viewer applications. Upon installation, these programs deploy ValleyRAT malware, establishing unauthorized access to the system. The group employs tactics such as SEO poisoning, phishing, and social media manipulation to lure victims into downloading these malicious installers.
  • Exploitation in the Wild: Active since at least December 2024, this campaign has involved 29 identified malware samples disguised as Philips DICOM viewers. While initial attacks focused on Chinese entities, Silver Fox has expanded its targets to include global healthcare organizations, aiming to steal sensitive data without engaging in extortion.

Healthcare Impacts:

  • Unauthorized Data Access: Compromised systems may lead to unauthorized exposure of sensitive patient information and electronic health records (EHRs).
  • Operational Disruption: Deployment of remote access trojans can disrupt healthcare operations, potentially compromising critical medical systems and devices.
  • Incident Response Challenges: The stealthy nature of Silver Fox’s tactics complicates detection and remediation efforts, allowing prolonged unauthorized access to healthcare networks.

Exploitation Method:

Attackers distribute malicious installers masquerading as legitimate DICOM viewer applications. Upon installation, these programs deploy ValleyRAT malware, providing attackers with remote access to the system. The group utilizes various distribution methods, including SEO poisoning, phishing campaigns, and social media manipulation, to entice users into downloading the compromised software.

Affected Products and Versions:

  • Installers purporting to be Philips DICOM viewers have been specifically targeted. However, other applications, such as EmEditor and various system drivers, have also been used as disguises for the malware.
  • DICOM viewers are primarily used by patients to access medical imaging, which reduces—but does not eliminate—the risk of infection on hospital-exclusive endpoints. As healthcare delivery organizations (HDOs) expand their integration with remote patient care and hospital-at-home programs, the potential attack surface grows, increasing the risk of malware propagation into clinical networks.

Indicators of Compromise (IoCs):

  • Unusual Network Activity: Unexpected outbound connections to external servers, particularly those associated with known malicious domains. The C2 IP address and staging domain observed in this campaign are listed at the end of this section.
  • Unauthorized File Modifications: Alterations to system files or the presence of unknown executables in directories associated with DICOM viewers.
  • System Logs: Entries indicating the execution of unauthorized code or scripts, especially following the installation of DICOM viewer software.
  • Staging Domain: vien3h.oss-cn-beijing.aliyuncs[.]com
  • Defunct Alibaba Cloud C2: 8.217.60[.]40:8917

Tactics, Techniques, and Procedures (TTPs):

Tactic                  Technique
Initial Access          T1566.001 (Spear Phishing Attachment)
Execution               T1203 (Exploitation for Client Execution)
Persistence             T1547.001 (Registry Run Keys / Startup Folder)
Privilege Escalation    T1068 (Exploitation for Privilege Escalation)
Defense Evasion         T1218.005 (Mshta)
Credential Access       T1555.003 (Credentials from Web Browsers)
Command and Control     T1071.001 (Web Protocols)

Recommendations for Healthcare Organizations:

Immediate Actions:

  • Verify Software Authenticity: Ensure that all DICOM viewer software and other critical applications are downloaded directly from official and reputable sources.
  • Apply Security Patches: Keep all systems and software up to date with the latest security patches to mitigate known vulnerabilities.
  • Monitor Network Activity: Implement continuous monitoring for unusual outbound connections, especially those to unfamiliar external servers.
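
As an added example (not part of the Blackwell bulletin), the following Python scanner refangs the two network IoCs published in the IoC section above and matches them as whole tokens against proxy, DNS and firewall log lines, which is the kind of outbound-connection monitoring this recommendation calls for. The log lines are constructed for illustration; the host names WS-RAD-07 and WS-PACS-02 and the log format are assumptions, and the shared Alibaba OSS endpoint without the bucket prefix is included to show that only the exact staging host is flagged.

```python
import re

# Network IoCs exactly as published in this bulletin, kept in defanged form.
BULLETIN_IOCS = {
    "vien3h.oss-cn-beijing.aliyuncs[.]com": "Staging Domain",
    "8.217.60[.]40:8917": "Defunct Alibaba Cloud C2",
}
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Whole-token IPv4 (optional :port) or dotted host; lookarounds stop partial matches and allow a trailing FQDN dot.
TOKEN_RE = re.compile(
    rf"(?<![\w.])({IPV4}(?::\d{{1,5}})?|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?!\w|\.\w)", re.I
)

def refang(indicator):
    """Undo the "[.]" / "hxxp" defanging so the values compare against raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def index_iocs(iocs):
    """Exact-match table plus, for ip:port IoCs, the bare IP for lower-confidence hits."""
    exact, bare_ips = {}, {}
    for raw, label in iocs.items():
        value = refang(raw)
        exact[value] = label
        host, sep, _port = value.rpartition(":")
        if sep and re.fullmatch(IPV4, host):
            bare_ips[host] = label
    return exact, bare_ips

def scan_log(lines, iocs=BULLETIN_IOCS):
    """Return (line_no, token, label) for each IoC seen as a whole token in the lines."""
    exact, bare_ips = index_iocs(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            tok = tok.lower()
            if tok in exact:  # full host name or ip:port match: high confidence
                hits.append((n, tok, exact[tok]))
            elif tok.split(":")[0] in bare_ips:  # C2 IP seen on another port or without one
                hits.append((n, tok, bare_ips[tok.split(":")[0]] + " (IP only)"))
    return hits

# Constructed proxy/DNS/firewall lines (not real telemetry); line 3 is the shared OSS endpoint and must not hit.
SAMPLE_LOG = [
    "2025-03-03T09:14:02Z proxy01 WS-RAD-07 CONNECT 8.217.60.40:8917 200",
    "2025-03-03T09:14:05Z dns01 WS-RAD-07 query vien3h.oss-cn-beijing.aliyuncs.com. A",
    "2025-03-03T09:15:11Z proxy01 WS-PACS-02 GET http://oss-cn-beijing.aliyuncs.com/status 200",
    "2025-03-03T09:16:40Z fw01 allow 10.20.30.7 -> 8.217.60.41:443",
    "2025-03-03T09:17:02Z fw01 allow 10.20.30.9 -> 8.217.60.40:443",
]
```

Running scan_log(SAMPLE_LOG) flags lines 1, 2 and 5 only; the IP-only hit on line 5 is reported with a lower-confidence label because the C2 has been observed on port 8917 specifically.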

Long-Term Defense:

  • User Training: Educate staff on the risks of downloading software from unverified sources and recognizing phishing attempts.
  • Advanced Threat Protection: Deploy advanced security solutions capable of detecting and preventing the execution of unauthorized code.
  • Regular Audits: Conduct periodic security assessments of all systems, focusing on the integrity of medical imaging software and associated devices.

Leadership Guidance:

This finding underscores the necessity for robust cybersecurity measures within healthcare environments. Leadership should prioritize the implementation of strict software procurement policies, regular staff training on cybersecurity best practices, and investment in advanced threat detection solutions to protect sensitive patient data and maintain operational continuity.

Blackwell Security MHXDR Customers:

Blackwell Threat Analysts currently assess the Silver Fox APT as a low-risk threat to Blackwell clients, as there have been no confirmed attacks targeting entities within the United States using this specific malware. However, given Silver Fox’s objectives and capabilities, the potential for targeting U.S. entities, particularly within the healthcare sector, remains a concern, as the industry is a lucrative target for financially motivated threat actors. While the immediate risk is considered low, Blackwell’s Managed Healthcare Extended Detection and Response (MHXDR) systems are actively monitoring for indicators associated with this threat. To mitigate potential risks, organizations should ensure all software installations are sourced exclusively from verified, official channels. Blackwell Security’s automated and manual threat analysis tools are fully equipped to detect and respond to suspicious activities related to this campaign, providing an additional layer of protection to safeguard critical healthcare operations.
