A Chinese government-backed hacking group is using fake medical software to compromise hospital patients' computers, infecting them with backdoors, keyloggers, and cryptominers.
According to Forescout’s Vedere Labs, these cybercriminals are impersonating legitimate programs like the Philips DICOM medical image viewer to carry out their attacks.
Vedere Labs researchers identified dozens of malware samples collected between July 2024 and January 2025. These malicious programs, disguised as software like MediaViewerLauncher.exe (Philips DICOM viewer) and emedhtml.exe (EmEditor), use PowerShell commands to evade detection.
Instead of running the expected applications, these files deploy ValleyRAT, a remote access tool used by the Chinese state-sponsored hacking group Silver Fox—also known as Void Arachne and The Great Thief of Valley. While this group usually targets Chinese-speaking victims, researchers note a shift in strategy.
“The new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors,” said Vedere Labs researchers Amine Amri, Sai Molige, and Daniel dos Santos.
Silver Fox is now deploying keyloggers to steal credentials and cryptominers to hijack system resources for financial gain. While the exact distribution method remains unclear, past campaigns have used SEO poisoning and phishing to trick victims into downloading malware.
Once executed, the malware abuses native Windows utilities like ping.exe, find.exe, cmd.exe, and ipconfig.exe to connect with its command-and-control (C2) server hosted on Alibaba Cloud. It then executes PowerShell commands to disable Windows Defender, ensuring its malicious code remains undetected.
The malware retrieves encrypted payloads from an Alibaba Cloud bucket, including:
- TrueSightKiller – Scans for and disables antivirus and endpoint detection tools
- A Cyren AV DLL – Contains code to evade debugging
After bypassing security defenses, the malware downloads ValleyRAT, which then fetches additional payloads, including the keylogger and cryptominer.
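The execution chain described above (a lookalike executable such as MediaViewerLauncher.exe launching native utilities like ping.exe, cmd.exe and ipconfig.exe, then running PowerShell against Windows Defender) is the kind of parent/child relationship that endpoint telemetry can surface. The following Python triage script is an added example written for this article, not code from Forescout or the researchers; it runs over a handful of constructed process-creation records in the shape of Sysmon Event ID 1 fields. The user-writable-directory heuristic, the Defender-tampering keyword list, the `ExampleVendor` install path and the `c2.example.invalid` host name are assumptions made for the demonstration and are not from the page.

```python
import re
from dataclasses import dataclass

# Executable names the article reports being impersonated (Philips DICOM viewer, EmEditor).
LOOKALIKE_NAMES = {"mediaviewerlauncher.exe", "emedhtml.exe"}
# Native Windows utilities the article says the malware abuses.
LOLBINS = {"ping.exe", "find.exe", "cmd.exe", "ipconfig.exe", "powershell.exe"}
# Assumed heuristic: an installed viewer would not normally run from these locations.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# Well-known Defender cmdlet / parameter names used in tampering detections (assumed keyword list).
DEFENDER_TAMPER = re.compile(r"set-mppreference|add-mppreference|disablerealtimemonitoring", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(ev, by_pid, max_depth=8):
    """Yield parent, grandparent, ... up to max_depth (bounded to survive pid-reuse loops)."""
    cur, depth = ev, 0
    while depth < max_depth and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        yield cur
        depth += 1


def analyze(events):
    """Return a list of findings; each finding names the rule and the offending pid."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        # Rule 1: a file named like the medical/editor software runs from a user-writable path.
        if name in LOOKALIKE_NAMES and any(d in e.image.lower() for d in USER_WRITABLE):
            findings.append({"rule": "lookalike_in_user_dir", "pid": e.pid, "image": e.image})
        # Rule 2: a native utility has a lookalike executable anywhere in its ancestry.
        if name in LOLBINS:
            for anc in ancestors(e, by_pid):
                if basename(anc.image) in LOOKALIKE_NAMES:
                    findings.append({"rule": "lookalike_spawns_lolbin", "pid": e.pid,
                                     "ancestor_pid": anc.pid, "image": e.image})
                    break
        # Rule 3: PowerShell command line touches Defender configuration.
        if name == "powershell.exe" and DEFENDER_TAMPER.search(e.cmdline):
            findings.append({"rule": "defender_tamper_cmdline", "pid": e.pid, "cmdline": e.cmdline})
    return findings


# Constructed sample telemetry (not real logs). Pid 500 is a legitimately installed copy
# under an assumed vendor directory and should not be flagged; pids 600/610 are a benign
# cmd.exe -> ipconfig.exe chain with no lookalike ancestor.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\MediaViewerLauncher.exe", "MediaViewerLauncher.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping -n 1 c2.example.invalid"),
    ProcEvent(310, 300, r"C:\Windows\System32\PING.EXE", "ping -n 1 c2.example.invalid"),
    ProcEvent(400, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(500, 100, r"C:\Program Files\ExampleVendor\MediaViewerLauncher.exe", "MediaViewerLauncher.exe"),
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(610, 600, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]


def run_sample():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Rule 2 walks the full ancestry rather than checking only the direct parent, so ping.exe launched through an intermediate cmd.exe is still tied back to the lookalike process; the depth bound keeps the walk finite when pid reuse produces a cycle. On the constructed sample the script produces five findings (pids 200, 300, 310 and 400) and stays silent on the legitimately installed copy and the benign ipconfig chain.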
While this campaign primarily targets patients' devices, it poses a significant risk to healthcare organizations. Researchers warn that infected devices brought into hospitals could spread malware across networks.
“In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.”
Although the C2 server was offline at the time of analysis, the Alibaba Cloud storage buckets remained accessible. Healthcare organizations should remain vigilant against this growing cyber threat.