National Cyber Warfare Foundation (NCWF)
2025-06-16 20:14:12
blscott
  • Aliases: Silver Fox, Void Arachne, The Great Thief of Valley
  • Origin: A China-based APT active since at least 2024
  • Primary Targets: Initially focused on Chinese-speaking regions; has since broadened to Taiwan, North America, and beyond, targeting sectors such as healthcare, government, finance, e-commerce, cybersecurity firms, and gaming


🎯 Proven Attack Vectors & Malware


1. Trojanized Medical Imaging Software

  • Campaigns spoof the Philips DICOM Viewer and other medical apps, embedding the ValleyRAT backdoor together with a keylogger and a crypto miner
  • Delivered via SEO poisoning and phishing, with over 29 samples identified between Dec 2024 and Jan 2025

2. Winos 4.0 / ValleyRAT

  • Multi-stage RAT families evolved from the open-source Gh0stRAT, offering remote control, keystroke logging, screenshot capture, and data exfiltration
  • Spread via phishing campaigns, e.g. emails posing as Taiwan’s National Taxation Bureau that deliver the “lastbld2Base.dll” loader

3. PNGPlug Loader & MSI Packages

  • Uses MSI installers that bundle a benign application with encrypted payloads disguised as PNG/GIF image files (the PNGPlug technique)

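A defender-side check for the PNGPlug pattern above, added here as an example and not code from this page or from any vendor report: it confirms that a file carrying a .png or .gif extension is structurally a real image, walking PNG chunks, verifying each CRC, and flagging any bytes appended after IEND. The assumption that a hidden payload is appended to or replaces real image data is mine, and every sample input is constructed inline.

```python
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

def inspect_png(data: bytes) -> dict:
    """Walk the PNG chunk list; report bad magic, bad CRCs, truncation, or bytes after IEND."""
    if not data.startswith(PNG_MAGIC):
        return {"valid": False, "reason": "bad PNG magic", "overlay": 0}
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        stored_crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(stored_crc) != 4:
            break  # chunk runs past the end of the file
        if zlib.crc32(ctype + body) != int.from_bytes(stored_crc, "big"):
            return {"valid": False, "reason": "bad CRC in " + ctype.decode("ascii", "replace"), "overlay": 0}
        pos += 12 + length
        if ctype == b"IEND":
            overlay = len(data) - pos  # a real PNG ends at IEND; anything after it is foreign data
            return {"valid": overlay == 0, "reason": "ok" if overlay == 0 else "data after IEND", "overlay": overlay}
    return {"valid": False, "reason": "truncated or missing IEND", "overlay": 0}

def inspect_image_file(name: str, data: bytes) -> dict:
    """Dispatch on the claimed extension; a mismatch between name and content is the signal."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext == "png":
        return inspect_png(data)
    if ext == "gif":
        ok = data.startswith(GIF_MAGICS) and data.endswith(b";")  # GIF header plus 0x3B trailer
        return {"valid": ok, "reason": "ok" if ok else "bad GIF header/trailer", "overlay": 0}
    return {"valid": None, "reason": "not an image extension", "overlay": 0}

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return len(body).to_bytes(4, "big") + ctype + body + zlib.crc32(ctype + body).to_bytes(4, "big")

# Constructed samples (not real malware): a genuine 1x1 grayscale PNG, the same PNG with a
# fake blob appended, and a file with an MZ header renamed to .png.
IHDR = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 0, 0, 0, 0])
CLEAN_PNG = PNG_MAGIC + _chunk(b"IHDR", IHDR) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
PNG_WITH_OVERLAY = CLEAN_PNG + b"FAKE-ENCRYPTED-PAYLOAD" * 4
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("logo.png", CLEAN_PNG), ("logo.png", PNG_WITH_OVERLAY), ("icon.png", RENAMED_EXE)]:
        print(name, inspect_image_file(name, blob))
```

In a triage pipeline this check belongs on every image-named file dropped by an MSI installer; a bad CRC or a large overlay is the cue to pull the file for analysis rather than trusting its extension.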
4. BYOVD (Bring-Your-Own-Vulnerable-Driver)

  • Loads signed but vulnerable drivers (e.g. Truesight.sys) to bypass security controls, then deploys Gh0stRAT


🔍 Tactics, Techniques & Procedures (TTPs)


  • SEO poisoning & phishing: malicious installers are surfaced through fake SEO-ranked sites and email lures
  • MSI-based multi-stage loaders: an initial benign-looking MSI decrypts the embedded payloads (shellcode, DLLs) and creates scheduled tasks for persistence
  • Vulnerable driver exploitation: installing signed but vulnerable drivers to disable AV/EDR protections
  • In-memory execution & obfuscation: API hashing, sleep delays, shellcode, and random padding to evade detection
  • Multi-region targeting: language checks (Chinese/Vietnamese) to selectively infect victims



🏥 Notable Campaigns

  1. Healthcare sector (Feb–Mar 2025)
    Trojanized DICOM viewers carrying ValleyRAT, defence evasion via PowerShell-added exclusions, and crypto miners

  2. Taiwan tax-themed phishing (Mar 2025)
    A Winos 4.0 loader masquerading as a tax bureau document leads to installation of a remote backdoor

  3. PSD (BYOVD) driver abuse (Feb 2025)
    The Truesight.sys driver was exploited to disable security tooling, and Gh0stRAT was deployed across Southeast Asia

Primary Names
Void Arachne
Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.