New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic
New MODBEACON RAT from China-linked Silver Fox uses gRPC for encrypted C2.
Summary
A new Rust-based RAT named MODBEACON, attributed to the China-linked Silver Fox cybercrime group, has been identified. This malware utilizes gRPC streaming for encrypted command-and-control (C2) traffic, leveraging components from an open-source anti-censorship proxy framework. The group employs SEO poisoning and counterfeit installers to distribute the malware, targeting various enterprises across Asia.
Full text
New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic Ravie LakshmananJul 10, 2026Malware / Enterprise Security The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON. Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure, which compromises multiple distributors. "These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families," QiAnXin said. One such campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. MODBEACON's requested command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare's Content Delivery Network (CDN). The distributor is assessed to be a hybrid threat actor, acting as a composite of "cybercriminal arms dealer" and "traffic broker." One arm of its operations involves expanding its infection footprint across Asia through daily SEO operations for fraud business, while the other focuses on propagating advanced trojans, or renting high-value access to downstream customers, or establishing "criminal-on-criminal" schemes targeting the Cambodian gambling sector. The newly discovered campaign combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection on infected hosts. The memory-resident malware functions as a remote implant capable of fetching additional modules, running operator commands, and maintaining encrypted communications with attacker infrastructure. "The Trojan is a professional and private C2 framework: the loader and beacon are separated, the configuration is injectable, the beacon employs a plugin-based architecture (native-v3 plugins with entry/init/fini RVA), and it uses gRPC tunnel streaming for communication," QiAnXin explained. "The overall engineering quality is high. Its core highlight is the reuse of the transport layer from an open-source anti-censorship proxy framework (Xray/V2Ray) as its C2 channel." Like previous campaigns attributed to the Silver Fox intrusion ecosystem, the attack chain uses counterfeit domains advertising bogus installers for popular domestic software as lures to trick unsuspecting users into downloading malicious ZIP archives responsible for deploying the malware. The core capabilities of MODBEACON include - Fingerprinting the host Loading plugins in memory Sending heartbeat messages Reporting the results of command execution Setting persistence using scheduled tasks "This capability can be used for subsequent on-demand expansion of information theft, lateral movement, proxy forwarding, or other payloads," QiAnXin said. The disclosure comes amid a gradual broadening of Silver Fox's arsenal, which has deployed malware families tracked as Atlas RAT, ABCDoor, RomulusLoader, and SilentRunLoader, indicating that the threat actor is actively refining its tradecraft. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Cloud security, Cybercrime, enterprise security, Malware, Remote Access Trojan, SEO poisoning, Social Engineering, Supply Chain Security, Windows Security ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Indicators of Compromise
- malware — MODBEACON
- malware — Gh0st RAT
- malware — WinOS (ValleyRAT)
- malware — Atlas RAT
- malware — ABCDoor
- malware — RomulusLoader
- malware — SilentRunLoader