Silver Fox hides ValleyRAT in fake Telegram Chinese language pack installer
A new Silver Fox malware campaign is using a fake Telegram Chinese language pack installer to deliver ValleyRAT on Windows systems. Public reporting says the lure arrives as a malicious MSI package that looks harmless, but it can unpack multiple stages, set up persistence, and contact attacker-controlled infrastructure once the victim runs it.
The campaign matters because Silver Fox already has a track record of using fake software sites, language-specific lures, and driver abuse to infect users across Asia. Separate reporting from 2025 and early 2026 shows the group repeatedly used fake installers and social engineering to spread ValleyRAT and related tooling.
What is new here is the Telegram-themed lure and the unusually layered MSI delivery chain described in current reporting. The source article attributes the analysis to Breakglass Intelligence, but I could not find a public Breakglass report at the time of writing, so the details below rely on public reporting that cites that research plus older, independently documented Silver Fox behavior.
How the malware is delivered
According to current reporting, the malicious file masquerades as a Telegram Chinese language pack installer and arrives as an MSI package. The reports say the installer was built with the WiX toolset and is configured to stay hidden from the normal Add or Remove Programs view, which helps the infection avoid attention after execution. The standard way an MSI package does this is by setting the ARPSYSTEMCOMPONENT property, which writes a SystemComponent=1 value under the package's Uninstall registry key; the reporting does not say which mechanism this sample uses, but that registry value is a quick thing to check on a suspect host.
The same reporting says the installer triggers a script-based custom action, unpacks archived content, and then reveals the final payload after decryption. One notable detail is the use of a renamed copy of the legitimate zpaqfranz archiver, which the attackers allegedly use as a living-off-the-land style unpacking tool inside the infection chain. Renaming the binary defeats simple file-name matching, but the PE version resource and file hash of the renamed copy still identify it as zpaqfranz.
That workflow fits Silver Fox’s broader playbook. Earlier research from The Hacker News, Malwarebytes, and ReliaQuest shows the group often wraps ValleyRAT inside fake software downloads, then layers in evasion, persistence, and defense-disabling behavior before the remote access trojan fully activates.
What ValleyRAT gives attackers
ValleyRAT, also called Winos 4.0 in some reporting, is a remote access trojan associated with Silver Fox activity. It can give attackers long-term access to a victim machine, support surveillance and data theft, and open the door to later actions such as credential abuse or follow-on malware deployment.
Public reporting on this new campaign says the malware chain also drops an additional binary for persistence and may include screenshot or covert communication features. It further claims the attackers use a bring-your-own-vulnerable-driver (BYOVD) technique, loading a kernel-level component to weaken security protections and hide activity. I have not independently verified those exact artifacts from a primary vendor report, so those details should be treated as currently reported, not directly confirmed by a public technical advisory from the named researchers.
Even with that caveat, the larger risk is clear. Silver Fox has repeatedly shown a willingness to pair ValleyRAT with signed or vulnerable drivers, fake software brands, and security-evasion features that make infections harder to catch and harder to remove.
Reported infection chain at a glance
| Stage | Reported behavior |
|---|---|
| Initial lure | Fake Telegram Chinese language pack delivered as MSI |
| Installer behavior | WiX-built MSI triggers script-based custom action |
| Unpacking | Uses renamed zpaqfranz utility and nested archives |
| Payload delivery | Decrypts and launches ValleyRAT components |
| Evasion | Adapts execution path based on security software present |
| Persistence and concealment | Reported scheduled task and possible kernel-level stealth component |
This table reflects the currently published reporting on the April 2026 campaign. Some deeper technical details still trace back to secondary reporting rather than a public primary report from the cited researchers.
Why this campaign may work
The lure is effective because language packs and software configuration files often look routine to users. A Telegram-related package aimed at Chinese-speaking users can appear low-risk, especially if it copies the look and naming style of legitimate software updates or localization tools. That social-engineering angle also matches Silver Fox’s earlier use of fake Teams, tax, security, and productivity lures.
The delivery method also helps the attackers blend in. MSI installers, script-based custom actions, and legitimate unpacking tools can all reduce suspicion during the early stages of execution, especially on systems that allow users to install software freely.
The broader trend is also worrying. Malwarebytes reported in February 2026 that a public leak of the ValleyRAT builder lowered the barrier to entry and likely helped the malware spread beyond one tightly controlled operator set. That does not prove every current ValleyRAT incident belongs to the same team, but it does raise the chance of copycat use and faster campaign expansion.
What defenders should look for
Security teams should investigate unexpected MSI-based software installs, especially those in which msiexec.exe launches a script interpreter (wscript.exe, cscript.exe, powershell.exe, mshta.exe) or unpacks archives right after installation. The reports on this campaign also make zpaqfranz execution a useful hunting lead on ordinary workstations, where that tool would usually have no normal business purpose; because the reported copy is renamed, hunt on the binary's original file name or hash rather than the name on disk.
Teams should also review scheduled task creation, outbound connections to newly seen or unexpected IP infrastructure, DLL side-loading opportunities, and signs of driver abuse or kernel-level tampering. Note that drivers abused in BYOVD attacks usually carry valid signatures, so a signature check alone will not catch them; look instead for drivers loaded from user-writable paths and compare driver hashes against a vulnerable-driver blocklist. Those checks line up with both the new reporting and Silver Fox's previously documented use of vulnerable or signed drivers to bypass protections.
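The following script is an added example written for this article, not code from the cited researchers or from any vendor. It runs the four hunts above over Sysmon-style event records (Event ID 1 process creation and Event ID 6 driver load) that are constructed here for illustration. The OriginalFileName values it keys on for the archiver, and the paths, process IDs and task name in the sample events, are assumptions, not indicators taken from the reporting.

```python
"""Hunt Sysmon-style events for the reported Silver Fox / ValleyRAT MSI chain.

Added example for this article, not code from the cited researchers. The event
records are constructed for illustration; field names follow Sysmon Event ID 1
(process creation) and Event ID 6 (driver load). That a renamed zpaqfranz still
reports "zpaqfranz.exe" as its PE OriginalFileName is an assumption.
"""
from __future__ import annotations

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
UNPACKER_ORIGINAL_NAMES = {"zpaqfranz.exe", "zpaq.exe"}  # assumed PE OriginalFileName values
DRIVER_DIR = r"c:\windows\system32\drivers"              # expected home for legitimate drivers


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: list[dict]) -> list[str]:
    """Return one finding per suspicious event, in input order.

    Heuristics, matching the hunting guidance in the article:
      1. msiexec.exe spawning a script interpreter (script-based custom action)
      2. any execution of zpaqfranz, identified by OriginalFileName, noting a rename
      3. schtasks /create issued from the installer's process tree (persistence)
      4. a kernel driver loaded from outside the system drivers directory (BYOVD lead)
    """
    findings: list[str] = []
    installer_tree: set[int] = set()  # PIDs descended from msiexec.exe

    for ev in events:
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev["ParentImage"])
            pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
            # Track the installer's descendants so later persistence can be tied back to it.
            if parent == "msiexec.exe" or ppid in installer_tree:
                installer_tree.add(pid)

            if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
                findings.append(f"[custom-action] msiexec spawned {image} (pid {pid}): {ev['CommandLine']}")

            original = ev.get("OriginalFileName", "").lower()
            if original in UNPACKER_ORIGINAL_NAMES:
                tag = "renamed " if image != original else ""
                findings.append(f"[unpacker] {tag}{original} executed as {ev['Image']} (pid {pid})")

            if image == "schtasks.exe" and "/create" in ev["CommandLine"].lower() and pid in installer_tree:
                findings.append(f"[persistence] schtasks /create from installer tree (pid {pid}): {ev['CommandLine']}")

        elif ev["EventID"] == 6:
            driver = ev["ImageLoaded"]
            # BYOVD drivers are usually validly signed, so the path is the better first filter.
            if not driver.lower().startswith(DRIVER_DIR):
                findings.append(
                    f"[driver] driver loaded from unusual path {driver} "
                    f"(signed={ev.get('Signed')}, signer={ev.get('Signature')})"
                )
    return findings


# Constructed sample telemetry: one benign browser launch plus an installer chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\Telegram_zh_CN_LanguagePack.msi"'},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\MSI7F3A.tmp\install.vbs"},
    {"EventID": 1, "ProcessId": 4150, "ParentProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\tgupdate.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "zpaqfranz.exe",
     "CommandLine": r"tgupdate.exe x C:\Users\alice\AppData\Local\Temp\lang.zpaq"},
    {"EventID": 1, "ProcessId": 4160, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn TelegramLang /tr "C:\ProgramData\tg\lang.exe" /sc onlogon'},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 900,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "chrome.exe", "CommandLine": "chrome.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\tg\helper.sys",
     "Signed": "true", "Signature": "Example Hardware Vendor Ltd", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Against the sample data the script reports four findings and stays silent on the browser launch. The driver heuristic deliberately ignores the signature fields: a legitimately signed but vulnerable driver passes a signature check, so in production the hash from the Event ID 6 record should additionally be compared against a vulnerable-driver blocklist such as the Microsoft recommended driver block rules.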
For end users, the safest move is simple. Do not install Telegram language packs, patches, or add-ons from random sites, forums, or file-sharing pages. Use the software vendor’s official channel only, and treat localization packages from third-party sources as risky by default.
Quick facts
- The lure reportedly impersonates a Telegram Chinese language pack installer.
- The payload is ValleyRAT, a Windows remote access trojan linked to Silver Fox activity.
- The campaign reportedly uses a multi-stage MSI infection chain with unpacking and decryption steps.
- Silver Fox has a documented history of using fake software sites and driver abuse in earlier campaigns.
FAQ
ValleyRAT is a Windows remote access trojan linked to Silver Fox operations. It can provide persistent remote access and support data theft, surveillance, and further compromise activity.
Public reporting says yes, but the technical details currently available in open search mostly come through secondary reporting that cites researcher analysis. I did not find a public primary write-up from Breakglass Intelligence while preparing this article.
Silver Fox is a Chinese-nexus threat cluster also known in public reporting as Void Arachne, SwimSnake, and UTG-Q-1000. Researchers have linked it to repeated malware campaigns that use fake software, phishing, and driver abuse to infect victims in Asia.
Download Telegram and any related language or setup files only from official sources, avoid third-party software portals, and treat unexpected MSI installers as suspicious. Organizations should also monitor software installation events and block risky unsigned or unapproved installers where possible.