Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

July 16, 2026

SANS Warns of AI Governance Gap as Use by Security Teams Surges

July 16, 2026
Facebook X (Twitter) Instagram
Thursday, July 16
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic
News

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

Team-CWDBy Team-CWDJuly 16, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON.

Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure, which compromises multiple distributors.

“These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families,” QiAnXin said.

One such campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. MODBEACON’s requested command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare’s Content Delivery Network (CDN).

The distributor is assessed to be a hybrid threat actor, acting as a composite of “cybercriminal arms dealer” and “traffic broker.” One arm of its operations involves expanding its infection footprint across Asia through daily SEO operations for fraud business, while the other focuses on propagating advanced trojans, or renting high-value access to downstream customers, or establishing “criminal-on-criminal” schemes targeting the Cambodian gambling sector.

The newly discovered campaign combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection on infected hosts. The memory-resident malware functions as a remote implant capable of fetching additional modules, running operator commands, and maintaining encrypted communications with attacker infrastructure.

“The Trojan is a professional and private C2 framework: the loader and beacon are separated, the configuration is injectable, the beacon employs a plugin-based architecture (native-v3 plugins with entry/init/fini RVA), and it uses gRPC tunnel streaming for communication,” QiAnXin explained. “The overall engineering quality is high. Its core highlight is the reuse of the transport layer from an open-source anti-censorship proxy framework (Xray/V2Ray) as its C2 channel.”

Like previous campaigns attributed to the Silver Fox intrusion ecosystem, the attack chain uses counterfeit domains advertising bogus installers for popular domestic software as lures to trick unsuspecting users into downloading malicious ZIP archives responsible for deploying the malware.

The core capabilities of MODBEACON include –

  • Fingerprinting the host
  • Loading plugins in memory
  • Sending heartbeat messages
  • Reporting the results of command execution
  • Setting persistence using scheduled tasks

“This capability can be used for subsequent on-demand expansion of information theft, lateral movement, proxy forwarding, or other payloads,” QiAnXin said.

The disclosure comes amid a gradual broadening of Silver Fox’s arsenal, which has deployed malware families tracked as Atlas RAT, ABCDoor, RomulusLoader, and SilentRunLoader, indicating that the threat actor is actively refining its tradecraft.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleSANS Warns of AI Governance Gap as Use by Security Teams Surges
Next Article Modular macOS Stealer Uses Kill Loops to Force Password Entry
Team-CWD
  • Website

Related Posts

News

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026
News

SANS Warns of AI Governance Gap as Use by Security Teams Surges

July 16, 2026
News

Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs

July 16, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Here’s how to avoid a ‘second strike’

April 11, 2026

A stealthy RAT burrowing deep into Android devices

May 26, 2026

How to help older family members avoid scams

October 31, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.