New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

https://thehackernews.com/2026/07/new-modbeacon-rat-uses-grpc-streaming.html

Publish Date: 2026-07-10 09:15:00

Source Domain: thehackernews.com

Ravie LakshmananJul 10, 2026Malware / Enterprise Security

The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON.

Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure, which compromises multiple distributors.

“These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families,” QiAnXin said.

One such campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. MODBEACON’s requested command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare’s Content Delivery Network (CDN).

The distributor is assessed to be a hybrid threat actor, acting as a composite of “cybercriminal arms dealer” and “traffic broker.” One arm of its operations involves expanding its infection footprint across Asia through daily SEO operations for fraud business, while the other focuses on propagating advanced trojans, or renting high-value access to downstream customers, or establishing “criminal-on-criminal” schemes targeting the Cambodian gambling sector.

The newly discovered campaign combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection on infected hosts. The memory-resident malware functions as a remote implant capable of fetching additional modules, running operator commands, and maintaining encrypted communications with attacker infrastructure.

“The Trojan is a professional and private C2 framework: the loader and beacon are separated, the…

Source