{"id":288110,"date":"2026-07-10T09:15:00","date_gmt":"2026-07-10T13:15:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/10\/new-modbeacon-rat-uses-grpc-streaming-for-encrypted-c2-traffic\/"},"modified":"2026-07-10T17:40:06","modified_gmt":"2026-07-10T21:40:06","slug":"new-modbeacon-rat-uses-grpc-streaming-for-encrypted-c2-traffic","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/10\/new-modbeacon-rat-uses-grpc-streaming-for-encrypted-c2-traffic\/","title":{"rendered":"New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/new-modbeacon-rat-uses-grpc-streaming.html\">New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/new-modbeacon-rat-uses-grpc-streaming.html\">https:\/\/thehackernews.com\/2026\/07\/new-modbeacon-rat-uses-grpc-streaming.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-10 09:15:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Jul 10, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Enterprise Security<\/span><\/p>\n<p>The China-linked cybercrime group known as <strong>Silver Fox<\/strong> has been attributed to a new Rust-based remote access trojan (RAR) called <strong>MODBEACON<\/strong>.<\/p>\n<p>Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure, which compromises multiple distributors.<\/p>\n<p>&#8220;These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families,&#8221; QiAnXin said.<\/p>\n<p>One such campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. MODBEACON&#8217;s requested command-and-control (C2) infrastructure is hosted on Amazon and Cloudflare&#8217;s Content Delivery Network (CDN).<\/p>\n<p>The distributor is assessed to be a hybrid threat actor, acting as a composite of &#8220;cybercriminal arms dealer&#8221; and &#8220;traffic broker.&#8221; One arm of its operations involves expanding its infection footprint across Asia through daily SEO operations for fraud business, while the other focuses on propagating advanced trojans, or renting high-value access to downstream customers, or establishing &#8220;criminal-on-criminal&#8221; schemes targeting the Cambodian gambling sector.<\/p>\n<p>The newly discovered campaign combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection on infected hosts. The memory-resident malware functions as a remote implant capable of fetching additional modules, running operator commands, and maintaining encrypted communications with attacker infrastructure.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"785\" data-original-width=\"1368\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgwAzKrmZ3t5tWfoBOn9nGVogfS5gMgnKK2YZcRl5VV33zCax0-xBlkeuYaShQezBelYRCOkjFtGhPk4shpXRBmLzMJp67KtLWQVchV_vRYzn7Wv2vXfd_zHBfVyTdVIjD7UyXTdnKcDYWTi7xn8MVdlBKBljrBgHByLxemMTPVTRAY8Qk0OIQ5Zf22tRm0\/s1600\/code-exe.png\"\/><\/p>\n<p>&#8220;The Trojan is a professional and private C2 framework: the loader and beacon are separated, the&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/new-modbeacon-rat-uses-grpc-streaming.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic https:\/\/thehackernews.com\/2026\/07\/new-modbeacon-rat-uses-grpc-streaming.html Publish Date: 2026-07-10 09:15:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":288111,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjKTCUzhkUq2Y7DPv0yS2FatrHQTcHfupRly6f5kSWyQU-So3FOjpC8pt_VKR4qo1SoUGR65ycOEQonbW5heKWj1g_A8qDy69YtWGZDO4m2t46Sip-jdPAlNs2fpRj-w1yd8WpyJpNFUpj1iTBO0X6fy3n9DJ4aEdsWaQz_tN-VV-PxDrufKZR9wkznmXJQ\/s1600\/MODBEACON.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,34],"class_list":["post-288110","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/288110"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=288110"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/288110\/revisions"}],"predecessor-version":[{"id":288112,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/288110\/revisions\/288112"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/288111"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=288110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=288110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=288110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}