DEV Community

Mark0
Mark0

Posted on

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

A China-linked cybercrime group known as Silver Fox has been identified leveraging a new Rust-based remote access trojan (RAT) called MODBEACON. While the group might appear to use low-sophistication techniques like SEO poisoning with counterfeit installers, their operations are backed by a complex organizational structure involving multiple distributors across Asia. These distributors are engaged in campaigns that deliver variants of Gh0st RAT and WinOS (ValleyRAT), and now the modular MODBEACON, primarily targeting technology, education, and state-owned enterprises.

MODBEACON itself is described as a professional, private C2 framework with high engineering quality, utilizing a plugin-based architecture and gRPC tunnel streaming for encrypted communications. Its C2 infrastructure is hosted on Amazon and Cloudflare CDNs, and it reuses the transport layer from open-source anti-censorship proxy frameworks. The attack chain consistently employs counterfeit domains and bogus software installers to lure victims, deploying the malware via malicious ZIP archives.

The RAT's core capabilities include host fingerprinting, in-memory plugin loading, heartbeat messaging, command execution reporting, and persistence through scheduled tasks. This allows for future expansion into information theft, lateral movement, or proxy forwarding. This discovery highlights Silver Fox's continuous effort to refine its tradecraft and expand its arsenal, which previously included malware families like Atlas RAT, ABCDoor, RomulusLoader, and SilentRunLoader.


Read Full Article

Top comments (0)