Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
New MODBEACON RAT Leverages Encrypted C2 Traffic

New MODBEACON RAT Leverages Encrypted C2 Traffic

Posted on July 10, 2026 By CWS

The cybercrime group Silver Fox, known for its links to China, is being held responsible for a new remote access trojan (RAT) termed MODBEACON, developed using the Rust programming language. This development was disclosed by the Chinese cybersecurity firm QiAnXin, highlighting the sophisticated nature of the group’s operations.

Despite appearing as a low-grade operation, Silver Fox’s activities involve distributing malware through fake installers, utilizing SEO poisoning as a technique to spread their reach. QiAnXin points out that the group operates through a network of multiple distributors across Asia, using deceptive software installers to push variants of the Gh0st RAT and WinOS (ValleyRAT) trojan families.

MODBEACON’s Advanced Infrastructure

In mid-June 2026, a new campaign was detected, wherein a distributor used an undocumented modular RAT to target sectors such as technology, education, and state-owned enterprises. MODBEACON’s command-and-control (C2) infrastructure is strategically hosted on platforms like Amazon and Cloudflare’s Content Delivery Network (CDN).

The distributor functions as a hybrid threat actor, blending roles as a ‘cybercriminal arms dealer’ and ‘traffic broker.’ Their operations expand across Asia, focusing on daily SEO-driven fraud activities and disseminating advanced trojans. They also engage in rental of high-value access and establishing schemes targeting sectors like the Cambodian gambling industry.

Technical Architecture of MODBEACON

The campaign employs social engineering alongside custom malware and post-compromise tools to secure persistent access while avoiding detection. The malware resides in memory and acts as a remote implant, capable of loading additional modules, executing commands, and maintaining secure, encrypted communications.

QiAnXin describes the Trojan as a comprehensive C2 framework with separate loader and beacon components. The beacon utilizes a plugin-based architecture and relies on gRPC tunnel streaming for communication. Notably, it repurposes an open-source anti-censorship proxy framework’s transport layer as its C2 channel, demonstrating high engineering quality.

Impact and Future Outlook

Silver Fox’s latest campaign continues their trend of using counterfeit domains and fake installers to lure victims into downloading malicious ZIP files. The MODBEACON RAT is equipped with capabilities like host fingerprinting, in-memory plugin loading, heartbeat messaging, and scheduled task-based persistence.

The RAT’s functionalities support further information theft, lateral movement, proxy forwarding, and additional payloads. This disclosure highlights Silver Fox’s ongoing efforts to enhance their cyber arsenal, incorporating malware families like Atlas RAT, ABCDoor, RomulusLoader, and SilentRunLoader, indicating a continuous refinement of their malicious strategies.

The Hacker News Tags:C2 traffic, Cybercrime, Cybersecurity, gRPC, MODBEACON, QiAnXin, RAT, Rust-based malware, SEO poisoning, Silver Fox

Post navigation

Previous Post: CitrixBleed 2: Swift Path to Ransomware Threat
Next Post: Okta Alerts on Vishing Threat to Microsoft 365 Users

Related Posts

Preinstalled Apps on Ulefone, Krüger&Matz Phones Let Any App Reset Device, Steal PIN Preinstalled Apps on Ulefone, Krüger&Matz Phones Let Any App Reset Device, Steal PIN The Hacker News
Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto The Hacker News
Ex-Developer Jailed Four Years for Sabotaging Ohio Employer with Kill-Switch Malware Ex-Developer Jailed Four Years for Sabotaging Ohio Employer with Kill-Switch Malware The Hacker News
The Unusual Suspect: Git Repos The Unusual Suspect: Git Repos The Hacker News
AI Tools Fuel Threat Actor’s Breach of 600 FortiGate Devices AI Tools Fuel Threat Actor’s Breach of 600 FortiGate Devices The Hacker News
Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed
  • Windows Shortcuts Exploit PowerShell for Remote Attacks
  • Okta Alerts on Vishing Threat to Microsoft 365 Users

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed
  • Windows Shortcuts Exploit PowerShell for Remote Attacks
  • Okta Alerts on Vishing Threat to Microsoft 365 Users

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark