This Silver Fox campaign represents a concerning trend in malware distribution, where threat actors increasingly rely on social engineering rather than technical exploits to achieve initial compromise, making user education and awareness crucial components of organizational cybersecurity strategies. The Silver Fox threat actors have developed an intricate attack chain that leverages social engineering tactics to deliver the notorious Winos Trojan, representing a significant evolution in malware distribution techniques that exploit users’ trust in legitimate web services.

Knownsec 404 team researchers identified this campaign as part of a broader Silver Fox operation that has been active since 2024, with the threat actors demonstrating remarkable adaptability in their social engineering approaches. The researchers noted that this particular variant represents a significant departure from traditional malware distribution methods, as it specifically targets users seeking translation services and productivity tools.

The attack methodology centers around creating convincing replicas of widely-used applications and websites, with attackers establishing fake Google Translate portals, currency converters, and software download pages for popular applications like WPS Office. A sophisticated malware campaign has emerged targeting unsuspecting users through weaponized versions of popular online tools, particularly Google Translate interfaces.

Upon successful installation, the malware deploys multiple components including javaw.exe, Microsoftdata.exe, and various supporting files that establish persistent access to compromised systems. Analysis reveals that the final payload contains references to “RexRat4.0.3” in its program database, indicating the use of commercially available remote access tools that have been repurposed for cybercriminal activities.
The malicious script creates hidden input elements and attempts to fetch configuration data from remote JSON files before displaying fake Flash update notifications.
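As an added example (not code from the report or from the Knownsec 404 team), here is a static triage of saved page source for the three behaviours described above: hidden input elements, a fetch of remote JSON configuration, and a fake Flash update prompt. The regexes, function names and both sample pages are constructed assumptions, since the report gives no script source or URLs.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns (assumptions for illustration, not signatures from the report).
HIDDEN_CREATE = re.compile(
    r"""createElement\(\s*["']input["']\s*\)[\s\S]{0,200}?"""
    r"""(?:type\s*=\s*["']hidden["']|setAttribute\(\s*["']type["']\s*,\s*["']hidden["'])""", re.I)
JSON_FETCH = re.compile(
    r"""(?:fetch|\.open)\s*\([^)]*?["']([^"']+\.json(?:\?[^"']*)?)["']""", re.I)
# Flash reached end of life in 2020, so any prompt to update it is a lure.
FLASH_LURE = re.compile(
    r"flash\s*(?:player|plugin)?[^<]{0,60}(?:out of date|update|upgrade)"
    r"|(?:update|upgrade|install)[^<]{0,60}flash", re.I)

class _PageScan(HTMLParser):
    """Separates script bodies from visible text and counts static hidden inputs."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.text, self.hidden = False, [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "hidden":
            self.hidden += 1
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)

def triage(html):
    """Report which of the three described behaviours appear in saved page source."""
    p = _PageScan()
    p.feed(html)
    js, everything = "\n".join(p.scripts), "\n".join(p.scripts + p.text)
    r = {"hidden_input": p.hidden > 0 or bool(HIDDEN_CREATE.search(js)),
         "json_fetch": JSON_FETCH.findall(js),
         "flash_lure": bool(FLASH_LURE.search(everything))}
    # Hidden inputs and JSON fetches are routine on benign pages; flag only the combination.
    r["suspicious"] = bool(r["hidden_input"] and r["json_fetch"] and r["flash_lure"])
    return r

# Constructed sample pages (not captured from the campaign).
LURE_PAGE = """<html><body><h1>Translate</h1><script>
var i = document.createElement('input'); i.type = 'hidden'; document.body.appendChild(i);
fetch('https://cdn.example.invalid/data/conf.json').then(r => r.json()).then(c => {
  i.value = c.url; showBox('Your Flash Player is out of date. Click Update to continue.'); });
</script></body></html>"""
BENIGN_PAGE = """<html><body><form><input type="hidden" name="csrf" value="x"></form>
<script>fetch('/api/rates.json').then(r => r.json()).then(render);</script></body></html>"""
```

The benign sample trips two of the three checks, which is why the verdict requires all of them together.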
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 01 Aug 2025 00:15:19 +0000