Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic: A Threat Analysis



New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic: A Threat Analysis
A recent report by Chinese cybersecurity company QiAnXin highlights the emergence of a new remote access trojan (RAR) known as MODBEACON, attributed to the China-linked cybercrime group Silver Fox. This latest threat actor employs sophisticated and encrypted command-and-control (C2) framework utilizing gRPC streaming for secure communication.

  • The new remote access trojan (RAR) called MODBEACON has been attributed to the China-linked cybercrime group Silver Fox.
  • Silver Fox employs a sophisticated and highly encrypted command-and-control (C2) framework using gRPC streaming for secure communication.
  • The true organizational structure of Silver Fox is more complex than initially thought, with distributors conducting activities across Asia using counterfeit software installers.
  • A distributor delivered a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in mid-June 2026.
  • The MODBEACON RAT combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection on infected hosts.



  • The cybersecurity landscape has recently been rocked by the emergence of a new remote access trojan (RAR) known as MODBEACON, which has been attributed to the China-linked cybercrime group known as Silver Fox. According to a recent report by Chinese cybersecurity company QiAnXin, this latest threat actor employs a sophisticated and highly encrypted command-and-control (C2) framework that utilizes gRPC streaming for secure communication.

    The report highlights that despite initial appearances suggesting a low-sophistication, high-activity operation, the true organizational structure of Silver Fox is far more complex. The company notes that these distributors conduct activities across Asia using counterfeit software installers distributed through search engine optimization (SEO) campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families.

    One notable campaign observed in mid-June 2026 involved a distributor delivering a previously undocumented modular RAT targeting technology, education, and state-owned enterprises in the country. The distributor is assessed to be a hybrid threat actor, acting as both a "cybercriminal arms dealer" and "traffic broker." This dual role involves expanding the infection footprint across Asia through daily SEO operations for fraud business, while the other focuses on propagating advanced trojans or renting high-value access to downstream customers.

    The newly discovered campaign combines social engineering, custom malware, and post-compromise tooling to establish long-term access while minimizing detection on infected hosts. The memory-resident malware functions as a remote implant capable of fetching additional modules, running operator commands, and maintaining encrypted communications with attacker infrastructure.

    "It's a professional and private C2 framework: the loader and beacon are separated, the configuration is injectable, the beacon employs a plugin-based architecture (native-v3 plugins with entry/init/fini RVA), and it uses gRPC tunnel streaming for communication," QiAnXin explained. "The overall engineering quality is high. Its core highlight is the reuse of the transport layer from an open-source anti-censorship proxy framework (Xray/V2Ray) as its C2 channel."

    This report provides a comprehensive analysis of the MODBEACON RAT and its associated threat actor, highlighting the complexities and sophistication of this latest threat in the cybersecurity landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-MODBEACON-RAT-Uses-gRPC-Streaming-for-Encrypted-C2-Traffic-A-Threat-Analysis-ehn.shtml

  • https://thehackernews.com/2026/07/new-modbeacon-rat-uses-grpc-streaming.html


  • Published: Fri Jul 10 08:56:09 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us