Back to Intelligence

MODBEACON RAT: Detecting Silver Fox's Rust-Based gRPC C2 Infrastructure

SA
Security Arsenal Team
July 10, 2026
7 min read

The threat landscape has shifted again with the emergence of MODBEACON, a new Rust-based Remote Access Trojan (RAT) attributed to the China-aligned threat cluster Silver Fox. While Silver Fox has historically operated with a "low-sophistication" veneer—relying heavily on SEO poisoning and counterfeit installers—the technical reality of their latest toolkit is far more concerning.

MODBEACON represents a significant evolution in their tradecraft. By adopting the Rust programming language and leveraging gRPC (Google Remote Procedure Call) streaming for Command and Control (C2), the actors have effectively obfuscated their network traffic behind encrypted, web-protocol facades. This creates a dual challenge for defenders: detecting the initial delivery via socially engineered fake software and identifying the subtle, persistent outbound connections that blend in with legitimate application traffic.

Technical Analysis

Delivery Vector: SEO Poisoning & Counterfeit Installers Silver Fox continues to rely on driving traffic to malicious domains through Search Engine Optimization (SEO) poisoning. Victims searching for legitimate software (e.g., VPN clients, productivity tools, or cracked utilities) are redirected to sites hosting counterfeit installers. These installers serve as the dropper for the MODBEACON payload.

Payload Characteristics: Rust-Based Evasion The malware is written in Rust, a choice that complicates static analysis and reverse engineering. Rust binaries are generally harder to decompile than those written in C/C++, and they offer memory safety features that reduce the likelihood of crashes during execution. This ensures the malware remains stable across a wide range of victim environments.

C2 Communications: gRPC Streaming The most critical technical differentiator of MODBEACON is its use of gRPC over HTTP/2 for C2 communications. Unlike traditional HTTP(S) BEACONing which may be easier to fingerprint via specific User-Agent strings or URL patterns, gRPC uses Protocol Buffers (Protobuf) for serialization and transmits data over a single persistent HTTP/2 connection.

  • Encryption: The traffic is typically wrapped in TLS, making it indistinguishable from standard HTTPS traffic without deep packet inspection (DPI).
  • Streaming: gRPC allows for bidirectional streaming. This enables the actor to issue commands and receive exfiltrated data continuously over a single TCP connection, reducing the network "noise" associated with frequent polling.
  • Evasion: Because gRPC is increasingly used in modern cloud-native applications, blocking it wholesale is not an option for most businesses. The traffic effectively hides in plain sight, often masquerading as legitimate API calls to services like Google or internal microservices.

Affected Platforms While Rust is cross-platform, Silver Fox's current campaign focuses primarily on Windows environments. The counterfeit installers are typically Windows executables (.exe).

Detection & Response

Detecting MODBEACON requires a multi-layered approach focusing on the delivery vector (unsigned binaries spawned from browsers) and the network behavior (unsigned processes initiating connections on common gRPC ports).

Sigma Rules

YAML
---
title: Potential MODBEACON Fake Installer Execution
id: 9a1f2e3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b
status: experimental
description: Detects the execution of unsigned binaries spawned from web browsers, a common Silver Fox delivery vector for counterfeit installers.
references:
 - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/07/08
tags:
 - attack.initial_access
 - attack.t1566.001
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|endswith:
     - '\chrome.exe'
     - '\firefox.exe'
     - '\msedge.exe'
     - '\opera.exe'
   Image|endswith: '.exe'
   Signed: false
 condition: selection
falsepositives:
 - Legitimate software downloads from reputable vendors
level: high
---
title: Suspicious Unsigned Process gRPC Network Activity
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects unsigned processes establishing outbound connections on ports commonly used for gRPC (e.g., 8080, 9090, 50051) or standard ports from user directories.
references:
 - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/07/08
tags:
 - attack.command_and_control
 - attack.t1071.001
logsource:
 category: network_connection
 product: windows
detection:
 selection:
   Initiated: true
   DestinationPort:
     - 443
     - 8080
     - 8443
     - 9090
     - 50051
   Image|contains: '\Users\'
 filter:
   Signed: true
 condition: selection and not filter
falsepositives:
 - Local development tools or internal applications using gRPC
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for unsigned executables spawned by browsers
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("chrome.exe", "msedge.exe", "firefox.exe", "opera.exe")
| where FileName endswith ".exe"
| where isnull(Signer) or Signer != "Microsoft Windows Compatibility Publisher" // Filter out OS trusted binaries loosely, adjust based on environment
| project Timestamp, DeviceName, AccountName, FileName, SHA256, InitiatingProcessFileName
| extend SuspiciousScore = iff(isnull(Signer), 10, 0)
| order by SuspiciousScore desc


// Hunt for outbound gRPC-like connections from unsigned processes in user paths
DeviceNetworkEvents
| where Timestamp > ago(3d)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (443, 8080, 8443, 9090, 50051)
| where DeviceName startswith "DESKTOP" or DeviceName startswith "LAPTOP" // Adjust to naming convention
| join kind=inner DeviceProcessEvents on $left.DeviceId == $right.DeviceId, $left.InitiatingProcessId == $right.ProcessId
| where isnull(Signer) or SigningStatus != "Valid"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, RemoteUrl, RemotePort, RemoteIP, SigningStatus

Velociraptor VQL

VQL — Velociraptor
-- Hunt for unsigned executables in user directories with active network connections
SELECT Pid, Name, Exe, Username, Cmdline
FROM pslist()
WHERE Exe =~ 'C:\Users\.*\.exe'
  AND NOT SigInfo.Signer = 'Microsoft Windows'
  AND NOT SigInfo.Status = 'Valid'
-- Pivot to network connections for these processes
SELECT Net.RemoteAddress, Net.RemotePort, Net.State, P.Name, P.Pid
FROM foreach(row={
    SELECT Pid
    FROM pslist()
    WHERE Exe =~ 'C:\Users\.*\.exe' AND (NOT SigInfo.Signer = 'Microsoft Windows' OR SigInfo.Status != 'Valid')
}, query={
    SELECT *
    FROM netstat(pid=Pid)
    WHERE State = 'ESTABLISHED' AND (RemotePort = 443 OR RemotePort = 8080 OR RemotePort = 9090)
})

Remediation Script

PowerShell
<#
.SYNOPSIS
    MODBEACON Remediation and Hunt Script.
.DESCRIPTION
    Scans for recently created executables in user profiles and checks for valid digital signatures.
    Identifies potential Silver Fox counterfeit installers.
#>

$DateThreshold = (Get-Date).AddDays(-7)
$UserProfiles = Get-ChildItem "C:\Users\" -Directory

$SuspiciousFiles = @()

foreach ($Profile in $UserProfiles) {
    $Paths = @(
        "$($Profile.FullName)\Downloads",
        "$($Profile.FullName)\AppData\Local\Temp",
        "$($Profile.FullName)\Desktop"
    )

    foreach ($Path in $Paths) {
        if (Test-Path $Path) {
            Write-Host "Scanning $Path..."
            $Files = Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue | 
                     Where-Object { $_.LastWriteTime -gt $DateThreshold }

            foreach ($File in $Files) {
                $Sig = Get-AuthenticodeSignature -FilePath $File.FullName
                if ($Sig.Status -ne 'Valid') {
                    $SuspiciousFiles += [PSCustomObject]@{
                        File = $File.FullName
                        Created = $File.CreationTime
                        SignatureStatus = $Sig.Status
                        Signer = $Sig.SignerCertificate.Subject
                    }
                    # Optional: Quarantine logic here
                    # Remove-Item -Path $File.FullName -Force -WhatIf
                }
            }
        }
    }
}

if ($SuspiciousFiles.Count -gt 0) {
    Write-Host "[!] Found suspicious unsigned executables created in the last 7 days:" -ForegroundColor Red
    $SuspiciousFiles | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious unsigned executables found." -ForegroundColor Green
}

Remediation

  1. Isolate and Re-image: If a MODBEACON infection is confirmed, isolate the endpoint immediately. Due to the stealthy nature of Rust-based malware and potential persistence mechanisms, reimaging the compromised host is the recommended remediation path.

  2. Block Malicious Domains: Update your web proxy and DNS filtering solutions (e.g., Cisco Umbrella, Palo Alto) to block domains identified in the Silver Fox campaign (refer to specific IOCs from the QiAnXin report).

  3. Enable SSL/TLS Inspection: gRPC traffic is encrypted. To detect the protocol fingerprint inside the TLS payload, you must enable SSL/TLS decryption on your next-generation firewall (NGFW). Without this, MODBEACON traffic will look identical to legitimate web traffic.

  4. Application Whitelisting: Enforce strict application control policies (e.g., AppLocker or Windows Defender Application Control) to prevent the execution of unsigned binaries from user profile directories (%USERPROFILE%), specifically Downloads and AppData\Local\Temp.

  5. User Awareness: Reinforce security awareness training regarding the risks of downloading software from unofficial sources. Educate users on identifying SEO poisoning tactics (e.g., skewed search results, misspelled domains).

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchsilver-foxmodbeacon-ratgrpc-evasionrust-malwaresoc-detection

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.