返回 TI 主页

Background

"Silver Fox / UTG-Q-1000" has long been regarded as a byword for low-sophistication, high-activity cybercriminal operations that distribute counterfeit software via SEO channels. However, behind the scenes lies an organizational structure resembling foreign Malware-as-a-Service (MaaS), composed of multiple distributors. These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Ghost and WinOS (ValleyRat) trojan families. In 2025, we countered one such distributor[1], whose remote-control objective was limited to delivering fraud links in IM group chats, with no involvement in information theft or political motives.

In mid-June 2026, the Red Raindrop Team at Qianxin Threat Intelligence Center detected, through its private intelligence AI production pipeline, a Ghost distributor delivering a highly modular special trojan written in Rust to specific targets. Based on its distinctive string characteristics, we named the trojan MODBEACON. Its victim targeting is highly customized, spanning sectors including technology, education, and state-owned enterprises:

MODBEACON's requested C2 domains are hosted on Amazon CDN and Cloudflare CDN. The trojan is a professional and private C2 framework: the loader and beacon are separated, the configuration is injectable, the beacon employs a plugin-based architecture (native-v3 plugins with entry/init/fini RVA), and it uses gRPC tunnel streaming for communication. The overall engineering quality is high. Its core highlight is the reuse of the transport layer from an open-source anti-censorship proxy framework (Xray/V2Ray) as its C2 channel (xray.transport.internet.grpc.encoding.GRPCService/Tun) — a protocol originally designed to disguise VMess/VLESS/Trojan proxy protocol data streams as ordinary gRPC bidirectional streaming calls, causing the traffic to appear at the network layer as standard HTTP/2 + gRPC requests, thereby evading blocking and inspection based on traffic characteristics.

In subsequent attribution efforts against this Ghost distributor, we further discovered that it also conducts "black-on-black" operations targeting Cambodia's gambling industry. The lure naming style is notably similar to what we disclosed during the GoldenEye Dog[2] and GoldenFinger Dog[3] campaigns. Combined with its behavior of filtering targets by specific industries and delivering MODBEACON with tiered privileges, the distributor's motives can no longer be explained by purely economic objectives. There may be outsourced political intent behind its activities, which has sparked our strong interest in this distributor.

The Qianxin SkyEye "Liuhe" Advanced Threat Defense Engine is already capable of intercepting MODBEACON stage shellcode:


Silver Fox Ghost Distributor Attribution

The Ghost C2s involved in delivering MODBEACON are as follows:

  • www.nd9c887r.com
  • www.damaix9k.com
  • vaeth.cn
  • 182.16.88.242
  • kkuu8899.org

Based on on-site investigation of download records, we identified the upstream counterfeit domains and download links:

- -
SEOCampaign Counterfeit Domains
cn-mumu.com.cn
Download Link
https://asd268668.oss-ap-southeast-1.aliyuncs.com/MeiqiWintsetup_x64.zip

Metadata-based pivoting revealed that this batch of counterfeit domains became active as early as September 2025. The involved counterfeit domains are as follows:

VirusTotal data also shows that this distributor's daily activities mainly involve counterfeiting popular domestic software, with a large number of government and enterprise entities compromised.

Based on MODBEACON's domains, we correlated another batch of Ghost lures. The filenames mostly use Cambodian anti-scam park crackdowns and public security incidents as hooks, featuring high timeliness and sensationalism: Poipet (a border scam hub), Sihanoukville, Phnom Penh, as well as corresponding Khmer-language versions.

In assessing the nature of this distributor, we lean toward classifying it as a Hybrid Threat Actor — a composite of "cybercriminal arms dealer" and "traffic broker." On one hand, it accumulates a large number of controlled endpoints across Asia through daily SEO operations for fraud business. On the other hand, it delivers advanced custom trojans on demand, "renting" or "packaging and selling" high-value access to downstream, more professional "client entities," or establishing its own "black-on-black squads" targeting high-value gambling victims.


MODBEACONAnalysis

In addition to creating persistence for MODBEACON through traditional methods such as services and scheduled tasks, Ghost also establishes a WMI permanent subscription event to create a CBPUserTimer timer that launches the MODBEACON trojan:

The sample is a memory-resident stage/implant for Windows x64, written in Rust or statically linked with the Rust runtime. It features gRPC over HTTP/2 communication, TLS connections, host fingerprinting, agent token authentication, heartbeat, status reporting, command result reporting, in-memory plugin loading, and native-v3 plugin session capabilities. Based on the string MODBEACON_AGENT_TOKEN_PATCH_V1, we named the trojan MODBEACON.

C2/Endpoint

1.https://api.skystackservice.com

  • Offset:0x79708
  • Code reference:0x32160

2.https://api.fast-cloud-node.com

  • Offset:0x79727
  • Code references:0x321820x5ab99,with an indirect reference near 0x0dc5a

Agent Token / Hash

b68e2067cc88985339154ef7b9674fa1fe958039ce15a8820195217495cded7994d660f181fe1367337ac8d6b372473c596be3f40ee989007bad57c2736be017

  • Length:128 hex chars
  • Location:Immediately following the two HTTPS endpoints, starting at approximately 0x79746

Mutex / Environment Variables

  • Global\\CBP\.QZKVM\.Exe\.Mutex,offset 0x7159c
  • CBPUserSvc,offset 0x71578
  • APP\_RUNTIME,offset 0x71582
  • APP\_EXE\_PATH,offset 0x7158c
  • MODBEACON\_AGENT\_TOKEN\_PATCH\_V1,offset 0x7fc98

Protocol / Service Names

  • /xray\.transport\.internet\.grpc\.encoding\.GRPCService/Tun
  • xray\.transport\.internet\.grpc\.encoding\.GRPCService
  • Tun
  • x\-agent\-token
  • application/grpc
  • grpc\-status
  • grpc\-message
  • grpc\-timeout

Control Flow Overview

Initialization and Single Instance

Near 0x149a, 0x17ce, and 0x170a, RIP-relative references to CBPUserSvc, APP_RUNTIME, and Global\CBP.QZKVM.Exe.Mutex are visible. The import table contains CreateMutexW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetModuleFileNameW, and other APIs. The inferred initialization flow is:

  1. Read runtime environment variables and program path.
  2. Create Global\CBP.QZKVM.Exe.Mutex to prevent multiple instances.
  3. Initialize runtime, thread, and network components via Windows APIs.

C2 Configuration Selection and Token Patch

Near 0x32120, a function contains concentrated references to the default C2 and token patch strings:

  • 0x32160 uses a RIP-relative address to load the configuration near https://api.skystackservice.com.
  • 0x32182 loads the configuration near https://api.fast-cloud-node.com.
  • 0x321b8 references MODBEACON_AGENT_TOKEN_PATCH_V1, followed by a 0x200-byte loop-check logic, suspected to read/overwrite the built-in agent token.

This function has a large stack frame, consistent with the morphology of Rust configuration construction, string objects, and error-handling paths. Combined with the strings parse grpc endpoint, connect grpc endpoint, and invalid agent token metadata, it can be determined that this function is responsible for parsing endpoints, constructing token metadata, and selecting an available C2.


gRPC / TLS Communication Flow

The string pool starting at 0x794c8 provides main flow status text:

  • parse grpc endpoint
  • connect grpc endpoint
  • build native TLS connector
  • queue hello
  • invalid agent token metadata
  • x\-agent\-token
  • open grpc tun stream
  • read hello ack
  • read server frame
  • grpc response stream ended
  • heartbeat timeout
  • grpc response stream ended before hello ack

This indicates the communication flow is:

  1. Parse the built-in HTTPS C2.
  2. Establish a native TLS connector.
  3. Open a bidirectional tunnel using the gRPC Tun service.
  4. Carry x-agent-token in the metadata.
  5. Send hello and wait for HelloAck.
  6. Maintain heartbeat.
  7. Receive server frames and dispatch commands.
  8. Upload status refresh and command execution results.

The import table simultaneously contains WSAStartup, WSASocketW, connect, send, recv, shutdown, CertGetCertificateChain, CertVerifyCertificateChainPolicy, InitializeSecurityContextW, EncryptMessage, DecryptMessage, supporting the above network/TLS assessment.


Host Fingerprinting

Near 0x465c5, there is a reference to SOFTWARE\Microsoft\Cryptography\MachineGuid. The string pool also contains:

  • COMPUTERNAME
  • HOSTNAME
  • USERNAME
  • USERLOGNAME
  • SystemRoot
  • windir
  • SystemDrive
  • platform
  • system\-disk
  • host\-user
  • windows\-system\-volume:

It is inferred that this stage collects host unique identifiers, username, hostname, system directories, and disk information, used for agent registration, generating check-in status, or environment tags.


Command and Plugin Dispatch

Protobuf/gRPC semantic strings are located at 0x7b600+:

  • Command
  • command\_id
  • HelloAck
  • Heartbeat
  • ConfigSync
  • LoadPlugin
  • UnloadPlugin
  • StatusRefresh
  • PluginSessionFrame
  • artifact\_bytes
  • artifact\_format
  • sha256
  • target
  • source\_flag

Near 0x44003, PluginSessionFrame is referenced multiple times; near 0x4475f, LoadPlugin-related enums/fields are referenced multiple times, indicating that server frames are parsed and routed into different command-handling branches.


Native-v3 In-Memory Plugin Loading

The string pool at 0x79900-0x7a758 contains the complete native-v3 loader error path:

  • load plugin artifact
  • load native\-v3 plugin module
  • plugin loaded in memory
  • plugin reloaded in memory
  • plugin unloaded
  • native\-v3 plugin on\_load failed
  • native\-v3 plugin on\_session is missing
  • artifact target architecture does not match this agent
  • segment protection failed
  • relocation overflow
  • entry rva is not executable
  • segment cannot be writable and executable

This indicates that the sample supports receiving native-v3 format plugins from the C2, allocating images in memory, verifying architecture, mapping segments, applying relocations, setting memory protections, and calling plugin entry/session callbacks. This capability can be used for subsequent on-demand expansion of information theft, lateral movement, proxy forwarding, or other payloads.


Summary

Currently, based on threat intelligence data from Qianxin Threat Intelligence Center, all product lines — including the Qianxin Threat Intelligence Platform (TIP), SkyEye, SkyEye Advanced Threat Detection System, Qianxin NGSOC, and Qianxin Situational Awareness — have already enabled precise detection for this type of attack.


IOC

MODBEACON-MD5:

13aff4f82171d42e7f0a72dc96346c45

f6c69d8026d2114e5322f06f69471a6c

9913b09fddbe47d4459c1ae0aa8c4953

e32797efc17c8a9a663f6f0e64fcfa08

MODBEACON C2:

skystackservice.com

fast-cloud-node.com

ghost C2:

www.nd9c887r.com

www.damaix9k.com

vaeth.cn

182.16.88.242:22

kkuu8899.org


References

[1] https://mp.weixin.qq.com/s/BUDSvqc_DhBNad71kI2VuA

[2] https://ti.qianxin.com/blog/articles/operation-dragon-breath-(apt-q-27)-dimensionality-reduction-blow-to-the-gambling-industry/

[3] https://www.secrss.com/articles/27069

MALWARE MODBEACON UTG-Q-1000