← Back to blog

MODBEACON RAT Leverages gRPC for Stealthy Command and Control

A new Rust-based remote access trojan dubbed MODBEACON is being used by the China-linked Silver Fox group. It employs gRPC streaming to encrypt its command-and-control traffic, evading traditional detection methods.

TL;DR

  • Silver Fox deploys MODBEACON, a Rust-based RAT with advanced C2 capabilities.
  • The malware uses gRPC streaming to encrypt communications and avoid detection.
  • Infection occurs through SEO-poisoned fake software installers.
  • QiAnXin researchers uncovered the group's more sophisticated infrastructure behind a deceptive low-sophistication facade.
  • Organizations should monitor for unusual gRPC traffic patterns as part of threat hunting.

Cybersecurity researchers have identified a new remote access trojan (RAT) named MODBEACON, linked to the China-associated threat actor Silver Fox. Unlike typical malware, MODBEACON is built using the Rust programming language and leverages gRPC streaming for encrypted communication with its command-and-control (C2) servers.

While initial infection vectors rely on common social engineering tactics such as SEO poisoning and counterfeit software installers, the underlying infrastructure reveals a higher level of operational sophistication. This suggests that what appears to be a noisy, low-skill campaign may actually mask more strategic objectives.

Technical Features of MODBEACON

  • Written in Rust, offering memory safety and cross-platform compatibility.
  • Uses gRPC over HTTP/2 for bidirectional streaming, blending in with legitimate traffic.
  • Employs encryption within the gRPC layer to obfuscate malicious payloads.
  • Capable of executing shell commands, file transfers, and keylogging.
  • Communicates with C2 servers using dynamically generated endpoints to evade static detection rules.

Detection and Mitigation Strategies

  • Monitor network traffic for anomalous gRPC activity originating from client endpoints.
  • Implement deep packet inspection (DPI) to analyze HTTP/2 streams for behavioral anomalies.
  • Use endpoint detection and response (EDR) tools to flag unsigned or unusual process executions.
  • Train staff to recognize SEO-poisoned search results leading to malicious downloads.
  • Maintain up-to-date browser and OS patches to limit exploitability of known vulnerabilities.

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

MODBEACON RAT Leverages gRPC for Stealthy Command and Control — Agent Breach Blog | Agent Breach