🟠 High  |  Source: The Hacker News


A China-linked threat group called Silver Fox has deployed a new Rust-based remote access trojan named MODBEACON, which uses gRPC streaming to disguise its command-and-control traffic as legitimate encrypted communications. The malware is distributed via fake software installers promoted through SEO poisoning. Despite appearing unsophisticated, the group demonstrates significant operational organisation, making detection and attribution more difficult.

Security Architect’s Take: Review egress controls and TLS inspection policies to ensure gRPC traffic on port 443 is inspected or allowlisted only for trusted endpoints — MODBEACON exploits the assumption that gRPC traffic is benign. Additionally, enforce software installation controls (e.g. allowlisting) on cloud-connected workstations to block counterfeit installers reaching your estate.

Original advisory: New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic