Chinese hackers use malware disguised as imaging viewers to steal patient data
A cybercriminal group backed by the Chinese government is using fake medical imaging software to compromise patients’ computers.
An investigation by Forescout, a cybersecurity company that helps businesses and government agencies manage cyber risk and protect their networks, recently uncovered dozens of malware samples disguised as legitimate DICOM (Digital Imaging and Communications in Medicine) viewers and other trusted healthcare applications. The software, deployed between July 2024 and January 2025, was primarily disguised as Philips’ DICOM MediaViewerLauncher.exe, a trusted program that lets patients view their medical imaging on their own personal servers.
Attackers trick users into downloading the software. Once it is executed, the malware uses built-in Windows tools to establish a connection with a command-and-control server. After that access is obtained, additional malicious programs masquerading as image files, such as ValleyRAT, a remote access tool (RAT), are downloaded onto patients’ computers. This effectively gives the hackers access to all of the patient’s personal data available on that server.
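One defender-side check that follows from the behaviour described above: a payload that is merely renamed to look like an image still carries its real file header, so an ".jpg" or ".dcm" file whose first bytes are a Windows PE "MZ" header is a strong indicator of a disguised executable. The script below is an added example written for this article, not code from Forescout or from the report; the magic-byte table, the sample files it builds, and the verdict names are all constructed for illustration.

```python
"""Flag files whose image-type extension does not match their content.

Added defensive example, not taken from the Forescout report. A disguised
payload renamed to .jpg/.png/.dcm keeps its real header, so a file with an
image extension that begins with the PE 'MZ' signature is suspicious.
"""
import os
import tempfile
from pathlib import Path

# Expected leading bytes for a few common image formats.
# Assumption: this small table is illustrative, not exhaustive.
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".bmp": [b"BM"],
}
PE_MAGIC = b"MZ"              # DOS/PE executable header
DICOM_PREAMBLE_LEN = 128      # DICOM Part 10 files: 128-byte preamble ...
DICOM_PREFIX = b"DICM"        # ... followed by the 4-byte 'DICM' prefix


def classify_file(path):
    """Return 'ok', 'pe_disguised', 'mismatch' or 'unknown_ext' for one file."""
    ext = Path(path).suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(DICOM_PREAMBLE_LEN + len(DICOM_PREFIX))

    if ext == ".dcm":
        if head[DICOM_PREAMBLE_LEN:DICOM_PREAMBLE_LEN + 4] == DICOM_PREFIX:
            return "ok"
        return "pe_disguised" if head.startswith(PE_MAGIC) else "mismatch"

    if ext not in IMAGE_MAGIC:
        return "unknown_ext"
    if any(head.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return "ok"
    # Content does not match the claimed image type; call out PE headers explicitly.
    return "pe_disguised" if head.startswith(PE_MAGIC) else "mismatch"


def scan_directory(root):
    """Walk root and return {relative_path: verdict} for every file found."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            verdicts[os.path.relpath(full, root)] = classify_file(full)
    return verdicts


def build_sample_tree():
    """Create constructed sample files in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="dicom_scan_")
    samples = {
        "scan.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,          # genuine PNG header
        "study.dcm": b"\x00" * 128 + b"DICM" + b"\x02\x00" * 8,   # genuine DICOM layout
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,                 # PE file renamed to .jpg
        "logo.gif": b"NOTAGIF" + b"\x00" * 16,                     # wrong header, not PE
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, verdict in sorted(scan_directory(sample_root).items()):
        if verdict != "ok":
            print(f"{verdict:13s} {rel}")
```

Run it as-is to see the two suspicious constructed files flagged; point scan_directory at a download folder to apply the same check to real files. A header check like this is cheap and catches the crude renaming the article describes, but it is not a substitute for verifying the publisher signature on the viewer executable itself.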
The group responsible for these attacks is known as Silver Fox. Forescout has indicated that Silver Fox could be an Advanced Persistent Threat group posing as a financially motivated threat group. Previously, the group targeted government entities and cybersecurity organizations, but Forescout suggests its latest move into patient health could signal an attempt at widespread malware infiltration.
Currently, there is no evidence to suggest that any of Philips’ medical devices or systems have been hacked, just patients’ personal servers.
“While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant,” explained Forescout. “In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.”
It is not yet fully understood how the malware spreads, but in the past the group has used SEO poisoning and phishing campaigns. Experts are concerned that the group may be expanding its reach. Historically, it has singled out Chinese-speaking targets, but more recently submissions that appear to come from the United States and Canada have been discovered.
Learn more from Forescout’s report here.