Chinese hackers use malware disguised as imaging viewers to steal patient data

A cybercriminal group backed by the Chinese government is using fake medical imaging software to compromise patients’ computers. 

An investigation by Forescout—a cybersecurity company that helps businesses and government agencies manage cyber risk and protect their networks—recently uncovered dozens of malware samples disguised as legitimate DICOM (Digital Imaging and Communications in Medicine) viewers and other trusted healthcare applications. The software, which was deployed between July 2024 and January 2025, was primarily disguised as Philips’ DICOM MediaViewerLauncher.exe—a trusted program that enables patients to view their medical imaging on their own personal servers. 

Attackers trick users into downloading the software. Once executed, the malware uses built-in Windows tools to establish a connection with a command-and-control server. Once access is obtained, additional malicious programs masquerading as image files, such as the remote access tool (RAT) ValleyRAT, are downloaded onto patients’ computers. This effectively gives hackers access to all of the patients’ personal data available on their server.

The group responsible for executing these cyber threats is known as Silver Fox. Forescout has indicated that Silver Fox could be an advanced persistent threat (APT) group posing as a financially motivated threat group. Previously, the group targeted government entities and cybersecurity groups, but its latest move into patient health could signal that it is attempting widespread malware infiltration, Forescout suggests.

Currently, there is no evidence to suggest that any of Philips’ medical devices or systems have been hacked, just patients’ personal servers.  

“While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant,” explained Forescout. “In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.” 

It is not yet fully understood how the malware spreads, but in the past, the group has deployed SEO poisoning and phishing campaigns. Experts are concerned that the group may be expanding its reach. Historically, it has singled out Chinese-speaking targets, but more recently, submissions that appear to come from the United States and Canada have been discovered.

Learn more from Forescout’s report here. 

Hannah Murphy

In addition to her background in journalism, Hannah also has patient-facing experience in clinical settings, having spent more than 12 years working as a registered rad tech. She began covering the medical imaging industry for Innovate Healthcare in 2021.
