Security researchers have uncovered a new remote access trojan (RAT) called MODBEACON, a highly modular malware believed to be used by a Silver Fox-linked Ghost malware distributor. The malware was discovered during investigations into targeted attacks against organizations in Asia. Unlike common malware that spreads widely, MODBEACON appears to be deployed only against selected victims, including organizations in the technology, education, and state-owned enterprise sectors. Its advanced design and targeted nature suggest that it is intended for high-value cyber espionage and long-term operations.

modbeacon-rat-grpc-http2-c2-communication

One of the biggest features of MODBEACON is the way it communicates with its command-and-control (C2) servers. Instead of using traditional malware communication methods, it relies on gRPC bidirectional streaming over HTTP/2, protected by TLS encryption. Researchers found that the malware reuses the transport layer of the open-source Xray/V2Ray framework, making its network traffic appear like normal gRPC communications. Because the traffic closely resembles legitimate encrypted network activity, it becomes much harder for security tools to identify and block the malicious connection.

The malware is written in Rust, giving it improved stability and making reverse engineering more difficult. Researchers found that MODBEACON follows a professional architecture where the loader and the main beacon are separated. Its configuration can be injected dynamically, allowing operators to modify behavior without rebuilding the malware. The beacon itself supports a plugin-based structure, meaning attackers can extend its capabilities whenever required without replacing the entire malware on an infected system.

modbeacon-rat-trojan-malware-cyberattack

During execution, MODBEACON gathers information about the infected computer to uniquely identify the victim. It collects details such as the computer name, username, Windows Machine GUID, system directories, storage information, and other host identifiers. The malware then establishes a secure TLS connection with its C2 server, authenticates using an embedded agent token, exchanges an initial “hello” message, and maintains communication through heartbeat messages. This allows attackers to continuously monitor compromised systems while securely sending commands and receiving responses.

Researchers also found that MODBEACON supports in-memory plugin loading, allowing additional modules to run without writing them to the hard drive. Plugins are delivered directly from the C2 server, verified, mapped into memory, and executed inside the infected process. This design enables attackers to introduce new capabilities such as information theft, lateral movement, proxy services, or other post-compromise actions whenever needed. Since these plugins operate entirely in memory, they leave fewer forensic traces and are harder for traditional security products to detect.

modbeacon-rat-rust-programming-language

To maintain persistence, the malware uses multiple techniques that help it survive system reboots. Besides creating services and scheduled tasks, researchers observed that it establishes a permanent Windows Management Instrumentation (WMI) event subscription that automatically launches the malware through a timer mechanism. The malware also creates a mutex to prevent multiple copies from running simultaneously and checks runtime environment variables before initializing its networking and communication components.

The investigation also revealed that the operators behind MODBEACON are connected to a Ghost malware distribution network that has historically delivered fake software installers through SEO poisoning campaigns. During the latest investigation, researchers discovered additional lures targeting Cambodia’s gambling industry, with filenames referencing current security incidents and anti-scam operations. Based on the victim selection, customized malware deployment, and operational behavior, researchers believe the activity may extend beyond financially motivated cybercrime and could involve outsourced politically motivated operations or hybrid threat activity.

modbeacon-rat-cyber-espionage-hacker

Researchers have already identified multiple infrastructure indicators linked to the campaign, including dedicated C2 domains and Ghost distribution servers. Security products developed by the reporting organization have been updated to detect and block MODBEACON activity. The researchers advise organizations to monitor for suspicious gRPC-over-HTTP/2 traffic, unusual WMI persistence, in-memory plugin loading behavior, and other indicators associated with the malware. The discovery highlights how modern threat actors continue adopting legitimate technologies and encrypted communication methods to make their malware more difficult to detect while maintaining long-term access to targeted systems.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news