Silver Fox APT & PowerG flaws expose key security risks
NCC Group has published new findings on the activity of the advanced persistent threat group known as Silver Fox and disclosed four security flaws affecting a Johnson Controls wireless building security radio protocol used across residential and commercial deployments.
The threat intelligence research describes an exposed web panel that investigators link to Silver Fox operations. NCC Group said the panel tracked backdoored installer applications used in ongoing campaigns.
Silver Fox activity
NCC Group said the group's most recent observed activity used search engine optimisation techniques to deliver backdoored installers for Microsoft Teams. The research also points to the use of "false flags" that investigators believe aimed to impersonate a Russian-speaking threat group.
The firm said its analysis of link management infrastructure provided further artefacts associated with that hypothesis. It said the campaign aligns with previous third-party assessments that characterised the activity as a false-flag operation.
NCC Group said the operators used Cyrillic file names. The researchers said this appeared intended to mimic a Russian-speaking threat actor's tradecraft.
In its research, NCC Group said it observed SEO poisoning used to distribute backdoored installers of at least 20 widely used applications. It said the list includes communication tools, virtual private network products and productivity applications.
The research said the campaigns primarily targeted Chinese-speaking individuals and organisations in China. It said it also identified additional victims across Asia-Pacific, Europe and North America.
NCC Group said it observed infections dating back to July 2025. It said it identified additional victims during follow-on analysis of infrastructure and samples associated with the campaigns.
NCC Group said the observed samples delivered malware consistent with ValleyRAT behaviour. It described ValleyRAT as a modular Remote Access Trojan linked to Silver Fox. It said supporting infrastructure sat in Asia.
The company said the research reinforces industry guidance on risk exposure. It said organisations with Chinese-speaking employees or operations in China face elevated risk from the campaign, regardless of sector.
Building security protocol
Separately, NCC Group disclosed four vulnerabilities affecting the PowerG building security radio protocol used in Johnson Controls devices. The protocol is used in products deployed in homes and commercial premises, including alarm and access control environments.
PowerG features in a range of peripherals and sensors. "PowerG is used in devices such as motion detectors, cameras, smoke detectors, sirens, and smart locks," said James Chambers, Senior Security Consultant, NCC Group.
NCC Group said it reported the vulnerabilities to the US Cybersecurity and Infrastructure Security Agency. The issues include weaknesses affecting network encryption keys and device identity controls, as well as a cryptographic reuse problem and predictable radio behaviour, according to Chambers.
"Two of the vulnerabilities (CVE-2025-61738 and CVE-2025-26379) expose the PowerG network encryption keys. Affected IQPanel control panel devices generate network keys in a predictable way based on their serial number, making it easy to guess or determine the network key (CVE-2025-26379). An attacker within radio reception range can also intercept the network keys whenever a device is paired to a PowerG network because the keys are sent to the pairing device in cleartext (CVE-2025-61738)," said Chambers.
Chambers said an attacker who obtains those keys could read and inject traffic on the network. He said the protocol lacks cryptographic device identity proof. That creates opportunities for impersonation across a network, according to his analysis.
"With the network keys, an attacker can decrypt any message sent on the PowerG network, and send their own encrypted messages. As the protocol does not support any cryptographic proof of a device's identity (CVE-2025-61740), the attacker can pretend to be any device on the network when sending messages; for example, they could pretend to be the main control panel sending configuration, or disarm, or unlock messages to peripherals. This results in a total loss of network security," said Chambers.
Chambers also described a weakness tied to periodic re-use of cryptographic parameters. He said this could allow replay of captured messages on a repeating schedule and could also affect radio channel hopping behaviour.
"PowerG's cryptography also has a weakness where parameters that should only be used once are re-used every 36 hours (CVE-2025-61739). This means an attacker can replay captured messages every 36 hours without knowing the network keys, and potentially modify those replayed messages. The radio channel hopping sequence will also repeat every 36 hours," said Chambers.
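The failure Chambers describes, where "use-once" parameters repeat on a schedule so that captured frames can be replayed and potentially modified without the network key, is the general nonce-reuse weakness of stream ciphers. The Python demonstration below is added here and is not NCC Group's code or PowerG's real cipher: it assumes HMAC-SHA256 as a stand-in keystream generator, a constructed wrapping counter standing in for the 36-hour period and constructed message bytes, and places a hardened receiver (authentication tag plus strictly increasing nonce) beside the unauthenticated scheme.

```python
import hmac
import hashlib

# Constructed 128-bit demo key; not a real PowerG network key.
NET_KEY = bytes(range(16))
PERIOD = 36  # constructed counter period standing in for the 36-hour schedule

def nonce_from_counter(counter: int) -> int:
    """A wrapping counter: the 'use-once' value repeats every PERIOD ticks."""
    return counter % PERIOD

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 as a PRF). PowerG's real cipher is
    not described on the page; any stream mode shares the properties shown."""
    out = b""
    for block in range((length + 31) // 32):
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_unauthenticated(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    """Encrypt-only: no tag, so a receiver cannot tell a replayed or
    bit-flipped frame from a genuine one, and a reused nonce leaks
    plaintext relations (c1 XOR c2 == p1 XOR p2) without the key."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

decrypt_unauthenticated = encrypt_unauthenticated  # XOR is its own inverse

def tag(key: bytes, nonce: int, ct: bytes) -> bytes:
    """Tag over nonce and ciphertext under a separately derived MAC key."""
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, nonce.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def encrypt_authenticated(key: bytes, nonce: int, plaintext: bytes):
    ct = encrypt_unauthenticated(key, nonce, plaintext)
    return nonce, ct, tag(key, nonce, ct)

class HardenedReceiver:
    """Verifies the tag before decrypting and only accepts a strictly
    increasing nonce, so replays and wrapped counters are both dropped."""
    def __init__(self, key: bytes):
        self.key, self.last_nonce = key, -1

    def accept(self, nonce: int, ct: bytes, t: bytes):
        if not hmac.compare_digest(tag(self.key, nonce, ct), t):
            return None  # modified frame or forged tag
        if nonce <= self.last_nonce:
            return None  # replayed frame, or counter wrapped back
        self.last_nonce = nonce
        return decrypt_unauthenticated(self.key, nonce, ct)
```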
NCC Group said mitigation depends on product and deployment constraints. "Mitigation requires updating device firmware where possible, and in some cases total replacement of the affected devices," said Chambers.