Mallory

Silver Fox Phishing Campaign Targets Indian Organizations With ValleyRAT

Tags: phishing-campaign-intelligence, remote-access-implant, loader-delivery-mechanism, persistence-method, financial-sector-threat

Updated March 21, 2026 at 02:59 PM (2 sources)

The Chinese threat actor known as Silver Fox has launched a targeted phishing campaign against Indian organizations, using income tax-themed emails to deliver the modular remote access trojan ValleyRAT. Attackers impersonate the Indian Income Tax Department, sending emails with decoy PDF attachments that, when opened, direct victims to a malicious website hosting a ZIP archive. This archive contains a disguised installer that leverages DLL hijacking, specifically abusing a legitimate executable (thunder.exe) and a malicious DLL (libexpat.dll), to establish persistent access and evade detection. The campaign demonstrates a sophisticated multi-stage infection chain, with the initial payload acting as a loader for subsequent malware modules designed to maintain deep access to compromised systems.

Researchers from CloudSEK have attributed this campaign to Silver Fox, correcting previous misattributions to other threat groups. The group, also known as SwimSnake and Void Arachne, has expanded its targeting beyond Chinese-speaking entities to include Indian public, financial, medical, and technology sectors. The use of socially engineered tax documents and trusted file formats highlights the attackers' ability to bypass traditional security controls, while the complex kill chain and modular malware architecture underscore the evolving threat posed by Silver Fox to Indian organizations.

Timeline

  1. Dec 29, 2025

    CloudSEK attributes Indian campaign to Silver Fox

    CloudSEK analysts attributed the tax-themed attacks on Indian organizations to Silver Fox, correcting earlier misattributions. The reporting highlighted the group's use of false-flag tactics to complicate attribution.

  2. Dec 29, 2025

    Attack chain deploys ValleyRAT via DLL hijacking and in-memory execution

    In the India-focused campaign, attackers used a legitimate executable together with a malicious DLL to achieve DLL hijacking, anti-analysis evasion, and process injection or hollowing. The infection chain deployed ValleyRAT, disabled Windows Update, and stored configuration data in the Windows registry for persistence and stealth.

  3. Dec 29, 2025

    Silver Fox launches India-focused tax phishing campaign

    Silver Fox began targeting Indian entities with phishing emails impersonating Income Tax Department communications. The lures directed victims to download a malicious executable disguised as a tax-related file.

  4. Dec 29, 2025

    Silver Fox expands beyond Chinese-speaking targets

    Silver Fox broadened its operations from primarily targeting Chinese-speaking victims to organizations across multiple regions and sectors worldwide, including public, financial, medical, and technology entities. The group used phishing, SEO poisoning, and fake software installer sites to distribute malware.
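As an added, defender-side example (not tooling from CloudSEK, Mallory, or the report's sources), the Python below shows how the two host behaviours named in the summary and timeline above could be hunted for in Sysmon-style telemetry: the legitimate `thunder.exe` loading `libexpat.dll` from a user-writable location such as a Downloads folder (the DLL hijacking described), and registry writes that switch off Windows Update. The event lines, file paths, and the `key=value|key=value` record format are constructed for the example; the two Windows Update registry values are assumptions about how such tampering could appear, since the report does not say which values the malware changes.

```python
"""Hunt for DLL side-loading and Windows Update tampering in Sysmon-style events.

Added illustrative example for this write-up, not the reporting vendor's code.
Event lines, paths and the record format are constructed; the registry values
under WU_TAMPER_KEYS are assumed examples, not values taken from the report.
"""
import re
from dataclasses import dataclass

# Locations an attachment-delivered installer typically executes from.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp|desktop)\\", re.I)

# (loading executable, loaded DLL) pairs named in the report; extend locally.
SIDELOAD_PAIRS = {("thunder.exe", "libexpat.dll")}

# Registry values whose change disables Windows Update (assumed examples).
WU_TAMPER_KEYS = (
    r"\software\policies\microsoft\windows\windowsupdate\au\noautoupdate",
    r"\system\currentcontrolset\services\wuauserv\start",
)

# Constructed sample telemetry: one suspicious image load, one benign load of
# the same pair from an install directory, one registry write, one unrelated event.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Users\\ravi\\Downloads\\IncomeTax\\thunder.exe"
    "|ImageLoaded=C:\\Users\\ravi\\Downloads\\IncomeTax\\libexpat.dll",
    "EventID=7|Image=C:\\Program Files\\Thunder\\thunder.exe"
    "|ImageLoaded=C:\\Program Files\\Thunder\\libexpat.dll",
    "EventID=13|TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows"
    "\\WindowsUpdate\\AU\\NoAutoUpdate|Details=DWORD (0x00000001)",
    "EventID=1|Image=C:\\Windows\\explorer.exe",
]


@dataclass
class Finding:
    kind: str    # "dll_sideload" or "windows_update_tamper"
    detail: str  # the path or registry value that triggered the finding


def parse_event(line):
    """Split a constructed 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def basename(path):
    """Case-folded final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return findings for side-loading and update-tampering indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "7":  # Sysmon image load: Image = process, ImageLoaded = DLL
            pair = (basename(ev["Image"]), basename(ev["ImageLoaded"]))
            # Only the known pair loaded from a user-writable path is flagged,
            # so the same executable in its install directory stays quiet.
            if pair in SIDELOAD_PAIRS and USER_WRITABLE.match(ev["ImageLoaded"]):
                findings.append(Finding("dll_sideload", ev["ImageLoaded"]))
        elif eid == "13":  # Sysmon registry value set
            target = ev["TargetObject"].lower()
            if any(target.endswith(key) for key in WU_TAMPER_KEYS):
                findings.append(Finding("windows_update_tamper", ev["TargetObject"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.kind}: {f.detail}")
```

The path heuristic is deliberately narrow: the report names the executable and DLL, and what distinguishes the hijack from a normal load is the DLL sitting beside the executable in an attachment-extraction location rather than in an install directory. In production the pair list would be fed from EDR telemetry and the registry list from the organization's own baseline.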

Related Stories

Silver Fox Targets Japanese Firms With Tax-Season Phishing and ValleyRAT

Silver Fox is running a targeted spearphishing campaign against Japanese manufacturers and other businesses by exploiting the annual tax filing period and March organizational changes. The attacker is sending localized emails that spoof real employees or senior executives, often include the victim company’s name in the subject line, and use believable HR and finance pretexts such as tax compliance violations, salary adjustments, and personnel changes. The messages push recipients to open malicious attachments or download files from public hosting services including `gofile[.]io` and WeTransfer, commonly delivered in ZIP or RAR archives. The campaign delivers **ValleyRAT** (`Win64/Valley`), a remote access trojan that enables remote control, persistence, information theft, user monitoring, and possible lateral movement inside compromised environments. ESET said it observed examples of the phishing emails in mid-March and linked the activity to a broader Silver Fox operation active since at least 2023, which has expanded from Chinese-speaking targets into Southeast Asia, Japan, and possibly North America. Researchers said the timing mirrors activity seen during the same seasonal window last year, suggesting the group deliberately aligns attacks with predictable business cycles to improve success rates.

4 days ago
SilverFox Expands ValleyRAT and Gh0stRAT Campaigns Against Chinese-Speaking Targets

Breakglass Intelligence linked multiple March and April malware waves to the **SilverFox** threat actor, describing a broad Chinese-language campaign built around **ValleyRAT** on the `Winos4.0` framework and supported by **Gh0stRAT** and **RustyStealer**. The operation used emotionally charged lures tied to layoffs, disciplinary notices, scam-compound violence, banking fraud, censorship-bypass tools, fake utilities, and business apps, with delivery through WinRAR self-extracting archives, MSI and ZIP packages, DLL sideloading, process hollowing, and staged downloads. One ValleyRAT chain disguised itself as a WeChat-related document, extracted files into `C:\WeChat\`, launched a legitimate WeChat binary as a decoy, and then decrypted and injected the payload while applying Chinese-locale geofencing, anti-VM, and anti-debug checks. Researchers said the malware families provided complementary functions including remote access, keylogging, screenshot capture, clipboard hijacking, credential theft, and persistence, and that targeting extended from mainland Chinese users to diaspora communities, Taiwanese organizations, and some healthcare entities in North America. The infrastructure behind the campaign scaled rapidly, with reporting tying the activity to **22 to 75 command-and-control endpoints** and more than 17 domains across Alibaba Cloud, Tencent Cloud, AWS Hong Kong, Vultr, Azure, Huawei Cloud, and other providers, with Hong Kong serving as a major hub. Analysts connected the clusters through shared protocol behavior, mutexes, ValleyRAT DLL exports, recurring registrar patterns, use of the `codemark` builder variant, and repeated OPSEC failures including exposed RDP services, self-signed certificates, Python SimpleHTTP payload hosting, a Windows host identified as `TEDDY2012`, and domain registration details that appeared to expose operator identity. 
Separate reporting also described a related **Gh0stRAT/Farfli** "WisemanSupport" campaign using TCP/6658 and hardcoded infrastructure, reinforcing the continued use of Chinese-nexus RAT tooling and overlapping tradecraft in active intrusion operations.

1 week ago
ValleyRAT Malware Campaigns Targeting Chinese Organizations and Job Seekers

Threat actors have launched multiple campaigns distributing the ValleyRAT remote access trojan (RAT), targeting both organizations in China and job seekers. In one campaign, the group known as Silver Fox used search engine optimization (SEO) poisoning and fake Microsoft Teams installers to lure Chinese-speaking users, including those in Western companies operating in China, into downloading a trojanized setup file. The installer, disguised with Russian linguistic elements to mislead attribution, deploys ValleyRAT, which enables remote control, data exfiltration, and persistent access to infected systems. The malware loader checks for security software like 360 Total Security and manipulates Microsoft Defender exclusions to evade detection. A separate ValleyRAT campaign has been observed targeting job seekers via malicious emails that leverage a weaponized Foxit PDF Reader for DLL side-loading. This campaign uses social engineering to trick users into executing the malware, which then allows attackers to monitor activity, steal sensitive data, and potentially compromise HR professionals as well. Both campaigns demonstrate a high level of sophistication, utilizing layered obfuscation, dynamic execution techniques, and strategic targeting to maximize infection rates and evade security controls. Security vendors have updated detection and hunting capabilities to address these threats, emphasizing the need for vigilance among organizations and individuals alike.

1 month ago