
Silver Fox Targets Japanese Firms With Tax-Season Phishing and ValleyRAT

Tags: phishing-campaign-intelligence, remote-access-implant, identity-impersonation-fraud, initial-access-method, persistence-method
Updated April 28, 2026 at 01:02 PM (6 sources)

Silver Fox is running a targeted spearphishing campaign against Japanese manufacturers and other businesses by exploiting the annual tax filing period and March organizational changes. The attacker is sending localized emails that spoof real employees or senior executives, often include the victim company’s name in the subject line, and use believable HR and finance pretexts such as tax compliance violations, salary adjustments, and personnel changes. The messages push recipients to open malicious attachments or download files from public hosting services including gofile[.]io and WeTransfer, commonly delivered in ZIP or RAR archives.
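The lure described above combines several cheap, checkable signals: a known executive's name on an address outside the company, the company's own name in the subject, tax or HR wording, and either an archive attachment or a link to a public file host. The triage below is an added example, not tooling from ESET or the reporting summarized here; the sample messages, names, domains and the gofile link are constructed, and the reference sets (internal domains, executive names, weights) stand in for what a mail gateway would load from its own configuration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample (not taken from the ESET report). Names, domains and the link
# are hypothetical; the shape mirrors the lure: an executive's name on an external
# sender, the target company in the subject, an HR/tax pretext, a file-host link.
SAMPLE_EMAIL = """From: "Tanaka Hiroshi (CFO)" <tanaka.hiroshi@example-mail.test>
To: staff@contoso-seisakusho.test
Subject: [Contoso Seisakusho] Notice of tax compliance violation - action required
Content-Type: text/plain; charset="utf-8"

Please review the salary adjustment notice before the filing deadline.
Download: https://gofile.io/d/abc123
"""

# Tenant-specific reference data a gateway would load from its own config (hypothetical).
INTERNAL_DOMAINS = {"contoso-seisakusho.test"}
COMPANY_NAMES = {"contoso seisakusho"}
EXECUTIVE_NAMES = {"tanaka hiroshi"}
FILE_HOSTS = {"gofile.io", "wetransfer.com", "we.tl"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
PRETEXT_TERMS = ("tax", "salary", "personnel", "payroll", "compliance")
WEIGHTS = {
    "executive_impersonation": 2,
    "file_host_link": 2,
    "archive_attachment": 2,
    "company_in_subject": 1,
    "pretext": 1,
}
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def _is_file_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in FILE_HOSTS)


def score_message(raw: str) -> dict:
    """Return per-check findings, a weighted score and a verdict for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    findings = {k: False for k in WEIGHTS}

    # 1. Display name matches a known executive but the address is not ours.
    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        name = sender.display_name.lower()
        if any(e in name for e in EXECUTIVE_NAMES) and sender.domain.lower() not in INTERNAL_DOMAINS:
            findings["executive_impersonation"] = True

    # 2. Company name placed in the subject to make the mail look internal.
    findings["company_in_subject"] = any(c in subject for c in COMPANY_NAMES)

    # 3. Tax / HR / finance pretext wording in subject or body.
    text = subject + " " + body
    findings["pretext"] = any(term in text for term in PRETEXT_TERMS)

    # 4. Link to a public file-hosting service used to stage the archive.
    findings["file_host_link"] = any(_is_file_host(h) for h in URL_RE.findall(text))

    # 5. Archive attached directly to the message.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(ARCHIVE_EXTENSIONS):
            findings["archive_attachment"] = True

    score = sum(WEIGHTS[k] for k, hit in findings.items() if hit)
    return {"findings": findings, "score": score, "suspicious": score >= 3}


def build_archive_sample() -> str:
    """Second constructed sample: a bland HR pretext carrying a ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = '"HR Department" <hr@example-mail.test>'
    msg["To"] = "staff@contoso-seisakusho.test"
    msg["Subject"] = "Personnel change notice"
    msg.set_content("See the attached notice.")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="notice.zip")
    return msg.as_string()


if __name__ == "__main__":
    for sample in (SAMPLE_EMAIL, build_archive_sample()):
        print(score_message(sample))
```

The weights are deliberately tilted toward the delivery mechanics (external sender using an internal name, file-host link, archive attachment), since pretext words alone appear in plenty of legitimate HR mail. The display-name check is the part worth tuning per tenant: it needs a current executive list, and it should also cover lookalike spellings, which the example does not attempt.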

The campaign delivers ValleyRAT (Win64/Valley), a remote access trojan that enables remote control, persistence, information theft, user monitoring, and possible lateral movement inside compromised environments. ESET said it observed examples of the phishing emails in mid-March and linked the activity to a broader Silver Fox operation active since at least 2023, which has expanded from Chinese-speaking targets into Southeast Asia, Japan, and possibly North America. Researchers said the timing mirrors activity seen during the same seasonal window last year, suggesting the group deliberately aligns attacks with predictable business cycles to improve success rates.

Timeline

  1. Apr 19, 2026

    Technical details published on Silver Fox Rakuten invoice ValleyRAT chain

    Analysis of Silver Fox activity targeting Japan revealed a Japanese-language Rakuten invoice phishing lure delivering ValleyRAT via DLL sideloading through Dell MaxxAudio. The report also identified beaconing to a Hong Kong C2 server over port 886 and noted Gh0st RAT default configuration settings and fabricated WHOIS data tied to a Chinese registrant email.

  2. Apr 1, 2026

    Silver Fox launches broader Asia campaign with tax audit and fake update lures

    An April 2026 Silver Fox campaign targeted organizations across Asia using fake tax audit notices and counterfeit software update alerts delivered through phishing emails, shortcut files, and macro-enabled Office documents. Reporting said the operation used ValleyRAT, AtlasCross RAT, Catena loader, a Python-based stealer, signed remote management tools, and BYOVD techniques to disable antivirus and EDR defenses while expanding targeting to sectors including healthcare and finance.

  3. Mar 31, 2026

    Silver Fox linked to AtlasCross RAT fake-software campaign

    Hexastrike reported an active Silver Fox campaign targeting Chinese-speaking users via typosquatted domains impersonating trusted software brands. The operation delivered a newly documented malware family, AtlasCross RAT, through trojanized installers and fake download sites, marking an evolution beyond the group's previously reported ValleyRAT-focused activity.

  4. Mar 27, 2026

    ESET publicly reports Silver Fox campaign targeting Japan

    WeLiveSecurity published ESET's findings on a targeted March 2026 Silver Fox spearphishing campaign against Japanese businesses. The report detailed the use of tax-season lures, impersonation tactics, and ValleyRAT malware delivery.

  5. Mar 12, 2026

    Additional phishing activity observed in ongoing campaign

    ESET observed further Silver Fox spearphishing emails on the following day, indicating the campaign against Japanese businesses was ongoing. The messages continued using company-specific, tax- and HR-themed lures to infect victims with ValleyRAT.

  6. Mar 11, 2026

    Silver Fox sends tax-themed phishing emails to Japanese firms

    Examples observed by ESET show Silver Fox distributing localized spearphishing emails to Japanese organizations during tax season, impersonating employees or executives and using HR and finance themes to deliver ValleyRAT. The campaign used malicious attachments and links hosted on services such as gofile.io and WeTransfer.

  7. Mar 1, 2025

    Silver Fox runs similar seasonal operations in prior tax season

    Researchers observed that Silver Fox had already aligned operations with the same seasonal business period in the previous year, suggesting deliberate timing around tax and organizational change cycles. This established a pattern later seen again in 2026.

  8. Jan 1, 2025

    Silver Fox reportedly shifts toward APT-style espionage in South Asia

    Reporting described Silver Fox as moving during 2025-2026 from mainly financially motivated cybercrime toward more espionage-oriented operations. The activity was said to target entities in South Asia and continued to use tax-themed phishing lures and remote monitoring and management tools.

  9. Jan 1, 2025

    Silver Fox expands targeting into Japan and other regions

    Over time, Silver Fox expanded beyond its earlier focus to target organizations in Southeast Asia, Japan, and possibly North America across multiple sectors. This broader targeting was noted in ESET's analysis of the actor's evolution.

  10. Jan 1, 2023

    Silver Fox activity traced back to at least 2023

    ESET reported that the Silver Fox threat actor has been active since at least 2023. Its earlier operations primarily focused on Chinese-speaking targets before later geographic expansion.
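The Apr 19 entry above notes ValleyRAT beaconing to a Hong Kong C2 server over port 886. A RAT check-in on a fixed timer is separable from ordinary traffic by the regularity of its inter-arrival times rather than by the port alone. The detector below is an added example, not something from the cited reports: it groups flow records by (source, destination, port), computes the coefficient of variation of the gaps between connections, and flags groups that are both numerous and nearly periodic. The flow records are constructed, use documentation address ranges, and the thresholds are illustrative.

```python
from collections import defaultdict
from statistics import mean, pstdev

COMMON_PORTS = {80, 443}


def constructed_flows() -> list:
    """Constructed flow records, not real telemetry:
    (unix_time, src_ip, dst_ip, dst_port, bytes_out)."""
    base = 1_700_000_000
    flows = []
    # Shape 1: one workstation contacting one external host on TCP/886 about every
    # 60 s with a few seconds of jitter, the pattern a RAT check-in produces.
    for i, jitter in enumerate((0, 1, -1, 2, 0, -2, 1, 0, -1, 2, 1, 0)):
        flows.append((base + 60 * i + jitter, "10.0.5.23", "203.0.113.10", 886, 312))
    # Shape 2: ordinary browsing from another host, bursty and irregular.
    t = base
    for gap in (0, 7, 130, 4, 900, 22, 310, 1, 65):
        t += gap
        flows.append((t, "10.0.5.40", "198.51.100.5", 443, 4200))
    # Shape 3: too few connections to judge periodicity at all.
    for gap in (0, 60, 120):
        flows.append((base + gap, "10.0.5.23", "198.51.100.9", 443, 900))
    return flows


def find_beacons(flows, min_connections: int = 8, max_cv: float = 0.15) -> list:
    """Group flows by (src, dst, dport) and flag groups whose inter-arrival times
    are nearly constant: coefficient of variation (stdev / mean) <= max_cv."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _bytes in flows:
        by_tuple[(src, dst, dport)].append(ts)

    hits = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_connections:
            continue                      # not enough samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = float(mean(gaps))
        if avg <= 0:
            continue                      # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "key": key,
                "count": len(stamps),
                "mean_interval": avg,
                "cv": round(cv, 4),
                "nonstandard_port": key[2] not in COMMON_PORTS,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(constructed_flows()):
        print(hit)
```

A jittered implant widens the coefficient of variation, so in practice the threshold is set per environment and combined with the other attributes the reporting mentions (unusual destination port, a single external host, small constant payload sizes) rather than used alone; the `nonstandard_port` flag is there to make that second signal explicit.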


Related Stories

Silver Fox Phishing Campaign Targets Indian Organizations With ValleyRAT

The Chinese threat actor known as **Silver Fox** has launched a targeted phishing campaign against Indian organizations, using income tax-themed emails to deliver the modular remote access trojan **ValleyRAT**. Attackers impersonate the Indian Income Tax Department, sending emails with decoy PDF attachments that, when opened, direct victims to a malicious website hosting a ZIP archive. This archive contains a disguised installer that leverages DLL hijacking, specifically abusing a legitimate executable (`thunder.exe`) and a malicious DLL (`libexpat.dll`), to establish persistent access and evade detection. The campaign demonstrates a sophisticated multi-stage infection chain, with the initial payload acting as a loader for subsequent malware modules designed to maintain deep access to compromised systems. Researchers from CloudSEK have attributed this campaign to Silver Fox, correcting previous misattributions to other threat groups. The group, also known as SwimSnake and Void Arachne, has expanded its targeting beyond Chinese-speaking entities to include Indian public, financial, medical, and technology sectors. The use of socially engineered tax documents and trusted file formats highlights the attackers' ability to bypass traditional security controls, while the complex kill chain and modular malware architecture underscore the evolving threat posed by Silver Fox to Indian organizations.

1 month ago
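Both the Apr 19 timeline entry (ValleyRAT sideloaded through a Dell MaxxAudio component) and the Indian campaign above (`thunder.exe` loading a malicious `libexpat.dll`) rely on the same mechanic: a legitimately signed executable, dropped somewhere a user can write, loads a DLL from its own directory instead of the vendor's install path. The check below is an added example, not code from CloudSEK, ESET or any product; it runs over a constructed subset of the fields a Sysmon Event ID 7 (ImageLoaded) record carries, and every path, process and publisher name in the sample events is hypothetical.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 record. process_signed / process_signature
    are the same two fields resolved for the host process image."""
    pid: int
    image: str            # host process executable
    image_loaded: str     # DLL that was mapped
    signed: bool
    signature: str        # publisher name, "" when unsigned
    process_signed: bool
    process_signature: str


# Directories a standard user can write to; an executable running from one of these
# and loading a DLL beside itself is the sideloading shape we care about.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def constructed_events() -> list:
    """Constructed sample events; paths and publisher names are hypothetical."""
    dl = "C:\\Users\\taro\\Downloads\\invoice"
    pf = "C:\\Program Files\\Vendor A"
    return [
        # Signed vendor binary dropped into Downloads loads an unsigned DLL, with the
        # same name the real product ships, from its own directory.
        ImageLoad(4120, dl + "\\thunder.exe", dl + "\\libexpat.dll",
                  False, "", True, "Vendor A Ltd."),
        # Same process loading a system DLL from System32: normal.
        ImageLoad(4120, dl + "\\thunder.exe", "C:\\Windows\\System32\\kernel32.dll",
                  True, "Microsoft Windows", True, "Vendor A Ltd."),
        # The product installed where it belongs, loading its own signed helper.
        ImageLoad(2208, pf + "\\thunder.exe", pf + "\\libexpat.dll",
                  True, "Vendor A Ltd.", True, "Vendor A Ltd."),
        # Signed, but by someone else: a bought or stolen certificate still mismatches.
        ImageLoad(5012, dl + "\\updater.exe", dl + "\\version.dll",
                  True, "Other Signer Co.", True, "Vendor B Inc."),
    ]


def sideload_candidates(events) -> list:
    """Flag loads where a signed host in a user-writable directory maps a DLL from
    that same directory which is unsigned or signed by a different publisher."""
    hits = []
    for ev in events:
        proc_dir = ntpath.dirname(ev.image).lower()
        dll_dir = ntpath.dirname(ev.image_loaded).lower()
        if dll_dir != proc_dir:
            continue                  # DLL came from elsewhere (e.g. System32)
        if not ev.process_signed:
            continue                  # only trusted hosts being abused matter here
        if not (proc_dir + "\\").startswith(USER_WRITABLE_PREFIXES):
            continue                  # install dirs need admin rights; skip for noise
        if not ev.signed:
            reason = "unsigned DLL"
        elif ev.signature != ev.process_signature:
            reason = "publisher mismatch"
        else:
            continue                  # vendor loading its own signed component
        hits.append({"pid": ev.pid, "image": ev.image,
                     "image_loaded": ev.image_loaded, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in sideload_candidates(constructed_events()):
        print(hit)
```

The publisher-mismatch branch needs an allowlist in production: many legitimate applications ship Microsoft-signed runtime DLLs next to their own binary, so "signed by a different publisher" is only a strong signal once well-known redistributable signers are excluded. Restricting to user-writable directories is the other main noise control, and it is also why the Dell MaxxAudio and `thunder.exe` cases stand out: the victim never installed either product, so the host binary has no business running from a download folder.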
SilverFox Expands ValleyRAT and Gh0stRAT Campaigns Against Chinese-Speaking Targets

Breakglass Intelligence linked multiple March and April malware waves to the **SilverFox** threat actor, describing a broad Chinese-language campaign built around **ValleyRAT** on the `Winos4.0` framework and supported by **Gh0stRAT** and **RustyStealer**. The operation used emotionally charged lures tied to layoffs, disciplinary notices, scam-compound violence, banking fraud, censorship-bypass tools, fake utilities, and business apps, with delivery through WinRAR self-extracting archives, MSI and ZIP packages, DLL sideloading, process hollowing, and staged downloads. One ValleyRAT chain disguised itself as a WeChat-related document, extracted files into `C:\WeChat\`, launched a legitimate WeChat binary as a decoy, and then decrypted and injected the payload while applying Chinese-locale geofencing, anti-VM, and anti-debug checks. Researchers said the malware families provided complementary functions including remote access, keylogging, screenshot capture, clipboard hijacking, credential theft, and persistence, and that targeting extended from mainland Chinese users to diaspora communities, Taiwanese organizations, and some healthcare entities in North America. The infrastructure behind the campaign scaled rapidly, with reporting tying the activity to **22 to 75 command-and-control endpoints** and more than 17 domains across Alibaba Cloud, Tencent Cloud, AWS Hong Kong, Vultr, Azure, Huawei Cloud, and other providers, with Hong Kong serving as a major hub. Analysts connected the clusters through shared protocol behavior, mutexes, ValleyRAT DLL exports, recurring registrar patterns, use of the `codemark` builder variant, and repeated OPSEC failures including exposed RDP services, self-signed certificates, Python SimpleHTTP payload hosting, a Windows host identified as `TEDDY2012`, and domain registration details that appeared to expose operator identity. 
Separate reporting also described a related **Gh0stRAT/Farfli** "WisemanSupport" campaign using TCP/6658 and hardcoded infrastructure, reinforcing the continued use of Chinese-nexus RAT tooling and overlapping tradecraft in active intrusion operations.

1 week ago
ValleyRAT Malware Campaigns Targeting Chinese Organizations and Job Seekers

Threat actors have launched multiple campaigns distributing the ValleyRAT remote access trojan (RAT), targeting both organizations in China and job seekers. In one campaign, the group known as Silver Fox used search engine optimization (SEO) poisoning and fake Microsoft Teams installers to lure Chinese-speaking users, including those in Western companies operating in China, into downloading a trojanized setup file. The installer, disguised with Russian linguistic elements to mislead attribution, deploys ValleyRAT, which enables remote control, data exfiltration, and persistent access to infected systems. The malware loader checks for security software like 360 Total Security and manipulates Microsoft Defender exclusions to evade detection. A separate ValleyRAT campaign has been observed targeting job seekers via malicious emails that leverage a weaponized Foxit PDF Reader for DLL side-loading. This campaign uses social engineering to trick users into executing the malware, which then allows attackers to monitor activity, steal sensitive data, and potentially compromise HR professionals as well. Both campaigns demonstrate a high level of sophistication, utilizing layered obfuscation, dynamic execution techniques, and strategic targeting to maximize infection rates and evade security controls. Security vendors have updated detection and hunting capabilities to address these threats, emphasizing the need for vigilance among organizations and individuals alike.

1 month ago
