
The threat actor known as Silver Fox has shifted its focus to India, using income tax-themed decoys in phishing campaigns to distribute a modular remote access Trojan called ValleyRAT (also known as Winos 4.0).
“This sophisticated attack utilizes a complex kill chain that includes DLL hijacking and a modular Valley RAT to ensure persistence,” CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week.
Silver Fox, also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, is the name assigned to an aggressive Chinese cybercrime group that has been active since 2022.
It has a track record of orchestrating campaigns ranging from espionage and intelligence gathering to financial gain, cryptocurrency mining, and business disruption, making it one of the few hacking groups with a multifaceted approach to intrusions.
Having initially focused on Chinese-speaking individuals and organizations, Silver Fox has since expanded its targeting to organizations in the public, financial, healthcare, and technology sectors. The group’s attacks have used search engine optimization (SEO) poisoning and phishing to distribute Gh0st RAT variants such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (also known as Gh0stBins).

In the infection chain documented by CloudSEK, a phishing email carrying a decoy PDF purporting to come from the Income Tax Department of India is used to deploy ValleyRAT. Specifically, opening the PDF attachment directs the recipient to the “ggwk[.]cc” domain to download a ZIP file (“Tax Affairs.zip”).
Inside the archive is a Nullsoft Scriptable Install System (NSIS) installer with the same name (‘tax affairs.exe’). It leverages a legitimate executable file related to Thunder (‘thunder.exe’), a download manager for Windows developed by Xunlei, and a malicious DLL (‘libexpat.dll’) that is sideloaded by the binary.
The DLL disables the Windows Update service and acts as a conduit for a Donut loader, while a series of anti-analysis and anti-sandbox checks are performed to ensure the malware can run unhindered on the compromised host. The loader then injects the final ValleyRAT payload into a hollowed-out “explorer.exe” process.
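Hunting logic for the chain described above (a legitimate signed host binary loading an unsigned DLL from its own directory, the Windows Update service being disabled, and explorer.exe being launched by the loader), written as an added example; it is not CloudSEK’s code. The input records are constructed to resemble Sysmon events exported as JSON (Event ID 7 = image loaded, Event ID 13 = registry value set, Event ID 1 = process create); the directory names, ProcessGuid values and the benign Thunder install are assumptions.

```python
"""Sideloading / service-tampering / hollowing hunt over Sysmon-style records.

Added example, not CloudSEK's code. EVENTS below is constructed telemetry;
paths and ProcessGuid values are assumptions.
"""
import ntpath  # parse Windows paths on any host OS

# Directories from which a DLL load is expected (lower-case prefixes).
TRUSTED_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\program files", r"c:\program files (x86)",
)
# Processes that normally start explorer.exe; any other parent is a weak
# hollowing signal that must be corroborated by other findings.
EXPECTED_EXPLORER_PARENTS = ("userinit.exe", "explorer.exe", "winlogon.exe")
# Registry value written when the Windows Update service's start type changes.
WUAUSERV_START = r"\services\wuauserv\start"

# Constructed telemetry (not real captures).
EVENTS = [
    {"EventID": 7, "ProcessGuid": "{aaa}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\nsq1234.tmp\thunder.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\nsq1234.tmp\libexpat.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessGuid": "{aaa}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\nsq1234.tmp\thunder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Assumed legitimate install: same DLL name, but signed and under Program Files.
    {"EventID": 7, "ProcessGuid": "{bbb}",
     "Image": r"C:\Program Files\Thunder\thunder.exe",
     "ImageLoaded": r"C:\Program Files\Thunder\libexpat.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 13, "ProcessGuid": "{aaa}", "EventType": "SetValue",
     "Image": r"C:\Users\victim\AppData\Local\Temp\nsq1234.tmp\thunder.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": 1, "ProcessGuid": "{ccc}", "ParentProcessGuid": "{aaa}",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\nsq1234.tmp\thunder.exe"},
]


def is_sideload(ev):
    """DLL loaded from the host executable's own directory, outside trusted
    locations, without a valid signature."""
    if ev.get("EventID") != 7:
        return False
    host, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    same_dir = ntpath.dirname(host) == ntpath.dirname(dll)
    untrusted = not dll.startswith(TRUSTED_DIRS)
    unsigned = ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"
    return same_dir and untrusted and unsigned


def disables_windows_update(ev):
    """Registry write setting wuauserv Start to 4 (SERVICE_DISABLED)."""
    if ev.get("EventID") != 13 or ev.get("EventType", "SetValue") != "SetValue":
        return False
    return (ev["TargetObject"].lower().endswith(WUAUSERV_START)
            and "0x00000004" in ev.get("Details", ""))


def unusual_explorer_launch(ev):
    """explorer.exe started by something other than its usual parents."""
    if ev.get("EventID") != 1 or ntpath.basename(ev["Image"].lower()) != "explorer.exe":
        return False
    parent = ntpath.basename(ev.get("ParentImage", "").lower())
    return parent not in EXPECTED_EXPLORER_PARENTS


def hunt(events):
    """Group indicators by the process that produced them; one process
    showing several of them is the pattern worth escalating."""
    findings = {}
    for ev in events:
        if is_sideload(ev):
            findings.setdefault(ev["ProcessGuid"], set()).add(
                "sideload:" + ntpath.basename(ev["ImageLoaded"].lower()))
        if disables_windows_update(ev):
            findings.setdefault(ev["ProcessGuid"], set()).add("wuauserv_disabled")
        if unusual_explorer_launch(ev):
            # Attribute the launch to the parent, which is the suspected loader.
            findings.setdefault(ev["ParentProcessGuid"], set()).add("spawned_explorer")
    return findings


if __name__ == "__main__":
    for guid, tags in hunt(EVENTS).items():
        print(guid, sorted(tags))
```

The explorer.exe parent check on its own is noisy (any application that opens a folder spawns explorer.exe), which is why the findings are keyed by process: the thunder.exe instance that both sideloads libexpat.dll and disables wuauserv is the one worth escalating, and the signed copy under Program Files never appears.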
ValleyRAT is designed to communicate with external servers and wait for further commands. It implements a plugin-oriented architecture that extends functionality in an ad-hoc manner, allowing operators to deploy specialized features that facilitate keylogging, credential collection, and defense evasion.
“Registry-resident plugins and delayed beacons allow the RAT to survive reboots while maintaining low noise,” CloudSEK said. “Delivery of on-demand modules enables targeted credential collection and monitoring tailored to victim roles and values.”

This disclosure comes after NCC Group said it had identified an exposed link-management panel (“ssl3[.]space”) used by Silver Fox to track download activity for malicious installers of popular applications such as Microsoft Teams, which are used to deploy ValleyRAT. The panel exposes the following information:
- Web pages that host the backdoored installer applications
- Number of clicks received by the phishing site’s download button per day
- Cumulative number of clicks received by the download button since inception
Fake sites created by Silver Fox have been found impersonating CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, Youdao, and more. Analysis of the IP addresses from which download link clicks were made revealed that at least 217 clicks originated from China, followed by the United States (39), Hong Kong (29), Taiwan (11), and Australia (7).
“SilverFox used SEO poisoning to distribute backdoor installers for at least 20 widely used applications, including communication tools, VPNs, and productivity apps,” researchers Dillon Ashmore and Asher Grew said in a statement. “These primarily target Mandarin-speaking individuals and organizations within China, with infections dating back to July 2025, with additional victims occurring across Asia-Pacific, Europe, and North America.”

The ZIP archives distributed via these sites contain an NSIS-based installer that is responsible for configuring Microsoft Defender Antivirus exclusions, establishing persistence using scheduled tasks, and accessing remote servers to retrieve the ValleyRAT payload.
This finding is consistent with a recent report from ReliaQuest, which alleged that the group ran a false-flag operation using Teams-themed lure sites to imitate Russian actors in attacks against Chinese organizations, in an attempt to complicate attribution.
“Data from this panel shows hundreds of clicks from victims in mainland China and Asia Pacific, Europe and North America, demonstrating the scope of the campaign and its strategic targeting of Chinese-speaking users,” NCC Group said.
