Ethical Hacking News
Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware: A Sophisticated Phishing Campaign Unfolds in Asia-Pacific Region
Silver Fox, a Chinese cybercrime group, has been linked to a sophisticated phishing campaign targeting Indian users with tax-themed emails. The emails deliver a modular remote access trojan called ValleyRAT, which provides keylogging, credential harvesting, and defense evasion capabilities. The group also uses search engine optimization (SEO) poisoning to distribute variants of Gh0st RAT, including ValleyRAT, through trojanized installers of widely used applications. The phishing campaign uses decoy PDFs purporting to come from India's Income Tax Department to deploy ValleyRAT. ValleyRAT has a plugin-oriented architecture, allowing its operators to deploy specialized capabilities tailored to each victim's role and value. Silver Fox's attack scope has expanded beyond China to organizations in Asia-Pacific, Europe, and North America. The group uses an exposed link management panel to track download activity for malicious installers of popular applications.
In a recent development that has shed light on the evolving nature of cyber threats, a sophisticated phishing campaign spearheaded by the threat actor known as Silver Fox has been observed targeting Indian users with tax-themed emails. The emails deliver a modular remote access trojan called ValleyRAT (aka Winos 4.0), which is designed to provide its operators with an array of capabilities, including keylogging, credential harvesting, and defense evasion.
According to researchers at CloudSEK, the attack leverages a complex kill chain involving DLL hijacking and the modular ValleyRAT to ensure persistence on compromised hosts. Silver Fox has also used search engine optimization (SEO) poisoning to distribute variants of Gh0st RAT, including ValleyRAT, through trojanized installers of widely used applications, including communication tools, VPNs, and productivity apps.
The phishing campaign is notable for its income tax-themed lures, which are designed to convince victims that the emails come from a legitimate source. The attackers have been observed using decoy PDFs purportedly from India's Income Tax Department to deploy ValleyRAT. Specifically, opening the PDF attachment takes the recipient to the "ggwk[.]cc" domain, from where a ZIP file ("tax affairs.zip") is downloaded.
Present within the archive is a Nullsoft Scriptable Install System (NSIS) installer of the same name ("tax affairs.exe"), which bundles a legitimate executable associated with Thunder ("thunder.exe"), a download manager for Windows developed by Xunlei. The legitimate binary is used to sideload a rogue DLL called "libexpat.dll" that disables the Windows Update service and serves as a conduit for a Donut loader.
The loader performs various anti-analysis and anti-sandbox checks to ensure that the malware can run unimpeded on the compromised host. It then injects the final ValleyRAT payload into a hollowed "explorer.exe" process. ValleyRAT is designed to communicate with an external server and await further commands, implementing a plugin-oriented architecture to extend its functionality in an ad hoc manner.
This allows its operators to deploy specialized capabilities tailored to victim role and value. Registry-resident plugins and delayed beaconing enable the RAT to survive reboots while remaining low-noise. On-demand module delivery enables targeted credential harvesting and surveillance, further solidifying ValleyRAT's position as a formidable tool in the cyber threat landscape.
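One way to turn the chain described above into a host-based detection, as an added example written here rather than code from the article or from CloudSEK: correlate the DLL sideload by thunder.exe, the Windows Update service being disabled, and a suspended explorer.exe creation on the same host. The event schema and field names, the service name wuauserv, the trusted-path list and the telemetry itself are assumptions constructed for the example.

```python
# Added example (not from the article or CloudSEK): correlating the ValleyRAT
# delivery chain over constructed endpoint telemetry. Field names are assumed;
# map them to your EDR or Sysmon schema before use.
from collections import defaultdict

# Stage indicators taken from the article's description of the chain.
SIDELOAD_HOST = "thunder.exe"      # legitimate Xunlei download manager
SIDELOAD_DLL = "libexpat.dll"      # rogue DLL loaded next to it
UPDATE_SERVICE = "wuauserv"        # Windows Update service name (assumed)
HOLLOW_TARGET = "explorer.exe"     # process hollowed for the final payload
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def classify(ev):
    """Return the chain stage an event matches, or None."""
    t = ev.get("type")
    image = ev.get("image", "").lower()
    if (t == "image_load" and ev.get("process") == SIDELOAD_HOST
            and image.endswith(SIDELOAD_DLL)
            and not image.startswith(TRUSTED_DIRS)):
        return "dll_sideload"
    if (t == "service_change" and ev.get("service") == UPDATE_SERVICE
            and ev.get("new_state") == "disabled"):
        return "update_service_disabled"
    if (t == "process_create" and ev.get("parent") == SIDELOAD_HOST
            and ev.get("process") == HOLLOW_TARGET and ev.get("suspended")):
        return "explorer_hollowing"
    return None

def correlate(events, min_stages=2):
    """Collect matched stages per host; alert on hosts showing at least
    min_stages distinct stages of the chain (single hits stay quiet)."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

# Constructed sample telemetry, not real captured data.
SAMPLE_EVENTS = [
    {"host": "pc1", "type": "image_load", "process": "thunder.exe",
     "image": "C:\\Users\\a\\Downloads\\tax affairs\\libexpat.dll"},
    {"host": "pc1", "type": "service_change", "service": "wuauserv",
     "new_state": "disabled"},
    {"host": "pc1", "type": "process_create", "parent": "thunder.exe",
     "process": "explorer.exe", "suspended": True},
    # Benign: a real Thunder install loading its own DLL from Program Files
    {"host": "pc2", "type": "image_load", "process": "thunder.exe",
     "image": "C:\\Program Files\\Thunder\\libexpat.dll"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```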
The attack has been linked to Silver Fox, an aggressive cybercrime group from China that has been active since 2022. The group has a track record of orchestrating various campaigns with motives ranging from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption.
Silver Fox's victimology has broadened over time, targeting primarily Chinese-speaking individuals and organizations in the public, financial, medical, and technology sectors. However, recent attacks have expanded its reach to include organizations operating in Asia-Pacific, Europe, and North America.
The disclosure comes as NCC Group identified an exposed link management panel ("ssl3[.]space") used by Silver Fox to track download activity related to malicious installers for popular applications, including Microsoft Teams. This service hosts information related to web pages hosting backdoor installer applications, the number of clicks a download button on a phishing site receives per day, and cumulative numbers of clicks a download button has received since launch.
The bogus sites created by Silver Fox have been found to impersonate CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, and Youdao, among others. An analysis of the origin IP addresses that have clicked on the download links has revealed that at least 217 clicks originated from China, followed by the U.S., Hong Kong, Taiwan, and Australia.
According to researchers Dillon Ashmore and Asher Glue, Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps. These primarily target Chinese-speaking individuals and organizations in China, with infections dating back to July 2025 and additional victims across Asia-Pacific, Europe, and North America.
The findings coincide with a recent report from ReliaQuest, which attributed to the hacking group a false flag operation mimicking a Russian threat actor in attacks targeting organizations in China, using Teams-related lure sites in an attempt to complicate attribution efforts.
Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America, validating the campaign's scope and strategic targeting of Chinese-speaking users. As concerns about cybersecurity threats continue to grow, it is imperative that individuals and organizations take proactive measures to protect themselves against such attacks.
By staying informed about emerging threats and understanding the tactics used by threat actors like Silver Fox, individuals can better equip themselves to navigate the complex landscape of cyber threats and protect their sensitive information from falling into the wrong hands.
Related Information:
https://www.ethicalhackingnews.com/articles/Silver-Fox-Targets-Indian-Users-With-Tax-Themed-Emails-Delivering-ValleyRAT-Malware-A-Sophisticated-Phishing-Campaign-Unfolds-in-Asia-Pacific-Region-ehn.shtml
https://thehackernews.com/2025/12/silver-fox-targets-indian-users-with.html
Published: Tue Dec 30 05:17:42 2025 by llama3.2 3B Q4_K_M