Cybersecurity researchers have identified a new phishing campaign targeting users in India, carried out by the China-linked threat actor known as Silver Fox. The operation uses income tax related email lures to distribute ValleyRAT, a modular remote access trojan also referred to as Winos 4.0.
According to an analysis published by CloudSEK, the attack relies on a multi-stage kill chain that combines DLL hijacking techniques with a modular malware framework to maintain long-term persistence on infected systems. Researchers Prajwal Awasthi and Koushik Pal described the campaign as a highly structured operation designed to evade detection while enabling flexible post-compromise activity.
Silver Fox, also tracked under names such as SwimSnake, The Great Thief of Valley, Valley Thief, UTG-Q-1000, and Void Arachne, has been active since 2022. The group is known for running diverse campaigns that support espionage, intelligence gathering, financial crime, cryptocurrency mining, and operational disruption.
Expanding Target Scope
While Silver Fox initially focused on Chinese-speaking individuals and organizations, its targeting has expanded to include entities across the public, financial, healthcare, and technology sectors. Previous campaigns attributed to the group have relied on phishing and search engine optimization poisoning to distribute malware families derived from Gh0st RAT, including ValleyRAT, Gh0stCringe, and HoldingHands RAT (also known as Gh0stBins).
In the India-focused campaign documented by CloudSEK, victims receive phishing emails posing as official communications from the Indian Income Tax Department. These messages contain PDF attachments that act as decoys. Opening the PDF redirects users to the domain ggwk[.]cc, from which a ZIP archive named tax affairs.zip is downloaded.
Technical Infection Chain
Inside the archive is an NSIS installer called tax affairs.exe. This installer abuses a legitimate third-party executable, thunder.exe, from the Thunder download manager developed by Xunlei. Because the binary resolves the library libexpat.dll by name from its own directory, the attackers drop a malicious DLL of that name next to it and the trusted executable sideloads their code, a pattern that lets the payload run without raising immediate suspicion.
The rogue DLL disables the Windows Update service and functions as a loader for additional malware components. Before proceeding, it performs multiple anti-analysis and anti-sandbox checks to confirm it is running on a real system. The final ValleyRAT payload is then injected into a hollowed explorer.exe process.
Once deployed, ValleyRAT establishes communication with a remote command server and waits for instructions. Its plugin-based architecture allows operators to selectively load modules for tasks such as keylogging, credential theft, surveillance, and defense evasion.
CloudSEK noted that registry-based plugins and delayed beaconing mechanisms help the malware survive system reboots while keeping network noise low. Modules are delivered on demand, enabling targeted monitoring based on the victim’s role and perceived value.

Infrastructure and Distribution Insights
The disclosure coincides with findings from NCC Group, which uncovered an exposed link management panel at ssl3[.]space used by Silver Fox to track downloads of malicious installers. The panel provides visibility into hosting pages, daily and cumulative download clicks, and campaign performance metrics.
Bogus websites associated with the group impersonate a wide range of legitimate software and services, including CloudChat, FlyVPN, Microsoft Teams, OpenVPN, Signal, Telegram, WPS Office, and others. Analysis of download activity revealed at least 217 clicks originating from China, followed by activity from the United States, Hong Kong, Taiwan, and Australia.
According to NCC Group researchers Dillon Ashmore and Asher Glue, Silver Fox has used SEO poisoning to distribute backdoored installers for more than 20 popular applications. While the primary focus remains Chinese-speaking users in China, infections have been observed across Asia-Pacific, Europe, and North America since mid-2025.
The ZIP files distributed through these fake sites contain NSIS installers that configure Microsoft Defender exclusions, establish persistence via scheduled tasks, and retrieve the ValleyRAT payload from a remote server.
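The behaviours described above (the Indian campaign's thunder.exe/libexpat.dll sideload and Windows Update shutdown, and the SEO-poisoning installers' Defender exclusions and scheduled-task persistence) map onto a small set of host-telemetry hunt rules. The script below is an added example written for this article, not code from CloudSEK, NCC Group or the malware itself. The events are constructed in a simplified Sysmon-like shape (Event ID 1 = process creation, Event ID 7 = image load); the exact commands the installers use (sc.exe, Add-MpPreference, schtasks) and the benign Thunder install path are assumptions, not details reported in the research.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). The first five model the
# reported behaviours; the last two are benign controls the rules must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\victim\Downloads\tax affairs\thunder.exe",
     "cmdline": r'"C:\Users\victim\Downloads\tax affairs\thunder.exe"'},
    {"id": 7, "image": r"C:\Users\victim\Downloads\tax affairs\thunder.exe",
     "loaded": r"C:\Users\victim\Downloads\tax affairs\libexpat.dll", "signed": False},
    {"id": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config wuauserv start= disabled"},            # assumed technique
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c Add-MpPreference -ExclusionPath "
                "C:\\Users\\victim\\AppData\\Roaming\\svc"},       # assumed technique
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "SystemUpdater" /sc onlogon '
                '/tr "C:\\Users\\victim\\AppData\\Roaming\\svc\\upd.exe"'},
    # Benign control: same host binary loading the DLL from a signed install
    # under Program Files (assumed location).
    {"id": 7, "image": r"C:\Program Files (x86)\Thunder\thunder.exe",
     "loaded": r"C:\Program Files (x86)\Thunder\libexpat.dll", "signed": True},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Backup" /sc daily /tr "C:\\Program Files\\Backup\\backup.exe"'},
]

# Directories a standard user can write to: a sideload target loading its DLL
# from here, or a task pointing here, is suspicious regardless of signature.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Host EXE -> DLL names it is known to pick up from its own directory
# (the pair reported in the Indian campaign).
SIDELOAD_PAIRS = {"thunder.exe": {"libexpat.dll"}}

SERVICE_DISABLE = re.compile(
    r"\bsc(?:\.exe)?\s+(?:config\s+wuauserv\s+start=\s*disabled|stop\s+wuauserv)\b", re.I)
REG_SERVICE_DISABLE = re.compile(
    r"reg(?:\.exe)?\s+add\s+\S*services\\wuauserv\b.*\s/d\s+4\b", re.I)
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)|Windows Defender\\Exclusions\\", re.I)
SCHTASKS_TARGET = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def _in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_sideload(ev: dict):
    """Event ID 7: a known host EXE loads one of its expected DLL names from the
    EXE's own directory, and that directory is user-writable or the DLL is unsigned."""
    if ev.get("id") != 7:
        return None
    host, dll = _basename(ev["image"]), _basename(ev["loaded"])
    if dll not in SIDELOAD_PAIRS.get(host, ()):
        return None
    exe_dir, dll_dir = PureWindowsPath(ev["image"]).parent, PureWindowsPath(ev["loaded"]).parent
    if exe_dir == dll_dir and (_in_user_writable(ev["loaded"]) or not ev.get("signed", False)):
        return f"dll_sideload: {host} loaded {dll} from {dll_dir}"
    return None


def check_cmdline(ev: dict):
    """Event ID 1: command lines that disable Windows Update, add Defender
    exclusions, or register a scheduled task whose action lives in user space."""
    if ev.get("id") != 1:
        return None
    cmd = ev.get("cmdline", "")
    if SERVICE_DISABLE.search(cmd) or REG_SERVICE_DISABLE.search(cmd):
        return "windows_update_disabled: " + cmd
    if DEFENDER_EXCLUSION.search(cmd):
        return "defender_exclusion_added: " + cmd
    if "/create" in cmd.lower():
        m = SCHTASKS_TARGET.search(cmd)
        if m:
            target = m.group(1) or m.group(2)
            if _in_user_writable(target):
                return f"scheduled_task_user_writable: {target}"
    return None


def hunt(events):
    """Return the findings (one string per rule hit) for a batch of events."""
    findings = []
    for ev in events:
        for rule in (check_sideload, check_cmdline):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The sideload rule keys on the pairing rather than on the DLL name alone, since libexpat.dll is a common library: only a known host loading it from its own directory in user-writable space (or unsigned) is flagged, so a normal installation under Program Files passes. In a real deployment the same rules would run over Sysmon, EDR or Windows event data rather than the constructed list, and the host/DLL table would be extended with other sideload pairs in use.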
Attribution Challenges
The findings align with a separate report from ReliaQuest, which suggested that Silver Fox has engaged in false flag activity by imitating Russian threat actor tradecraft. These efforts were observed in campaigns targeting organizations in China using Microsoft Teams themed lure sites, likely intended to complicate attribution.
NCC Group stated that telemetry from the exposed panel confirms the campaign’s broad reach and deliberate targeting strategy, underscoring the continued evolution of Silver Fox operations.