
Silver Fox Targets Indian Users with Tax-Themed Emails Delivering MultiRAT Malware

  • Dec 30, 2025

Key Points


  • The cybercrime group known as Silver Fox has expanded its targeting to Indian users, using income tax-themed phishing emails to distribute the ValleyRAT remote access trojan.

  • Silver Fox is a China-based threat group active since 2022. It initially targeted Chinese-speaking individuals and organizations and has now widened its victimology to Indian users.

  • The phishing emails carry malicious PDF attachments that lead victims to download a ZIP file; the installer inside it ultimately deploys ValleyRAT, whose plugin-based architecture adds capabilities such as keylogging and credential theft.

  • In addition to phishing, Silver Fox has also leveraged search engine optimization (SEO) poisoning to distribute backdoor installers disguised as popular applications like communication tools, VPNs, and productivity apps.

  • Victims have been identified across Asia-Pacific, Europe, and North America, showing that the group's reach extends well beyond its traditional Chinese-speaking victim base.


Background


Silver Fox is an aggressive cybercrime group from China that has been active since 2022. Its campaigns range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, which makes Silver Fox one of the relatively few groups that blends espionage with financially motivated intrusion activity.


Historically, Silver Fox has primarily targeted Chinese-speaking individuals and organizations, but the group has now expanded its focus to Indian users. Its latest campaign uses income tax-themed phishing emails to deliver the ValleyRAT remote access trojan (RAT).


Phishing Lures and Infection Chain


The phishing emails purport to come from India's Income Tax Department and carry a malicious PDF attachment. The PDF contains a link that sends the victim to the domain "ggwk[.]cc", which serves a ZIP archive ("tax affairs.zip"). The archive holds a Nullsoft Scriptable Install System (NSIS) installer ("tax affairs.exe") that drops a legitimate executable from the Thunder download manager next to a rogue "libexpat.dll". When the legitimate binary runs, it loads the attacker's DLL from its own directory, a classic DLL side-loading technique, and that DLL goes on to deploy the final ValleyRAT payload.


The DLL performs a series of anti-analysis and anti-sandbox checks before injecting ValleyRAT into a hollowed "explorer.exe" process (process hollowing: a legitimate process is started, its code is replaced in memory with the payload, and execution is resumed, so the malware runs under a trusted image name). ValleyRAT then contacts an external command-and-control server and awaits instructions. Its plugin-oriented architecture lets the operators extend it at runtime with capabilities such as keylogging, credential harvesting, and defense evasion.
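The chain above leaves two endpoint-visible seams: a DLL with a well-known library name loaded from a user-writable directory by the executable sitting beside it, and an explorer.exe whose parent is that executable rather than the usual logon chain. The following detection logic runs both checks over a few constructed Sysmon-style events and correlates them into one chain. It is an added example and not code from the original report; the Sysmon field names (EventID, Image, ParentImage, ImageLoaded) are real, the event values and the "Thunder.exe" filename are placeholders, since the report does not give the legitimate binary's name.

```python
import re

# Directories an ordinary user can write to. A legitimate vendor binary running
# from one of these with a well-known library name beside it is the setup for
# the DLL side-loading step described in the report.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(downloads|appdata\\local\\temp)|windows\\temp|programdata)\\",
    re.IGNORECASE,
)

# Library names abused for side-loading. libexpat.dll comes from the report;
# a real deployment would extend the set from its own telemetry.
SIDELOAD_DLLS = {"libexpat.dll"}

# Processes that normally start explorer.exe on a workstation.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def detect(events):
    """Return (rule, detail) findings for Sysmon-style events in time order.

    Event ID 1 (process create) carries Image and ParentImage; Event ID 7 (image
    load) carries Image and ImageLoaded. Ordering matters: a process first seen
    side-loading a DLL is remembered so that the explorer.exe it spawns
    afterwards can be tied to the same chain.
    """
    findings = []
    sideloaders = set()  # lowercase image paths caught side-loading

    for ev in events:
        if ev["EventID"] == 7:
            proc, dll = ev["Image"], ev["ImageLoaded"]
            if (_basename(dll) in SIDELOAD_DLLS
                    and _dirname(dll) == _dirname(proc)
                    and USER_WRITABLE.match(proc)):
                sideloaders.add(proc.lower())
                findings.append(("dll_sideload", f"{proc} loaded {dll}"))

        elif ev["EventID"] == 1:
            child, parent = ev["Image"], ev["ParentImage"]
            if _basename(child) != "explorer.exe":
                continue
            if parent.lower() in sideloaders:
                # A fresh explorer.exe started by the side-loading process is the
                # hollowing step: the trusted image name now hosts the RAT.
                findings.append(("explorer_from_sideloader", f"{parent} -> {child}"))
            elif (_basename(parent) not in EXPECTED_EXPLORER_PARENTS
                  and USER_WRITABLE.match(parent)):
                findings.append(("explorer_unexpected_parent", f"{parent} -> {child}"))

    return findings


# Constructed events modelled on the reported chain (values are made up).
SAMPLE_EVENTS = [
    # The NSIS installer from the ZIP runs out of Downloads.
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\tax affairs\tax affairs.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # It launches the dropped download-manager binary (placeholder filename).
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\nsx1A2B.tmp\Thunder.exe",
     "ParentImage": r"C:\Users\victim\Downloads\tax affairs\tax affairs.exe"},
    # That binary loads libexpat.dll from its own directory: the side-load.
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\nsx1A2B.tmp\Thunder.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\nsx1A2B.tmp\libexpat.dll"},
    # The rogue DLL starts a fresh explorer.exe to hollow.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\nsx1A2B.tmp\Thunder.exe"},
    # Control: the normal logon-time explorer.exe must not fire.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    # Control: the same library name loaded from Program Files is not a hit.
    {"EventID": 7, "Image": r"C:\Program Files\SomeApp\SomeApp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\libexpat.dll"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The side-load rule deliberately ignores whether the DLL is signed: the Sysmon Signed field is useful context for an analyst, but filtering on it would let a rogue DLL carrying a stolen or purchased certificate through. The explorer.exe rule is the noisier of the two on its own, which is why the correlated "explorer_from_sideloader" finding is the one worth paging on.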


SEO Poisoning and Wider Victimology


In addition to the phishing campaign, Silver Fox has also been found to engage in search engine optimization (SEO) poisoning to distribute backdoor installers disguised as legitimate applications. These malicious installers have impersonated a wide range of popular software, including communication tools, VPNs, and productivity apps.


An analysis of the IP addresses that clicked on the download links found that most clicks originated from China, followed by the U.S., Hong Kong, Taiwan, and Australia. Taken together with the other reported victims, this points to a footprint spanning Asia-Pacific, Europe, and North America.


Mitigation and Recommendations


To protect against phishing attacks and malware distribution campaigns like those carried out by Silver Fox, individuals and organizations should:


  • Treat unsolicited emails with suspicion, particularly those about taxes or other deadline-driven topics designed to make the recipient act quickly

  • Verify PDF attachments and download links before opening them: check that a link's real destination belongs to the claimed sender's domain, and be wary of any link that delivers an archive or installer rather than a document

  • Deploy endpoint protection and security monitoring that can flag DLL side-loading, process hollowing, and unexpected outbound command-and-control traffic, so a remote access trojan is caught before it is fully deployed

  • Keep software and operating systems updated to close vulnerabilities that threat actors could exploit

  • Educate employees on current phishing and social engineering tactics to increase awareness and vigilance
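Checking where a PDF's links really go is the concrete form of the second recommendation. The following added example (not code from the original post) extracts the /URI link actions from a PDF and scores each against the claimed sender's domain and the type of file it would deliver. The PDF bytes are constructed for the example and are not the real lure; the download domain is the one named in the report, the Income Tax portal URL and the expected-domain allowlist are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Literal-string /URI actions: "/S /URI /URI (http://...)" with PDF escapes.
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")

# PDF features that have no business appearing in a tax notice at all.
ACTIVE_CONTENT = (b"/Launch", b"/JavaScript", b"/OpenAction", b"/EmbeddedFile")

# File types a lure link typically delivers; the report's ZIP is one of them.
PAYLOAD_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".msi", ".lnk")

# Domains the claimed sender would legitimately link to (assumption for the
# example: India's e-filing portal).
EXPECTED_DOMAINS = {"incometax.gov.in"}

# Constructed minimal PDF, not the real lure: two link annotations, one to the
# genuine portal and one to the download domain named in the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.incometax.gov.in/) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://ggwk.cc/tax%20affairs.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_uris(pdf):
    """Pull every literal-string URI action out of the raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).decode("latin-1")
        # Undo the PDF literal-string escapes for parentheses and backslashes.
        uris.append(raw.replace(r"\(", "(").replace(r"\)", ")").replace(r"\\", "\\"))
    return uris


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(pdf, expected_domains=EXPECTED_DOMAINS):
    """Return (item, verdict, reasons) for each link and active-content marker."""
    results = []
    for uri in extract_uris(pdf):
        parts = urlparse(uri)
        host = (parts.hostname or "").lower()
        reasons = []
        if not _in_domains(host, expected_domains):
            reasons.append("destination outside the claimed sender's domains")
        if parts.path.lower().endswith(PAYLOAD_EXTENSIONS):
            reasons.append("link delivers an archive or executable")
        if parts.scheme == "http":
            reasons.append("plaintext http")
        results.append((uri, "suspicious" if reasons else "ok", reasons))
    for marker in ACTIVE_CONTENT:
        if marker in pdf:
            results.append((marker.decode(), "suspicious", ["active PDF content"]))
    return results


if __name__ == "__main__":
    for item, verdict, reasons in triage(SAMPLE_PDF):
        print(f"{verdict:10} {item}  {'; '.join(reasons)}")
```

The regex approach is enough for a quick first look but only sees uncompressed, literal-string URIs; real samples often keep annotations inside compressed object streams or write strings in hex form, so anything that matters should go through a proper PDF parser that inflates object streams before the same scoring is applied.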


By staying informed about the evolving tactics of groups like Silver Fox and adopting a proactive approach to security, users and organizations can better defend against these wide-reaching attacks.


Sources


  • https://thehackernews.com/2025/12/silver-fox-targets-indian-users-with.html

  • https://www.reddit.com/r/pwnhub/comments/1pzndkj/silver_fox_targets_indian_users_with_taxthemed/

© 2025 by Explain IT Again.