Chinese Cybercrime Group Silver Fox Targets Indian Taxpayers with ValleyRAT Malware
A sophisticated and aggressive cybercrime group, known as Silver Fox, has shifted its focus to India, orchestrating cunning phishing campaigns that leverage income tax-themed lures. The objective: to distribute a potent modular remote access trojan (RAT) dubbed ValleyRAT, also identified as Winos 4.0.
Cybersecurity researchers at CloudSEK, Prajwal Awasthi and Koushik Pal, recently highlighted the intricate nature of these attacks. “This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” they noted in a recent analysis. The group, also tracked as SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne, has been active since 2022 and is notorious for its multi-pronged approach to cyber intrusion, encompassing espionage, intelligence gathering, financial gain, cryptocurrency mining, and operational disruption.
The Evolving Threat Landscape: Silver Fox’s Global Reach
While initially concentrating on Chinese-speaking individuals and organizations, Silver Fox’s victimology has expanded significantly. Its targets now include entities across public, financial, medical, and technology sectors globally. The group employs various attack vectors, including search engine optimization (SEO) poisoning and phishing, to deliver variants of Gh0st RAT, such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
Anatomy of an Attack: The ValleyRAT Kill Chain
CloudSEK’s documentation of the infection chain reveals a meticulously crafted process. The attack commences with phishing emails containing deceptive PDF attachments, masquerading as official communications from India’s Income Tax Department. Opening this seemingly innocuous PDF redirects the recipient to the domain “ggwk[.]cc,” from which a ZIP file, “tax affairs.zip,” is automatically downloaded.
Contained within this archive is a Nullsoft Scriptable Install System (NSIS) installer, also named “tax affairs.exe.” This installer then abuses a legitimate executable associated with Thunder (“thunder.exe”), a popular Windows download manager by Xunlei. Crucially, that executable is used to sideload a malicious DLL, “libexpat.dll.” This rogue DLL serves a dual purpose: it disables the Windows Update service and acts as a conduit for a Donut loader. Before executing its primary function, the DLL performs extensive anti-analysis and anti-sandbox checks, ensuring the malware can operate unimpeded on the compromised system. Subsequently, the Donut loader injects the final ValleyRAT payload into a hollowed “explorer.exe” process, establishing a stealthy and persistent presence.
ValleyRAT’s Deceptive Arsenal and Persistence
ValleyRAT is engineered for clandestine communication with an external command-and-control server, awaiting further instructions. Its plugin-oriented architecture allows for dynamic extension of its capabilities, enabling operators to deploy specialized modules for keylogging, credential harvesting, and sophisticated defense evasion techniques. CloudSEK emphasizes its resilience: “Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise.” This on-demand module delivery system facilitates targeted credential harvesting and surveillance, tailored to the victim’s role and value within an organization.
Beyond Phishing: SEO Poisoning and Broader Campaigns
Further insights from NCC Group reveal an exposed link management panel (“ssl3[.]space”) utilized by Silver Fox. This panel tracks download activity for malicious installers disguised as popular applications, including Microsoft Teams, all designed to deliver ValleyRAT. The service meticulously logs:
- Web pages hosting backdoor installer applications.
- Daily click counts on download buttons on phishing sites.
- Cumulative click counts since a download button’s launch.
Silver Fox has been observed impersonating a wide array of legitimate applications, including CloudChat, FlyVPN, Microsoft Teams, OpenVPN, Signal, Telegram, ToDesk, WPS Office, and Youdao, among others. An analysis of originating IP addresses clicking these malicious download links indicates a significant focus on China (217 clicks), followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7).
Researchers Dillon Ashmore and Asher Glue of NCC Group stated, “Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps.” These campaigns primarily target Chinese-speaking individuals and organizations, with infections dating back to July 2025 and additional victims spanning Asia-Pacific, Europe, and North America. The distribution mechanism involves ZIP archives containing NSIS-based installers that configure Microsoft Defender Antivirus exclusions, establish persistence via scheduled tasks, and fetch the ValleyRAT payload from remote servers.
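As an added, defender-side example that is not from CloudSEK's or NCC Group's reporting: a small Python checker that applies the behaviours described above (thunder.exe sideloading libexpat.dll from a user-writable directory, the Windows Update service being disabled, explorer.exe spawned by an unexpected parent, Defender exclusion writes and scheduled-task creation by the NSIS installer) to constructed Sysmon-style events. The event field names, sample paths and user name are assumptions, not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (hypothetical sample, not telemetry from the report).
STAGING = r"C:\Users\tax\AppData\Local\Temp\tax affairs"
SAMPLE_EVENTS = [
    {"type": "image_load", "image": STAGING + r"\thunder.exe", "loaded": STAGING + r"\libexpat.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config wuauserv start= disabled", "parent": STAGING + r"\thunder.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\tax\AppData"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "' + STAGING + r'\tax affairs.exe" /sc onlogon',
     "parent": STAGING + r"\tax affairs.exe"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe",
     "parent": STAGING + r"\thunder.exe"},
    # Benign control: the same DLL name loaded from the product's own install directory.
    {"type": "image_load", "image": r"C:\Program Files\Thunder\thunder.exe",
     "loaded": r"C:\Program Files\Thunder\libexpat.dll"},
]

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXPECTED_EXPLORER_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe", "svchost.exe"}

def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)

def basename(path):
    return PureWindowsPath(path).name.lower()

def evaluate(event):
    """Return finding labels for one event (empty list when nothing in it matches the chain)."""
    findings, kind = [], event["type"]
    if kind == "image_load" and basename(event["image"]) == "thunder.exe" \
            and basename(event["loaded"]) == "libexpat.dll" and not in_trusted_root(event["loaded"]):
        findings.append("dll_sideload_thunder_libexpat")  # legitimate host binary, DLL from user-writable dir
    if kind == "process_create":
        cmd = event["cmdline"].lower()
        if re.search(r"\b(sc|net)(\.exe)?\s+(config|stop)\s+wuauserv\b", cmd):
            findings.append("windows_update_service_tampering")
        if "schtasks" in cmd and "/create" in cmd and not in_trusted_root(event["parent"]):
            findings.append("scheduled_task_from_untrusted_parent")
        if basename(event["image"]) == "explorer.exe" and basename(event["parent"]) not in EXPECTED_EXPLORER_PARENTS:
            findings.append("explorer_spawned_by_unexpected_parent")  # consistent with hollowing a fresh explorer.exe
    if kind == "registry_set" and "\\windows defender\\exclusions\\" in event["key"].lower():
        findings.append("defender_exclusion_added")
    return findings

def scan(events):
    """Run every rule over a list of events; returns (event index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in evaluate(e)]
```

Each rule alone is weak on its own (Defender exclusions and scheduled tasks are routine for installers); the value is in several of them firing from the same staging directory within one session.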
The False Flag Factor: Complicating Attribution
These findings align with a recent report from ReliaQuest, which attributed a false flag operation to Silver Fox. The group reportedly mimicked a Russian threat actor in attacks targeting Chinese organizations, using Teams-related lure sites in an apparent attempt to complicate attribution efforts. “Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America, validating the campaign’s scope and strategic targeting of Chinese-speaking users,” NCC Group concluded, underscoring the sophisticated and evolving nature of Silver Fox’s operations.