
Silver Fox Targets India

New research from CloudSEK shows that Silver Fox, a cybercrime group linked to the Chinese government, has begun running phishing campaigns against users in India. The lures impersonate the Indian government's Income Tax Department and attempt to install a modular remote access trojan (RAT) tracked as ValleyRAT, also known as Winos 4.0.

Silver Fox has built an elaborate infection chain to maintain long-term access to compromised systems, combining social engineering, DLL hijacking and stealthy installation of its malware. The group has been tracked under several names, including SwimSnake, Void Arachne, UTG-Q-1000 and 'The Great Thief of Valley'. It has been active since at least 2022 and is notable for running a multi-purpose operation that adapts to the target, whereas many attack groups are motivated by financial gain alone.

Targeted Phishing Attacks Against India
The targeted phishing emails sent to Indian recipients carry PDF attachments that appear to be official documents about the recipient's taxes. When the recipient opens the PDF, they are redirected to a malicious website, from which they download a ZIP file named "tax affairs.zip".

The ZIP file contains an NSIS installer posing as a legitimate tax-related application. The installer drops a legitimate, trusted executable (Thunder) alongside a malicious DLL and relies on DLL sideloading: the trusted binary loads the attacker's DLL from its own directory. Because the running process is a legitimate application, the malicious code avoids immediate detection by security tools.

From Loader to Continued Access
The first step toward continued access is loading the malicious DLL. The DLL disables Windows Update, runs environment checks to evade sandboxes, and executes a Donut-based shellcode loader. The ValleyRAT payload is then injected into an idle explorer.exe process, so the malware's activity blends in with normal system-generated activity.

ValleyRAT is plugin-driven, which gives the attackers flexibility in deploying specific functionality such as keystroke logging, credential theft, clipboard monitoring and reconnaissance of the local host. Persistence relies on registry-based plugins, and command-and-control communication is deliberately delayed, so the malware survives reboots while keeping a low profile.

Fake Software Websites and SEO Poisoning
In addition to phishing emails, Silver Fox also makes use of SEO poisoning. Investigators from NCC Group uncovered that the group uses an exposed link-management tool that tracks how victims respond to its fake download pages. The pages mimic legitimate applications such as Microsoft Teams, Signal, VPN clients, Telegram and other productivity software.

Telemetry from the link-management tool indicates that hundreds of users worldwide downloaded these applications through the pages. Most were in China, but many were in the USA, Hong Kong, Taiwan, Australia and elsewhere, indicating a genuinely global operation.

The installers distributed from these pages add Microsoft Defender exclusions, create scheduled tasks for persistence, and then retrieve the ValleyRAT backdoor from attacker-controlled infrastructure.
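The behaviours described above (an unsigned DLL sideloaded from the trusted application's own directory, a Defender exclusion being written, a scheduled task created for persistence, and a remote thread created in explorer.exe) are each visible in standard endpoint telemetry. The script below is an added example, not code from the original report or from CloudSEK or NCC Group: it encodes those four behaviours as detection rules and runs them over a handful of constructed Sysmon-style events written as key=value lines. The file names, paths and registry values in the sample are illustrative assumptions, not indicators from the campaign.

```python
"""Detection rules for the Silver Fox infection chain described on this page,
run over constructed Sysmon-style events (added example, not the report's code)."""
import ntpath
import re
from dataclasses import dataclass

# key=value pairs; the value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry. Assumption: names like "Thunder.exe" and
# "helper.dll" are placeholders chosen for illustration, not real IOCs.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\tax affairs\\Thunder.exe" ParentImage="C:\\Users\\u\\Downloads\\tax affairs.exe" CommandLine="Thunder.exe"',
    'EventID=7 Image="C:\\tax affairs\\Thunder.exe" ImageLoaded="C:\\tax affairs\\helper.dll" Signed=false',
    'EventID=7 Image="C:\\tax affairs\\Thunder.exe" ImageLoaded="C:\\Windows\\System32\\kernel32.dll" Signed=true',
    'EventID=13 Image="C:\\tax affairs\\Thunder.exe" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\tax affairs" Details="DWORD (0x00000000)"',
    'EventID=1 Image="C:\\Windows\\System32\\schtasks.exe" ParentImage="C:\\tax affairs\\Thunder.exe" CommandLine="schtasks /create /sc onlogon /tn Updater /tr C:\\tax affairs\\Thunder.exe"',
    'EventID=8 SourceImage="C:\\tax affairs\\Thunder.exe" TargetImage="C:\\Windows\\explorer.exe" StartAddress=0x000001A2B3C40000',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
]


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def rule_dll_sideload(ev):
    # Sysmon EventID 7 = image loaded. Flag an unsigned DLL loaded from the host
    # process's own directory when that directory is outside C:\Windows.
    if ev.get("EventID") != "7" or ev.get("Signed", "").lower() != "false":
        return False
    host_dir = ntpath.dirname(ev.get("Image", "")).lower()
    dll_dir = ntpath.dirname(ev.get("ImageLoaded", "")).lower()
    return host_dir == dll_dir and not dll_dir.startswith("c:\\windows")


def rule_defender_exclusion(ev):
    # EventID 13 = registry value set. Any write under the Defender Exclusions key.
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == "13" and "\\windows defender\\exclusions\\" in target


def rule_scheduled_task(ev):
    # EventID 1 = process creation. schtasks.exe invoked with /create.
    return (ev.get("EventID") == "1"
            and ntpath.basename(ev.get("Image", "")).lower() == "schtasks.exe"
            and "/create" in ev.get("CommandLine", "").lower())


def rule_explorer_injection(ev):
    # EventID 8 = CreateRemoteThread. A thread created in explorer.exe by another image.
    if ev.get("EventID") != "8":
        return False
    target = ntpath.basename(ev.get("TargetImage", "")).lower()
    source = ntpath.basename(ev.get("SourceImage", "")).lower()
    return target == "explorer.exe" and source != "explorer.exe"


RULES = {
    "dll_sideload": rule_dll_sideload,
    "defender_exclusion": rule_defender_exclusion,
    "scheduled_task_persistence": rule_scheduled_task,
    "explorer_injection": rule_explorer_injection,
}


@dataclass(frozen=True)
class Finding:
    rule: str
    index: int   # position of the matching event in the input
    image: str   # process responsible for the behaviour


def detect(lines):
    """Run every rule over every event; return the findings in input order."""
    findings = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                findings.append(Finding(name, i, ev.get("Image") or ev.get("SourceImage", "")))
    return findings


def chain_score(findings):
    """Number of distinct chain stages observed; several together is a much stronger signal than any one alone."""
    return len({f.rule for f in findings})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] event #{f.index}: {f.image}")
    print("chain stages observed:", chain_score(found))
```

Each rule on its own will produce benign hits (software installers legitimately create scheduled tasks, and some unsigned DLLs are loaded from application directories), which is why the score counts distinct stages: a single host showing a sideload, a Defender exclusion write, a new scheduled task and a remote thread in explorer.exe within a short window is far harder to explain innocently than any one of them.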

Attribution has been further complicated by Silver Fox's recent use of false flags: the Teams-themed lure sites are styled to look like the work of Russia-linked actors, a ploy intended to delay attribution and hinder the incident response of affected organizations.

Importance of the Campaign
Silver Fox's operations show how modern threat actors amplify traditional malware techniques with web manipulation and the abuse of legitimate software: tax-themed phishing lures, SEO poisoning and modular malware delivered through multiple channels, all of which raise the odds of success against non-technical individuals and businesses alike.

For organizations doing business in India and elsewhere, this campaign reaffirms that phishing remains one of the most reliable ways for attackers to gain initial access to sensitive information, particularly when it is combined with trusted brand names and the abuse of legitimate software.

Source: The Hacker News

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067