known as threat actor Silver Fox has turned its attention to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0).
“This sophisticated attack leverages a complex kill chain involving DLL hijacking and modular ValleyRAT to ensure persistence,” CloudSEK researchers Prajwal Awasthi and Kaushik Pal said in an analysis published last week.
Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name given to an aggressive cybercrime group from China that has been active since 2022.
It has a track record of conducting campaigns whose goals range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to its infiltration activity.
Focused primarily on Chinese-speaking individuals and organizations, Silver Fox’s victimology has expanded to include organizations working in the public, financial, medical, and technology sectors. Attacks by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of the GH0ST RAT, such as ValleyRAT, GH0STKING, and HoldingHands RAT (aka GH0STBins).
In the infection chain documented by CloudSEK, phishing emails containing fake PDFs purporting to be from the Income Tax Department of India are used to deploy ValleyRAT. Specifically, opening the PDF attachment redirects the recipient to the “ggwk[.]cc” domain, from where a ZIP archive (“Tax Affairs.zip”) is downloaded.
The archive contains a Nullsoft Scriptable Install System (NSIS) installer of the same name (“Tax Affairs.exe”), which, in turn, drops a legitimate executable associated with Thunder (“Thunder.exe”), a download manager for Windows developed by Xunlei, alongside a rogue DLL (“libexpat.dll”) that the signed binary sideloads from the same directory.
The DLL, for its part, disables the Windows Update service and acts as a conduit for the Donut loader, but not before performing various anti-analysis and anti-sandbox checks to ensure that the malware can run unhindered on the compromised host. The loader then injects the final ValleyRAT payload into a hollowed “explorer.exe” process.
ValleyRAT is designed to communicate with an external server and wait for further commands. It implements a plugin-oriented architecture that extends its functionality on demand, allowing its operators to deploy specialized capabilities for keylogging, credential harvesting, and defense evasion.
“Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK said. “On-demand module delivery enables targeted credential harvesting and monitoring tailored to the victim’s role and value.”
The disclosure comes as NCC Group said it has identified an exposed link management panel (“ssl3[.]space”) used by Silver Fox to track download activity for the malicious installers of popular applications, including Microsoft Teams, through which it deploys ValleyRAT. The service hosts information related to –
- Web pages hosting backdoored installer applications
- Number of clicks per day on the download button on a phishing site
- Cumulative number of clicks the download button has received since launch
Fake sites created by Silver Fox have been found impersonating CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QiQi, Sentiao, Signal, Sigua, Snipest, Sogou, Telegram, TwoDesk, WPS Office, and Youdao, among others. Analysis of the originating IP addresses that clicked the download link showed that at least 217 clicks came from China, followed by the US (39), Hong Kong (29), Taiwan (11), and Australia (7).
“Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communications tools, VPNs, and productivity apps,” researchers Dillon Ashmore and Asher Glu said. “These primarily target Chinese-speaking individuals and organizations in China, with infections expected by July 2025, and additional victims in Asia-Pacific, Europe and North America.”
Distributed through these sites is a ZIP archive that contains an NSIS-based installer responsible for configuring Microsoft Defender Antivirus exclusions, establishing persistence through scheduled tasks, and then contacting a remote server to fetch the ValleyRAT payload.
The findings match a recent report from ReliaQuest, which linked the hacking group to a false flag operation that mimicked a Russian threat actor in attacks targeting organizations in China using Teams-related lure sites, in an attempt to complicate attribution efforts.
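The two delivery chains above (a signed Thunder.exe sideloading an unsigned DLL from a user-writable directory, the Windows Update service being switched off, explorer.exe being spawned for hollowing, and an NSIS installer adding Defender exclusions and a scheduled task) all leave host telemetry that is easy to hunt for. The following is an added example, not tooling from CloudSEK, NCC Group or the article: it runs a handful of simple rules over constructed Sysmon-style events (EventID 1 ProcessCreate, 7 ImageLoad, 13 RegistryValueSet). The event field names, the registry paths used as indicators, and the parent-process heuristic for explorer.exe are assumptions that need tuning for a real environment.

```python
"""Hunt for ValleyRAT delivery tradecraft over constructed Sysmon-style events.

Added example, not CloudSEK's or NCC Group's tooling. Event shapes, registry
indicators and thresholds are assumptions; the sample events are constructed.
"""
from pathlib import PureWindowsPath

# Directories a signed, properly installed binary would normally load DLLs from.
# Temp, Downloads and %APPDATA% are user-writable and classic sideload staging.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Loader -> DLL names the article reports being sideloaded by it.
SIDELOAD_PAIRS = {"thunder.exe": {"libexpat.dll"}}

# Parents that legitimately start explorer.exe (assumed heuristic); anything
# else creating explorer.exe is a process-hollowing candidate.
EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _trusted(path):
    low = path.lower()
    return any(low.startswith(d) for d in TRUSTED_DIRS)


def check_event(ev):
    """Return (rule, detail) if the event matches a hunting rule, else None."""
    eid = ev["EventID"]
    if eid == 7:  # ImageLoad: unsigned DLL from an untrusted dir into a watched loader
        loader, dll = _base(ev["Image"]), ev["ImageLoaded"]
        if (_base(dll) in SIDELOAD_PAIRS.get(loader, set())
                and not _trusted(dll)
                and str(ev.get("Signed", "false")).lower() != "true"):
            return ("dll_sideload", f"{loader} loaded unsigned {dll}")
    elif eid == 13:  # RegistryValueSet
        target = ev["TargetObject"].lower()
        if "\\windows defender\\exclusions\\" in target:
            return ("defender_exclusion", ev["TargetObject"])
        # Start=4 (disabled) on the Windows Update service; mechanism assumed.
        if target.endswith(r"\services\wuauserv\start") and "0x00000004" in ev.get("Details", ""):
            return ("windows_update_disabled", ev["TargetObject"])
    elif eid == 1:  # ProcessCreate
        image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        cmd = ev.get("CommandLine", "").lower()
        if image == "schtasks.exe" and "/create" in cmd:
            return ("scheduled_task_persistence", ev["CommandLine"])
        if image == "explorer.exe" and parent not in EXPLORER_PARENTS:
            return ("explorer_untrusted_parent", f"explorer.exe spawned by {ev['ParentImage']}")
    return None


def hunt(events):
    """Run every rule over every event and collect the hits."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append({"rule": hit[0], "detail": hit[1]})
    return findings


def triggered_rules(events):
    return {f["rule"] for f in hunt(events)}


TMP = r"C:\Users\victim\AppData\Local\Temp"
# Constructed sample telemetry modelled on the chain in the article (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": TMP + r"\Tax Affairs.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": TMP + r"\Tax Affairs.exe"},
    {"EventID": 1, "Image": TMP + r"\Thunder.exe", "ParentImage": TMP + r"\Tax Affairs.exe",
     "CommandLine": TMP + r"\Thunder.exe"},
    {"EventID": 7, "Image": TMP + r"\Thunder.exe", "ImageLoaded": TMP + r"\libexpat.dll", "Signed": "false"},
    {"EventID": 7, "Image": TMP + r"\Thunder.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},  # benign load, must not fire
    {"EventID": 13, "Image": TMP + r"\Thunder.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start", "Details": "DWORD (0x00000004)"},
    {"EventID": 13, "Image": TMP + r"\Tax Affairs.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Local\Temp",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": TMP + r"\Tax Affairs.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "Updater" /tr "' + TMP + r'\Thunder.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ParentImage": TMP + r"\Thunder.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},  # normal logon, must not fire
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

Each rule on its own is noisy (administrators do add Defender exclusions and scheduled tasks); the signal is the combination on one host within a short window, with the sideload from a Temp directory as the anchor event.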
“Data from this panel shows hundreds of clicks from victims in mainland China and Asia-Pacific, Europe and North America, validating the scope of the campaign and the strategic targeting of Chinese-speaking users,” NCC Group said.