APT Profile – Silver Fox

Silver Fox has been active since at least 2019–2020 and has evolved into a highly adaptive, espionage-focused threat actor that combines customized malware, phishing, and the abuse of trusted software to gain long-term access. Its campaigns have expanded across the APAC region and beyond, targeting strategic sectors with tools such as ValleyRAT, Gh0st RAT, HoldingHands RAT, and ABCDoor.

Key points

  • Silver Fox has been active since at least 2019–2020 and remains highly active with evolving tactics and tooling.
  • The group targets government, critical infrastructure, enterprise, telecommunications, technology, defense-related, and other strategic organizations.
  • Recent campaigns use customized malware frameworks, loaders, and remote access tools to maintain persistent access.
  • Initial access often relies on spear-phishing attachments, spear-phishing links, malicious documents, and impersonation.
  • Silver Fox increasingly abuses trusted software ecosystems, update channels, and third-party service providers to deliver malware and evade defenses.
  • The actor emphasizes credential theft, privilege escalation, stealth, and multi-stage intrusion chains to expand access and sustain operations.
  • Its operational footprint has expanded across multiple countries in the APAC region, as well as countries outside it such as Russia and South Africa.

MITRE Techniques

  • [T1566.001] Phishing: Spear Phishing Attachment – Used to deliver malicious attachments to victims and gain initial access (‘spear-phishing campaigns, malicious attachments’).
  • [T1566.002] Phishing: Spear Phishing Link – Used to lure targets into opening weaponized links for compromise (‘spear-phishing campaigns’).
  • [T1204.002] User Execution: Malicious File – Victims are tricked into opening malicious files to trigger execution (‘weaponized documents’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Used for execution and persistence through scheduled tasks (‘Scheduled Task’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used to run commands during intrusion activity (‘Windows Command Shell’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used for execution and post-compromise activity (‘PowerShell’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Used to persist across reboots and logons (‘Registry Run Keys / Startup Folder’).
  • [T1546] Event Triggered Execution – Used to trigger malware or actions based on system events (‘Event Triggered Execution’).
  • [T1497] Virtualization/Sandbox Evasion – Used to evade analysis and detection in sandboxed environments (‘Virtualization/Sandbox Evasion’).
  • [T1027] Obfuscated Files or Information – Used to hide malware behavior and payload details (‘Obfuscated Files or Information’).
  • [T1016] System Network Configuration Discovery – Used to learn network settings and environment details (‘System Network Configuration Discovery’).
  • [T1082] System Information Discovery – Used to collect information about infected hosts (‘System Information Discovery’).
  • [T1113] Screen Capture – Used to capture screenshots from victim systems (‘Screen Capture’).
  • [T1115] Clipboard Data – Used to steal clipboard contents from compromised endpoints (‘Clipboard Data’).
  • [T1071.001] Application Layer Protocols: Web Protocols – Used for command-and-control traffic over web protocols (‘Web Protocols’).
  • [T1105] Ingress Tool Transfer – Used to transfer additional tools and payloads into the victim environment (‘Ingress Tool Transfer’).
  • [T1041] Exfiltration Over C2 Channel – Used to send stolen data out through command-and-control communications (‘Exfiltration Over C2 Channel’).

Indicators of Compromise

  • [Malware names] malware families associated with Silver Fox – ValleyRAT, Gh0st RAT, and 2 other items
  • [Threat actor aliases] alternate names used for the group – Void Arachne, SwimSnake, and 3 other items
  • [Targeted software / technologies] platforms and applications mentioned as targeted or abused – Sogou AI, Telegram, and 6 other items
  • [Countries] geographic targeting scope – Brunei, Cambodia, and 14 other items
  • [Network / protocol artifacts] command-and-control and transfer channels referenced – Web protocols, C2 channel

Read more: https://www.cyfirma.com/research/apt-profile-silver-fox/