Chinese Malware Delivery Domains: Part III

The SilverFox actor has conducted a large-scale, ongoing malware delivery campaign since June 2023, primarily targeting Chinese-speaking users with Windows-specific malware through fake applications and spoofed login pages. The actor’s operations have evolved to include anti-automation defenses and increased server distribution, with over 2,800 domains created and 266 active domains as of June 2025. #SilverFox #googeyxvot #yeepays #coinbaw

Keypoints

  • The SilverFox actor has created more than 2,800 domains since June 2023, using fake app download sites and spoofed login pages to distribute Windows malware.
  • Lures include fake Gmail login pages, fake Alipay checkout pop-ups, and fake cryptocurrency exchange sites such as coinbaw[.]vip.
  • Operational changes include adding anti-automation and browser emulation code, reducing site tracker services, increasing server distribution, and using discreet registration details.
  • Malicious files include executables such as svchost.13.exe, which acts as a downloader, and XOR-encrypted payloads; these are delivered via malicious .msi and .zip installers.
  • Domain registration and resolution activities mostly occur during Chinese working hours, indicating possible coordinated human and automated activity.
  • The campaign likely aims at credential theft and financial fraud, and possibly at access brokering, given its targeting of Chinese-speaking sales and marketing professionals.
  • Recommended defenses include browser protection features, user awareness training, enhanced email/web gateway security, endpoint detection and response, network monitoring, and enforcing MFA.
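The working-hours observation above is a simple temporal analytic: convert each registration or resolution timestamp to the actor's presumed local time zone and bucket it. The following is an added example written for this summary, not code from the DomainTools post; the timestamps are constructed, and the 09:00-17:59 Monday-to-Friday definition of "working hours" is an assumption.

```python
"""Bucket domain-registration timestamps into Chinese working hours.

Added example (not from the DomainTools post). Asia/Shanghai is UTC+8 with no
daylight saving, so a fixed offset is used to avoid a tz-database dependency.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))   # China Standard Time, fixed offset
WORK_HOURS = range(9, 18)            # assumption: 09:00-17:59 local time

# Constructed ISO-8601 UTC timestamps, standing in for a WHOIS/RDAP export.
SAMPLE_EVENTS = [
    "2025-06-02T01:12:00Z",  # Mon 09:12 CST
    "2025-06-02T03:40:00Z",  # Mon 11:40 CST
    "2025-06-03T06:05:00Z",  # Tue 14:05 CST
    "2025-06-03T08:30:00Z",  # Tue 16:30 CST
    "2025-06-04T18:45:00Z",  # Thu 02:45 CST (off hours)
    "2025-06-07T05:00:00Z",  # Sat 13:00 CST (weekend)
]


def to_local(ts: str) -> datetime:
    """Parse an ISO-8601 UTC string (trailing 'Z') and shift it to CST."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(CST)


def classify(ts: str) -> str:
    """Return 'working', 'off_hours' or 'weekend' for one timestamp."""
    local = to_local(ts)
    if local.weekday() >= 5:          # Saturday=5, Sunday=6
        return "weekend"
    return "working" if local.hour in WORK_HOURS else "off_hours"


def summarize(events=SAMPLE_EVENTS):
    """Counts and fractions per bucket, plus a per-local-hour histogram.

    A strong skew toward 'working' is consistent with a human operator in
    UTC+8; a flat 24-hour histogram would point to unattended automation.
    """
    total = len(events)
    buckets = Counter(classify(e) for e in events)
    summary = {k: (v, round(v / total, 2)) for k, v in buckets.items()}
    by_hour = Counter(to_local(e).hour for e in events)
    return summary, by_hour


if __name__ == "__main__":
    summary, by_hour = summarize()
    print(summary)
    for hour in sorted(by_hour):
        print(f"{hour:02d}:00 {'#' * by_hour[hour]}")
```

Run against a real export, the per-hour histogram is the more useful output: the bucket fractions depend on the working-hours assumption, while a clear daytime peak in UTC+8 stands on its own.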

MITRE Techniques

  • [T1071] Application Layer Protocol – The actor uses HTTPS downloads from malicious domains to fetch payloads, e.g., “retrieving a file from URL https[:]//ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt”.
  • [T1105] Ingress Tool Transfer – The downloader executable svchost.13.exe fetches additional components from remote servers (“acts as a downloader, fetching a file…”).
  • [T1204] User Execution – Delivery relies on user interaction with fake login pages and prompts to download and run malicious files (“any input on its fake login page triggers a deceptive browser incompatibility error, prompting a malicious update download”).
  • [T1566] Phishing – Use of fake Gmail login pages, fake Alipay checkout pop-ups, and fake cryptocurrency exchange sites to trick users into entering credentials or installing malware.
  • [T1497] Virtualization/Sandbox Evasion – The addition of anti-automation and browser emulation code to hinder site scanners demonstrates evasion tactics (“anti-automation and browser emulation checks”).

Indicators of Compromise

  • [Domain] Malware delivery and phishing sites – googeyxvot[.]top, yeepays[.]xyz, coinbaw[.]vip
  • [File Hash] Malicious MSI installers and executables – svchost.13.exe SHA256: f1b6d793331ebd0d64978168118a4443c6f0ada673e954df02053362ee47917b, flashcenter_pl_xr_rb_165892.19.exe SHA256: 1c957470b21bf90073c593b020140c8c798ad8bdb2ce5f5d344e9e9c53242556
  • [File Hash] Malicious payload text file – SHA256: e9ba441b81f2399e1db4b86e1fe301aaf2f11d3cf085735a55505873c71cbc6f
  • [File Name] Malicious executable – “收银台权限.exe” downloaded from yeepays[.]xyz with SHA256: 21a0b62adc71b276a5bc8a3170ab6e315ac2c0afe8795cfeade8461f00a804d2

Read more: https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii/