Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware

Since early 2025, China-based intrusion set Silver Fox has combined APT-style operations (using modular backdoors like ValleyRAT and HoldingHands) with opportunistic financially motivated campaigns across South Asia. The group evolved delivery from malicious PDFs and DLL side-loading to abusing a misconfigured Chinese RMM tool and a compiled Python stealer that exfiltrates data to xqwmwru[.]top. #SilverFox #ValleyRAT

Keypoints

  • Silver Fox (aka Void Arachne) pivoted from purely financial campaigns to a dual model combining APT-like espionage and profit-driven operations since 2024–2025.
  • The group’s primary modular backdoor is ValleyRAT (aka Winos); despite the ValleyRAT builder leak in March 2025, Silver Fox continued to use and extend it with sophisticated plugins and kernel-mode components.
  • Delivery mechanisms evolved across three waves (2025–2026): tax-themed PDF attachments with DLL side-loading, abusing a legitimate but misconfigured Chinese RMM tool, and a compiled Python stealer masquerading as WhatsApp.
  • Campaigns used culturally relevant tax/payroll lures and SEO poisoning to broaden victimology across Taiwan, China, Japan, Malaysia, Indonesia, Singapore, Thailand, the Philippines, and India.
  • Silver Fox abused a Microsoft-signed driver (amsdk.sys) to bypass the Vulnerable Driver Blocklist and deployed kernel-mode rootkits for persistence and stealth.
  • Indicators include multiple phishing domains, RMM-dropping archive hashes, C2 IPs and domains (e.g., xqwmwru[.]top), and distinct on-disk artefacts like C:\WhatsAppBackup\WhatsAppData.zip.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Used to deliver malicious PDFs that trigger the infection chain (“…the campaign impersonating national taxation authorities… open the PDF file the execution of malicious payload begins”).
  • [T1566.002] Spearphishing Link – Phishing emails embedding links to fake tax websites that prompt victims to download archives or executables (“…embedded the link to the fake Tax phishing website in the mail body”).
  • [T1189] Drive-by Compromise (SEO poisoning) – SEO poisoning to drive traffic and distribute payloads via malicious ads/Telegram (“…SEO poisoning via gaming or AI-related applications, or fake VPN software”).
  • [T1574.002] DLL Side-Loading – DLL side-loading was used to execute ValleyRAT from malicious PDFs (“…deliver ValleyRAT using DLL side-loading”).
  • [T1218] Signed Binary Proxy Execution – Abuse of a Microsoft-signed driver (amsdk.sys) to bypass driver blocklists and evade detection (“…abuse of a Microsoft-signed driver, amsdk.sys, to bypass Microsoft Vulnerable Driver Blocklist”).
  • [T1014] Kernel Modules and Extensions – Deployment of a kernel-mode rootkit for persistence and intelligence collection (“…using kernel-mode rootkit likely for intelligence collection”).
  • [T1041] Exfiltration Over C2 Channel – Stealer uploads collected artefacts to HTTP(S) endpoints on its C2 (e.g., “https://xqwmwru[.]top/upload_large.php”) (“…collects multiple artefacts of interest on the infected device and uploads them to its C2 that is xqwmwru[.]top”).

Indicators of Compromise

  • [Domains] phishing and C2 infrastructure – googlevip[.]icu, xqwmwru[.]top, and many other phishing domains (see list of dozens of domains in report).
  • [IP Addresses] hosting and C2 servers – 154[.]201[.]87[.]75 (phishing website), 154[.]201[.]87[.]124 (C2), and Annex 2 list of multiple IPv4 addresses including 45[.]119[.]55[.]66.
  • [File Hashes] archives dropping RMM tool – example hash 055c3fff8f1f58a41e7571b9bd7ebf4b1b10ba5231f1ffbcb47e0307d7ff6072, 06ecf34ecf1f3f56a1760b8757b978d6bd859adcf699af4adfbeb0982e41282a, and 20+ additional hashes listed.
  • [Filenames / Executables] dropped payload names and installers – python311.dll, 查看10.exe, and RMM filename pattern “[ipv4]ClientSetup.exe” (example: 45.119.55[.]66ClientSetup.exe).
  • [URLs / Endpoints] stealer C2 endpoints – https://xqwmwru[.]top/upload_large.php, https://xqwmwru[.]top/upload_status.php, and https://xqwmwru[.]top/admin/login.php.
  • [On-host artefacts] file paths and artifacts left by stealer – C:\WhatsAppBackup\WhatsAppData.zip and %TEMP%\whatsapp_backup.lock.
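A defender-side triage helper, added here as an example and not part of the Sekoia report: it refangs the indicators listed above and matches them, together with the “[ipv4]ClientSetup.exe” naming pattern and the stealer's on-host artefacts, against a few constructed proxy and EDR log lines (the log format and hostnames are assumptions, not taken from the report).

```python
import re
from typing import Dict, List

# Indicators as listed in the summary above, kept defanged ("[.]") on purpose.
DEFANGED_DOMAINS = ["googlevip[.]icu", "xqwmwru[.]top"]
DEFANGED_IPS = ["154[.]201[.]87[.]75", "154[.]201[.]87[.]124", "45[.]119[.]55[.]66"]
HOST_ARTEFACTS = [r"C:\WhatsAppBackup\WhatsAppData.zip", "whatsapp_backup.lock"]
# RMM installer naming pattern "[ipv4]ClientSetup.exe" described in the report.
RMM_INSTALLER_RE = re.compile(
    r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}ClientSetup\.exe", re.IGNORECASE)

# Constructed sample log lines (not from the report) in an assumed key=value format.
SAMPLE_LOGS = [
    "2025-06-01T09:12:03Z proxy user=alice dst=xqwmwru.top uri=/upload_large.php method=POST",
    "2025-06-01T09:13:44Z edr host=WS01 file_create path=C:\\WhatsAppBackup\\WhatsAppData.zip",
    "2025-06-01T09:15:10Z edr host=WS01 process=45.119.55.66ClientSetup.exe parent=explorer.exe",
    "2025-06-01T09:16:00Z proxy user=bob dst=update.example.com uri=/ method=GET",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into its matchable form."""
    return ioc.replace("[.]", ".")


def classify_line(line: str) -> List[str]:
    """Return the indicator tags that fire on one log line (empty list = clean)."""
    hits: List[str] = []
    lower = line.lower()
    for domain in DEFANGED_DOMAINS:
        if refang(domain) in lower:
            hits.append(f"domain:{domain}")
    for ip in DEFANGED_IPS:
        # Boundary guards so 154.201.87.7 does not match 154.201.87.75.
        if re.search(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])", line):
            hits.append(f"ip:{ip}")
    for artefact in HOST_ARTEFACTS:
        if artefact.lower() in lower:
            hits.append(f"artefact:{artefact}")
    if RMM_INSTALLER_RE.search(line):
        hits.append("rmm-installer-name")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their hits, skipping lines with none."""
    return {n: h for n, h in ((n, classify_line(l)) for n, l in enumerate(lines, 1)) if h}


if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOGS).items():
        print(number, tags)
```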


Read more: https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/