Silver Fox, a Chinese-aligned advanced persistent threat group also known as Void Arachne, has executed a highly sophisticated phishing campaign against Indian organizations in December 2025 by impersonating official Income Tax Department communications. This Silver Fox cyber espionage operation represents the first confirmed instance of tax-themed phishing being attributed to the Silver Fox threat actor group, marking a significant tactical evolution in their targeting of Indian enterprises.
The Silver Fox attack campaign deploys the modular ValleyRAT malware through a carefully orchestrated multi-stage infection chain designed for stealth and persistence on compromised Windows systems. Silver Fox operatives utilize phishing emails carrying malicious PDFs crafted to resemble legitimate tax communications from India’s Income Tax Department. The Silver Fox ValleyRAT deployment leverages advanced techniques including registry-based persistence mechanisms, tiered command-and-control infrastructure with failover capabilities, and a plugin-driven architecture enabling credential theft, keylogging, and sophisticated defense evasion.
The Silver Fox Indian campaign specifically targets enterprise, finance, medical, and technology sectors across India, demonstrating the threat actor’s strategic focus on high-value organizations. The ValleyRAT malware deployed by Silver Fox utilizes Donut loaders, DLL hijacking, Windows Update disablement, and process hollowing techniques to maintain covert presence on victim systems. This Silver Fox operation underscores the group’s high operational maturity and evolving cyber-espionage capabilities targeting Indian critical infrastructure and sensitive sectors.
Silver Fox, the Chinese-aligned advanced persistent threat group, executed a highly refined phishing operation against Indian organizations by masquerading as legitimate correspondence from India’s Income Tax Department. This Silver Fox tax-themed phishing activity marks the first confirmed instance of tax-themed social engineering being attributed to the Silver Fox APT group, representing a significant tactical shift in their Indian targeting operations.
The Silver Fox operation unfolds as a carefully staged intrusion designed for stealth and long-term persistence on compromised Indian enterprise systems. Silver Fox operatives initiate the attack with convincing phishing emails carrying malicious PDFs meticulously crafted to resemble official tax communications from India’s Income Tax Department. When targeted Indian users open the Silver Fox phishing document, it silently initiates the download of a rogue executable named “tax affairs.exe” packaged as a Nullsoft Scriptable Install System installer, serving as the critical entry point for the Silver Fox ValleyRAT deployment.
From the initial Silver Fox compromise, the campaign escalates through a sophisticated multi-stage infection chain demonstrating advanced adversary tradecraft. The Silver Fox installer exploits DLL hijacking techniques within legitimate software to evade detection, strategically disables Windows Update functionality to weaken host defenses and prevent security patching, and deploys a Donut loader only after conducting extensive anti-analysis and anti-sandbox checks to ensure the Silver Fox malware is operating in a genuine victim environment rather than a security research sandbox.
The malware then uses process hollowing to inject the final ValleyRAT payload into legitimate Windows processes, concealing its presence from traditional security monitoring tools. Because the injected code runs inside trusted system processes, it executes in their security context.
At the core of the Silver Fox intrusion is ValleyRAT, a modular remote access trojan specifically engineered for persistence and operational adaptability. The Silver Fox ValleyRAT maintains covert communication with external command-and-control servers built with tiered infrastructure architecture and failover resilience capabilities, ensuring Silver Fox operators maintain persistent access even if primary C2 servers are disrupted or blocked.
ValleyRAT's plugin-based design lets Silver Fox operators deploy only the capabilities needed for each compromised Indian organization, including keylogging for credential capture, credential theft from browsers and applications, and advanced defense evasion techniques. This modularity gives sustained, flexible control over compromised systems while keeping the malware's footprint, and therefore its detection probability, low.
Continuously monitor for executable REG_BINARY values and anomalous entries under non-standard Windows registry paths such as HKCU\Console*, with particular scrutiny of keys written by user-level processes rather than trusted system components. Silver Fox uses registry-based persistence as a primary mechanism for maintaining long-term access to compromised Indian systems.
Correlate execution of signed executables launched from temporary or user-writable directories with the loading of unsigned local DLLs, particularly when followed by immediate thread creation or abnormal execution flow patterns characteristic of Silver Fox operations. This detection approach identifies Silver Fox DLL hijacking attempts used to execute ValleyRAT while evading application whitelisting and signature-based detection.
Alert on processes allocating PAGE_EXECUTE_READWRITE memory permissions followed by remote or local thread creation, especially when these suspicious actions occur inside normally benign processes such as explorer.exe. This detection strategy identifies Silver Fox process hollowing and in-memory payload staging techniques used to inject ValleyRAT into legitimate Windows processes.
Deploy endpoint detection and response tools specifically tuned to identify Silver Fox tradecraft including DLL sideloading and process injection attempts characteristic of ValleyRAT deployment. Monitor for suspicious persistence methods employed by Silver Fox including Windows services, scheduled tasks, and registry entries. Inspect network traffic for command-and-control activity patterns associated with Silver Fox ValleyRAT infrastructure, focusing on the tiered C2 architecture with failover capabilities used by this threat actor group.
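As an added example (not code from the original post or its authors), the three detection ideas above can be expressed as a small correlation over constructed Sysmon-style telemetry: a REG_BINARY write under HKCU\Console by a non-system process, a signed executable in a user-writable directory loading an unsigned DLL followed by thread creation, and a PAGE_EXECUTE_READWRITE allocation in another process followed by a thread in that process. Field names, the sample events and the time window are assumptions.

```python
import re

# Constructed sample telemetry loosely modelled on Sysmon events (field names are assumptions).
EVENTS = [
    {"id": 1, "type": "reg_set", "pid": 4120, "key": r"HKCU\Console\0x1a2b", "value_type": "REG_BINARY",
     "integrity": "Medium", "t": 100},
    {"id": 2, "type": "image_load", "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "image_signed": True, "dll": r"C:\Users\u\AppData\Local\Temp\version.dll", "dll_signed": False, "t": 101},
    {"id": 3, "type": "create_thread", "pid": 4120, "target_pid": 4120, "t": 102},
    {"id": 4, "type": "mem_alloc", "pid": 4120, "target_pid": 1337, "target_image": r"C:\Windows\explorer.exe",
     "protect": "PAGE_EXECUTE_READWRITE", "t": 103},
    {"id": 5, "type": "create_thread", "pid": 4120, "target_pid": 1337, "t": 104},
    {"id": 6, "type": "reg_set", "pid": 900, "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
     "value_type": "REG_BINARY", "integrity": "System", "t": 105},
]

USER_WRITABLE = re.compile(r"^C:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.I)
WINDOW = 5  # seconds allowed between the two halves of a two-step pattern (assumed)


def _followed_by_thread(events, i, target_pid):
    """True if the same source process creates a thread in target_pid within WINDOW."""
    first = events[i]
    return any(e["type"] == "create_thread" and e["pid"] == first["pid"]
               and e["target_pid"] == target_pid and 0 < e["t"] - first["t"] <= WINDOW
               for e in events[i + 1:])


def detect(events):
    """Return (rule, event id) pairs for the three behaviours; events must be time-ordered."""
    hits = []
    for i, e in enumerate(events):
        # Rule 1: binary blob written under HKCU\Console by a non-system process
        if (e["type"] == "reg_set" and e["value_type"] == "REG_BINARY"
                and e["key"].upper().startswith("HKCU\\CONSOLE") and e["integrity"] != "System"):
            hits.append(("registry_persistence", e["id"]))
        # Rule 2: signed exe in a user-writable dir loads an unsigned DLL, then creates a thread
        elif (e["type"] == "image_load" and e["image_signed"] and not e["dll_signed"]
                and USER_WRITABLE.match(e["image"]) and _followed_by_thread(events, i, e["pid"])):
            hits.append(("dll_sideload", e["id"]))
        # Rule 3: RWX allocation in another process followed by a thread created in that process
        elif (e["type"] == "mem_alloc" and e["protect"] == "PAGE_EXECUTE_READWRITE"
                and e["target_pid"] != e["pid"] and _followed_by_thread(events, i, e["target_pid"])):
            hits.append(("process_injection", e["id"]))
    return hits


if __name__ == "__main__":
    for rule, eid in detect(EVENTS):
        print(f"{rule}: event {eid}")
```

The system-integrity service write (event 6) is deliberately not flagged, matching the recommendation to focus on user-level writers rather than trusted components.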
SHA256 Hashes:
Malicious Domains:
C2 IP Addresses: