The Silver Fox APT group employs a sophisticated, hybrid distribution strategy to maximize the reach of their custom-built ValleyRAT trojan, primarily aimed at Chinese-speaking victims. Rather than relying on a singly infection method, the group employs a multi-medium strategy to achieve both precision and scale.

On one front, Silver Fox executes highly targeted phishing operations, carefully timed to coincide with regional tax deadlines in Southeast Asia. Simultaneously, they operate widespread malvertising campaigns intended to infect Chinese-speaking users seeking to download trusted utilities such as Zoom, ToDesk and Notepad++. This duality enables the group to pursue specific high-value targets while passively accumulating a broader victim pool.

This blog analyses the technical, multi-stage infection chains observed in recent attacks – ranging from opportunistic infections via trojanised installers to targeted corporate tax -themed phishing.  

Casting a Wide Net: Opportunistic Infection via Watering Hole Attacks

Silver Fox has conducted multiple watering hole attacks since 2023, weaponising trusted brands to deliver their final-stage payload, ValleyRAT. These campaigns leverage trojanised installers impersonating widely used applications, promoted via malicious advertisements (malvertising) for opportunistic, widespread infection.

Infection Chain 1: The Trojanised Zoom Installer

Initially, we observed Silver Fox pushing trojanised versions of the Zoom installers; resulting in a multi-stage infection flow to deploy the final ValleyRAT payload.

During its installation process, the dropped MSI file loads a malicious DLL file, EnumW.dll (c23b2ca4318d65734d545de49623c158b7f995cfaf627ab57fff5ef836dc2975).

Upon being loaded, EnumW.dll drops multiple encrypted files to %Programdata%\Data_Xowlls\temp_data_{1-55}, and subsequently decrypts each file via a custom XOR routine and concatenates the decrypted data into an archive file; ProgramData%\emoji.dat (0be98eebe044dab704e435a1cd71f348e31508b8c423e7bc09ba84f113a000d1).

The malware then extracts the contents of this archive; a collation of benign system files, shellcode, and a malicious DLL. 

It then executes the legitimate file edr09.exe, which is vulnerable to DLL sideloading, to load the malicious file vsdtdib.dll. The DLL drops another archive file, C:\Users\{user}\resource.dat:

Subsequently, it reads the shellcode from C:\Users\{user}\zndiouasnd{9 random number}\emjio.tmp and creates the following registry:

• Key: HKCU\Software\DeepSer
  • Data: OpenAi_Service
    • Value:  %appdata%\Nxonq1284_QUC\rhabarbaric.exe
  • MyData
    • Value: {shell code}
  • Onload1
    • Value: C:\Users\{user}\zndiouasnd{9 random number}\edr09.exe

To establish persistence, the payload modifies the Startup registry value in  “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup” to “C:\ProgramData\Venlnk\”. This ensures its components are automatically executed at startup.

It subsequently drops the following LNK file; C:\ProgramData\Venlnk\GooglUpdata.lnk – a shortcut LNK that executes %appdata%\Nxonq1284_QUC\rhabarbaric.exe.

Finally, the malware creates an explorer.exe process in a suspended state and injects the malicious shellcode stored in the registry (HKCU\Software\DeepSer\MyData) via process hollowing.

This complex chain results in the delivery and execution of the final-stage payload, ValleyRAT, which then attempts to establish connection to the attacker-controlled C2 server (154.82.85[.]102:5178).

Infection Chain 2: The Malicious ToDesk Installer

In another campaign, we observed the delivery of ValleyRAT via a trojanised installer for ToDesk, a remote desktop application popular in Chinese-language communities. The use of this software and phishing content written in Simplified Chinese indicates this campaign specifically targeted Chinese-speaking users.

Upon execution, the malware runs the following commands to exclude its directories from antivirus scanning and to execute a malicious DLL:

cmd.exe /C powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath C:\, D:\;

rundll32.exe  C:\Users\infect_Win7\AppData\Roaming\TrustAsia\intel.dll,DllRegisterServer

The malicious DLL (intel.dll – 5515b1dd851a6817b1923116bcb5cda3d23e7eec) reads shellcode from a local configuration file (Config2.json or Config.json) in the current directory and proceeds to attempt connection to  161.248.15[.]109:18852 to retrieve the final payload. Notably, we observed intel.dll signed by 湖南南澳网络科技有限公司; an organisation repeatedly associated with infrastructure serving other malware strains, such as PlugX and malicious Android Package Kit (APK) files.

The C2 server responds with a shellcode that contains the final payload, ValleyRAT.

Upon retrieval and execution, ValleyRAT establishes connection to its primary C2 (161.248.15[.]109:5050) and awaits further commands from the actor.

Infection Chain 3: Notepad++

Most recently, we tracked an ongoing campaign delivering ValleyRAT via a trojanised Notepad++ installer. Whilst the language options indicate continued targeting against Chinese-speaking audiences, we observe via the availability of English as well as telemetry data that the infrastructure associated with the active campaign has reached international audiences.

Silver Fox’s Regional Tax Tour

In parallel, during our routine threat hunting for active phishing campaigns targeting Hong Kong citizens, we uncovered a more deliberate strategy behind ValleyRAT distribution. Differing from the wide-net, opportunistic approach seen with the trojanised Zoom and ToDesk installers, this vector demonstrated a level of precision and forethought indicative of a more sophisticated operation.

Instead of targeting individual users, these campaigns were meticulously crafted to infiltrate specific corporate entities. By spoofing regional government tax authorities and creating highly convincing lures themed around urgent tax compliance matters, Silver Fox aimed its attacks directly at employees in finance or compliance roles. This tactic was designed to pressure these specific personnel into taking immediate action, effectively bypassing typical user skepticism and leading directly to the compromise of high-value corporate networks for the likely purpose of espionage or financial theft.

Infection Chain 4: The Tailored Tax Lures

In October 2025, Silver Fox actively spoofed the Hong Kong Inland Revenue Department (HKIRD), which led us to identify additional phishing sites impersonating Singapore’s Inland Revenue Authority (IRAS). Notably, both sets of sites were  hosted via the same IP address 154.9.24[.]93, suggesting a coordinated campaign operating within the same attack window.

Victims were directed to these sites via phishing emails containing a PDF claiming in the country’s native language: “Translated: This notice informs you that your company must complete all compliance matters required by the above notice within three [3] days of receiving this letter”.

Clicking on the embedded link directs the victim to their malicious domain (hxxp[:]//zhenkinyszd[.]host), which then redirects the victim to a Chinese cloud storage platform, vip.123pan[.]cn.

The victim downloads the shared archive file (7e5552daba7a05f26ee5ac22d22ff09f8087d8cf63e2e972d7235e31237b9a24), which contains the ValleyRAT malware binary disguised as   “審核通告.exe (translated: audit.exe)” (af95ba66cde0562bbe69a4fef1e37916f2e1e6226f98052c9044732ca423eb08).

The Payload: A Closer Look at ValleyRAT

The primary payload delivered in these campaigns is ValleyRAT (a.k.a. WinOS), a multi-stage Windows-based Remote Access Trojan (RAT). First observed in early 2023, ValleyRAT has undergone multiple enhancements, exhibiting advanced evasion mechanisms and several functions for full system control. ValleyRAT is reported to be developed and exclusively used by the Silver Fox APT group to facilitate long-term persistence and data exfiltration.

The malware leverages a multi-layered infection chain, evidenced above, to maximise stealth. Once executed, ValleyRAT establishes a connection to its C2 servers, and extracts the following system information:

• /config/info
• /api/encrypt/_rsa_public_key
• /api/filedistribution/_file_distribution_by_uid
• /api/encrypt/_secret_key
• /operation/terminal_load
• /terminal/info
• /flow/is_approver
• /flow_task_notice/_real_notice_by_uid
• /work_order_notice/_all_notice_by_user
• /task_manager/_all_task_manager_pending
• /config/info
• /monitor/record
• /terminal/basicinfo
• /terminal/packedinfo
• /app/iconset

With an established foothold, it grants the attacker extensive control over the compromised host, including:

• Reconnaissance: Harvesting system information, user lists, and installed software.
• Keylogging: Taking screenshots, screen recording, and capturing keystrokes.
• File Manipulation: Uploading, downloading, and executing further payloads.
• Persistence: Modifying registry keys to ensure the malware survives reboots.
• C2 Communication: Communicating with Command and Control servers via HTTP/TCP sockets to receive instructions.

A snippet of its backdoor commands is provided below:

Outlook: Predicting Silver Fox’s Next Moves

From mid-November to the end of December 2025, we observed Silver Fox’s tax lures reach a new audience; India. This was discovered via the registration of cbicgov[.]com, a domain impersonating the Indian tax department, hosted on an IP (192.151.255[.]215) historically used for Hong Kong tax-themed phishing domains (e.g., irdtci.hk.cn). Public reporting of these attacks confirmed that Silver Fox reused the lure of company tax compliance issues, with phishing content written in Hindi.

This pattern led to our hypothesis that the timing of Silver Fox’s country-specific campaigns is highly intentional and closely aligned with local tax deadlines. Backtracking to early 2025, Taiwan was the first reported target of this “Regional Tax Tour”.[1] Taiwanese organisations were hit with similar “subject to tax audit” notifications in January 2025, which closely aligned with the peak period for closing out the previous year’s books. History has since repeated itself, with Taiwanese organisations again facing the tax-themed traps in January 2026.[2]

Based on the statutory tax calendars of major APAC economies, we hypothesised earlier this year that Silver Fox would likely pivot their infrastructure to target (or re-target) Taiwan, Japan, Indonesia, and/or South Korea in the first half of 2026. This has already been the case in terms of Taiwan, leading us to further hypothesise that previously hit locales such as Singapore, Hong Kong, and India are most likely face (repeated) targeting as the next round of deadlines approach. Defenders in these locales should heighten vigilance and raise user awareness of tax-related phishing attempts in the months prior to key taxation deadlines.

On the flipside, we observe via our continuous tracking and open-source reporting that Silver Fox’s watering hole attacks persist, with a plenitude of brands serving as their trojan horse for infection. We anticipate that Silver Fox will routinely launch opportunistic campaigns to passively widen their victim base, broadly focusing on Chinese-speaking audiences in Southeast Asia.

On the flipside, we observe via our continuous tracking and open-source reporting that Silver Fox’s watering hole attacks persist, with a plenitude of brands serving as their trojan horse for infection. We anticipate that Silver Fox will routinely launch opportunistic campaigns to passively widen their victim base, broadly focusing on Chinese-speaking audiences in Southeast Asia.

Conclusion

Silver Fox’s latest campaign demonstrates a notable evolution in their operational maturity and flexibility. The group operates a dual-pronged distribution strategy to meet diversified objectives.

The tax-themed phishing campaigns represent a highly targeted, intelligence-driven approach. They are carefully timed to coincide with regional tax deadlines, localized in native languages, and aimed at finance and compliance personnel within specific geographies. This precision suggests a primary objective of espionage and data exfiltration from organisations of strategic interest.

In contrast, the concurrent distribution of ValleyRAT via trojanized Zoom and ToDesk installers reflects a more opportunistic, wide-net strategy. By leveraging malvertising and popular software lures, Silver Fox casts a broader net, indiscriminately compromising victims who are simply seeking to download legitimate applications. This opportunistic vector points to secondary motives that may include financial gain through credential theft, cryptocurrency mining, or the sale of access to compromised networks.

The coexistence of these two distinct approaches demonstrates Silver Fox’s operational flexibility. It serves as a critical reminder for defenders that threat actor motives can be multifaceted. Organisations must recognize that even if they are outside a group’s apparent geographic or industrial focus for targeted attacks, they may still fall victim through the more indiscriminate malvertising vector.

Recommendations

Preventive

• Harden Email Gateway: enforce SPF/DKIM/DMARC, enable URL rewriting and sandboxing for attachments, and block or sandbox MSI/EXE attachments.

• User Awareness: Finance and HR departments in the forecasted regions should be briefed on the common reuse of tax and “Urgent Compliance” themes, including advice on how to verify links, and how may they report suspected phishing emails. Consider running tailored phishing simulation tests two-months prior to key tax deadlines.

• Brand Reputation Monitoring: conduct 24×7 young domain monitoring to proactively uncover potential phishing campaigns impersonating your organisation.

Detective

• Security Operations Centre (SOC) Monitoring: Perform 24×7 SOC monitoring to detect for anomalous behavioural patterns such as unauthorised software installations, outbound traffic to untrusted cloud storage platforms, DLL sideloading and/or process hollowing attempts, etc.

• Endpoint Hardening: Ensure EDR solutions are configured to flag the specific process hollowing techniques (e.g., injections into explorer.exe) and registry modifications (User Shell Folders) detailed in this report.
  • For example,  Alert on process hollowing, creation of suspended explorer.exe, and unusual DLL sideloading (e.g., edr09.exe → vsdtdib.dll). Hunt for registry keys: HKCU\Software\DeepSer and Startup path changes to C:\ProgramData\Venlnk\.
  • Detect LNK files in C:\ProgramData that execute AppData binaries (e.g., GooglUpdata.lnk → rhabarbaric.exe).

• Network Security: Monitor outbound connections to unusual TCP ports and the C2 IPs above; flag long‑lived HTTP/TCP sessions and beaconing patterns.

• Security Information and Event Management (SIEM): Create SIEM queries for DNS requests to newly registered tax‑like domains and for downloads of .msi/.exe from external webmail or short URLs.

Indicators of Compromise

YARA Rules

rule Obfuscated_ValleyRat
{
  meta:
    author = "PwC Darklab"
    description = "Detects the obfuscation use by the SilverFox malware"
    hash1="af95ba66cde0562bbe69a4fef1e37916f2e1e6226f98052c9044732ca423eb08"
    hash2="c23b2ca4318d65734d545de49623c158b7f995cfaf627ab57fff5ef836dc2975"
    target_entity = "file"
  strings:
    $a1 = "Reconsider your life choices"
    $a2 = "Stop reversing the binary"
    $a3 = "And go touch some grass"
    //dummy funcs
    $b1 = {CC CC CC CC B0 02 C3 CC CC CC CC}
    $b2 = {CC CC CC CC 32 C0 C3 CC CC CC CC} 
    $b3 = {CC CC CC CC B0 03 C3 CC CC CC CC}
    $b4 = {CC CC CC CC B0 06 C3 CC CC CC CC}
    $b5 = {CC CC CC CC B0 07 C3 CC CC CC CC}
    $b6 = {CC CC CC CC B0 09 C3 CC CC CC CC}
  condition:
    all of ($a*) or all of ($b*)
}

rule ValleyRat_Loader
{
  meta:
    author = "PwC Darklab"
    description = "Detects the ValleyRat Loader"
    hash1="2b2e3840daa587f5e3deca46ce2a5d6a5d5fb08a60445fb045b6bb29ed3a7094"
    hash2="c89b43e4cff3ad2d7cb7a80e5a929266d7614e4f21a03d0f7ab5ea6ea58ed69b"
    target_entity = "file"
  strings:
    $a1 = ",10231,109,112,46,97" //mutex
    $a2 = {5C 54 72 75 [0-10] 73 74 41 73 } //TrustAsia
    $a3 = {43 6F 6E 66 [0-10] 69 67 2E 6A } //Config.json
    $a4 = {43 6F 6E 66 [0-10] 69 67 32 2E } //Config2.json
    $b1 = "ZwCreateSection"
    $b2= "ZwMapViewOfSection"
    $b3= "CreateProcessA"
    $b4= "GetThreadContext"
    $b5= "SetThreadContext"
    $b6= "ResumeThread"
    //Software\DeepSer 
    $b7 = {53 00 6F 00 00 00 00 00 66 00 74 00 00 00 00 00
          77 00 61 00 72 00 00 00 65 00 5C 00 44 00 65 00
          65 00 70 00 00 00 00 00 53 00 65 00 72 00 00 00
          4D 00 79 00 44 00 61 00 74 00 61 00 00}
  condition:
    all of ($a*) or all of ($b*)
}

rule ValleyRat_Shellcode
{
  meta:
    author = "PwC Darklab"
    description = "Detects the ValleyRat Shellcode"
    hash1="38830f4c54f0caa60187e67c80e4e9dddf103d02fae8aae8fe9b43fcf08c4677"
    hash2="c250783846d5de0379e2da6286f554f516f2a3b7ce585c44036d2739be5d396e"
    target_entity = "file"
  strings:
    $a1 = "\\Release\\Code_Shellcode"
    $a2 = {81 EC 14 01 00 00 53 55 56 57 6A 6B 58 6A 65 66 89 84 24 CC 00 00 00 33 ED 58 6A 72 59 6A 6E 5B 6A} //forming kernel32 string
    $c1 ={48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 56 41 57 48 81 ec 00 05 00 00 33 ff 48 8b d9 39 b9 38 02 00 00 0f 84 ce 00 00 00 4c 8b 41 28 48 8b 91 88 00 00 00 e8} // start of shellcode
  condition:
    all of ($a*) or $c1
}

Further Information

We are committed to protecting our clients and the wider community against the latest threats through our dedicated research and the integrated efforts of our red team, blue team, incident response, and threat intelligence capabilities. Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.