Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware
Tuesday, December 30, 2025
What
The Silver Fox (aka Void Arachne) APT group is leveraging income tax lures in India and SEO poisoning globally to deploy ValleyRAT (aka Winos 4.0). This sophisticated attack uses DLL hijacking with legitimate executables and NSIS installers to achieve persistence and deliver a modular RAT capable of extensive surveillance and data exfiltration, highlighting a multi-pronged threat.
Where
Primarily India and Chinese-speaking individuals/organizations, but also public, financial, medical, and technology sectors globally, with observed clicks from the U.S., Hong Kong, Taiwan, Australia, Asia-Pacific, Europe, and North America.
When
Silver Fox has been active since 2022, with these campaigns and the ValleyRAT distribution recently disclosed by CloudSEK and NCC Group.
Key Factors
- Silver Fox is a Chinese APT group known for diverse motives including espionage, financial gain, and operational disruption, employing a multi-pronged approach against various sectors.
- The ValleyRAT distribution involves a complex kill chain utilizing income tax-themed phishing in India and SEO poisoning globally, delivering NSIS installers that leverage DLL hijacking with legitimate software like Thunder.exe.
- ValleyRAT is a modular remote access trojan with a plugin-oriented architecture, enabling capabilities like keylogging, credential harvesting, and defense evasion through registry-resident plugins and delayed beaconing.
Takeaways
- Organizations should educate users on phishing and SEO poisoning risks, and on verifying all software downloads and attachments from untrusted sources.
- Implement robust endpoint detection and response (EDR) solutions and ensure timely patching to mitigate DLL hijacking and prevent RAT persistence.
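As an added illustration of the DLL hijacking detection an EDR rule would perform (not code from the cited reports), the sketch below flags an unsigned DLL loaded from the same user-writable folder as a validly signed host executable. It assumes image-load telemetry with Sysmon Event ID 7 field names and that the host binary is validly signed; the records, paths, DLL names and the writable-directory list are constructed placeholders.

```python
import ntpath

# Directories a standard user can write to (assumed list; tune per environment).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed sample records using Sysmon Event ID 7 (ImageLoad) field names.
# Paths and DLL names are placeholders, not indicators from the reports.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\a\AppData\Local\Temp\app\Thunder.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\app\Thunder.exe",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\a\AppData\Local\Temp\app\Thunder.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\app\placeholder.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\a\AppData\Local\Temp\app\Thunder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

def is_valid_signed(ev):
    """True when the loaded image carries a signature that verified."""
    return ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"

def norm(path):
    """Case-fold and normalise a Windows path for comparison."""
    return ntpath.normcase(ntpath.normpath(path))

def find_sideload_candidates(events):
    """Flag unsigned DLLs loaded next to a signed host EXE in a user-writable folder."""
    # Pass 1: host executables whose own image-load record shows a valid signature.
    signed_hosts = {norm(e["Image"]) for e in events
                    if norm(e["Image"]) == norm(e["ImageLoaded"]) and is_valid_signed(e)}
    hits = []
    # Pass 2: DLL loads that match every condition of the heuristic.
    for e in events:
        image, loaded = norm(e["Image"]), norm(e["ImageLoaded"])
        if loaded == image or not loaded.endswith(".dll"):
            continue
        same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
        writable = any(d in image for d in USER_WRITABLE)
        if same_dir and writable and image in signed_hosts and not is_valid_signed(e):
            hits.append((e["Image"], e["ImageLoaded"]))
    return hits
```

Legitimate software that ships unsigned helper DLLs beside a signed binary in a user profile will also match, so treat hits as triage candidates rather than verdicts.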
Opens original article on The Hacker News