Silver Fox’s Expansion of Operations Across the South Asia

Published Date: March 27, 2026

Category: ShadowOpsIntel

Silver Fox (also known as Void Arachne) is a China-based intrusion set active since at least 2022. Originally focused on financially motivated cybercrime, the group has evolved since 2024 to include sophisticated, APT-style operations, effectively blurring the lines between cybercrime and state-sponsored espionage.

Severity: High

Threat Overview

Dual-Track Model: The group runs sophisticated espionage campaigns alongside broad, opportunistic, profit-driven operations.
Primary Motivation: Their goals are dual-natured, ranging from traditional financial gain to intelligence collection.
Victimology: Primarily targets individuals and entities across South Asia, including Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand, and the Philippines.

Arsenal And Tooling

The group’s arsenal is modular and constantly evolving to maintain persistent access and low detection.

ValleyRAT (aka Winos): Their primary modular backdoor, which supports actions such as keystroke logging, security bypass, and remote system control.
Holding Hands: A variant of Ghost RAT often deployed alongside ValleyRAT for high-value espionage.
RMM Tools: Abuse of legitimate but misconfigured Chinese Remote Monitoring and Management (RMM) tools, specifically from “SyncFutureTec Company Limited”.
Python-based Stealer: A custom credential stealer disguised as a WhatsApp application.
Blackmoon: A ubiquitous malware from the Chinese ecosystem used for less critical, lucrative objectives.

Campaign Evolution (2025–2026)

Threat analysts identified three distinct waves of activity during this period:

Wave	Primary Focus	Methodology	Lure Theme
First Wave (Jan 2025)	Taiwan & Japan	Malicious PDF attachments delivering ValleyRAT.	National taxation authorities and audits.
Second Wave (Dec 2025)	South Asia region	Transitioned to RMM tool delivery via phishing links.	Tax organization communication styles.
Third Wave (2026)	Regional entities	Custom Python stealer disguised as WhatsApp.	Culturally relevant payroll/tax lures.

Attack Details

Initial Access: Consistent use of culturally relevant lures, such as tax audits or payroll documents, to incite fear or curiosity.
Delivery: Evolution from direct email attachments (PDFs) to embedding links to fake phishing websites.
Evasion: Use of kernel-mode rootkits, exploiting zero-day driver plugins, and hijacking legitimate university email addresses to bypass security.
Infrastructure: Reliance on myqcloud (bucket infrastructure), SEO poisoning, and malicious ads to drive traffic to C2 servers.

Recommendations

Block or flag emails with tax/audit-related urgency themes and mismatched sender domains (e.g., academic vs government).
Conduct phishing simulations focused on finance/tax scenarios.
Maintain an “Allow List” of approved Remote Monitoring and Management (RMM) tools. Block any unauthorized RMM binaries, specifically those signed by “SyncFutureTec Company Limited” or utilizing the [ipv4]+ClientSetup.exe naming convention.
Enable and regularly update the Microsoft Vulnerable Driver Blocklist to prevent the abuse of signed drivers (like amsdk.sys) used by Silver Fox to bypass security.
Create alerts for non-standard User-Agents, specifically WhatsAppBackup/1.0, which the group uses for data exfiltration via their Python stealer.
Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/f8f04e8320ccf81bb2f82ba74b078439883fc25d6726254facda0e0566591780/iocs

Source:

https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.