Silver Fox

Silver Fox is a China-based threat actor described in the provided reporting as a Chinese-linked, Chinese-nexus, and in some sources state-associated group. It is also tracked as Void Arachne, SwimSnake, The Great Thief of Valley, UTG-Q-1000, CL-STA-0048, and APT-Q-27. The content characterizes the group as operating across both cybercrime and espionage activity, with some reporting explicitly noting a dual-track model and overlap between financially motivated intrusions and state-aligned behavior. The group is strongly associated with ValleyRAT, also known as Winos 4.0, which multiple sources describe as a primary Silver Fox malware family, although some reporting cautions that ValleyRAT-related tooling or Gh0stKCP traffic may also be used by other actors. Additional malware and tooling directly mentioned in connection with Silver Fox include Atlas RAT, ABCDoor, RustSL-based loaders, PXDropper, PoisonX, 10FXRAT, FatalRAT, AtlasCross RAT, Catena loader, and a Python-based information stealer. The content also links Silver Fox campaigns to trojanized software installers, DLL sideloading, phishing attachments and links, SEO poisoning, cloud-hosted payload delivery, and multi-stage loaders. Targets mentioned in the content include healthcare organizations, public sector entities, financial firms, manufacturing and technology sectors, medical institutions, and broader corporate environments. Geographic targeting described in the content includes Japan, Taiwan, China, India, Russia, and Southeast Asian countries including Malaysia, Indonesia, Singapore, Thailand, and the Philippines; one report also notes targeting of US and Canadian healthcare organizations. Several campaigns used highly localized social engineering, including tax-themed phishing, HR-themed lures, payroll and invoice themes, and counterfeit software update alerts. Tradecraft described in the content includes phishing with PDF or archive lures, use of disposable sender accounts, movement of conversations to Teams or WhatsApp, DLL sideloading through legitimate applications, use of trojanized medical imaging software and other compromised installers, geofencing and environment checks, anti-analysis logic, PowerShell-based Microsoft Defender exclusions, AMSI and ETW interference, persistence via Run keys, scheduled tasks and services, and registry-resident components. Multiple reports describe Silver Fox using BYOVD or kernel-driver abuse to disable security tools, including use of TrueSightKiller, PoisonX-related driver functionality, Topaz OFD wsftprm.sys, and wnBios. The content also describes command-and-control over raw TCP, HTTPS, Socket.IO, and Gh0stKCP/UDP-based traffic depending on the malware family. Campaigns directly described in the content include use of trojanized medical software against healthcare and public sector targets; tax-themed phishing campaigns in late 2025 and early 2026 targeting organizations in India and Russia and delivering ValleyRAT and ABCDoor; phishing campaigns across Asia using fake tax audit notices and counterfeit software updates; and software supply-chain style activity involving npm typosquatting and a malicious Hugging Face repository with infrastructure overlap to prior Silver Fox-linked ValleyRAT activity. The content also references infrastructure clusters tied to Silver Fox, including ValleyRAT command-and-control nodes, Alibaba Cloud and Tencent Cloud hosting, Gname.com-registered domains, and a jackadmin/jackbank infrastructure cluster assessed as Silver Fox infrastructure.