Silver Fox

Malware. Used by 1 actor.

Silver Fox is a malware family and associated cybercrime activity cluster active since at least 2022, with campaigns observed through 2024 and ongoing reporting into 2025–2026. Reporting from Knownsec describes Silver Fox operations that impersonate popular software and services, including Google Translate, WPS, currency converters, Youdao Translation, Bit Browser, LetsVPN, and fake Flash update prompts, to deliver Trojanized MSI or EXE installers. Distribution methods explicitly mentioned include email, phishing websites, instant messaging software, counterfeit software download pages, SEO optimization, and fake websites of important national institutions.

In the analyzed infection chain, an MSI installer loads aicustact.dll, executes update.bat, uses javaw.exe to establish persistence by writing Microsoftdata.exe into the Windows Run registry, and then reads Xps.dtd to load shellcode that decrypts and executes the final payload. The final PE reportedly contains the string "RexRat4.0.3," but the core malware was assessed as Winos, described as one of the most common Trojans in the Silver Fox family. Winos is modular and supports remote control and data theft via plug-ins, with specifically reported capabilities including screenshot capture, keylogging, clipboard theft, and broader remote-control and data-theft functions.

The Knownsec reporting states that leaked source code such as Winos 4.0 enabled Silver Fox to evolve from a single organization into a broadly reused malware family. The malware is described as increasingly modular and tool-based, with core code reportedly reused by multiple cybercrime groups and some APT organizations, including Golden Eye Dog. The reporting characterizes Silver Fox as a significant threat in the Chinese internet ecosystem.

High-confidence infrastructure and indicators mentioned in the content include phishing infrastructure 192.252.181[.]55 and www.ggfanyi[.]com, and command-and-control endpoints 8.218.115[.]90:8080, 8.218.115[.]90:8081, 154.91.66[.]58:8088, 154.91.66[.]58:8089, 103.116.246[.]234:6234, 43.250.174[.]49:1989, 154.222.24[.]214:886, 154.222.24[.]214:668, 206.119.167[.]191:8003, 206.119.167[.]191:8004, 1.94.163[.]46:666, 203.160.55[.]201:1860, 154.94.232[.]242:8888, and 154.94.232[.]242:6666 (all indicators defanged with [.]).
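One way a defender can turn the indicators above and the described Run-key persistence step into a hunt over telemetry, as an added example that is not code from Mallory or from the Knownsec report: the indicator values are the ones quoted on this page, while the key=value log format, the parser, and the sample log lines are constructed for illustration and would need adapting to a real product's export format.

```python
"""Hunt for the Silver Fox / Winos indicators quoted above in constructed log samples.

Added example (not Mallory's or Knownsec's code). IoC values come from the page;
the key=value log format and the sample lines are constructed for illustration.
"""
import ipaddress
import re

# Indicators quoted on the page, kept defanged with [.] as in the source.
PHISHING_HOSTS = {"192.252.181[.]55", "www.ggfanyi[.]com"}
C2_ENDPOINTS = {
    "8.218.115[.]90:8080", "8.218.115[.]90:8081",
    "154.91.66[.]58:8088", "154.91.66[.]58:8089",
    "103.116.246[.]234:6234", "43.250.174[.]49:1989",
    "154.222.24[.]214:886", "154.222.24[.]214:668",
    "206.119.167[.]191:8003", "206.119.167[.]191:8004",
    "1.94.163[.]46:666", "203.160.55[.]201:1860",
    "154.94.232[.]242:8888", "154.94.232[.]242:6666",
}
# Persistence artefact named in the infection chain (written to the Run key).
RUN_KEY_FILE = "microsoftdata.exe"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_iocs():
    """Return (set of IPs, set of hostnames, set of (ip, port)) ready for matching."""
    ips, hosts, endpoints = set(), set(), set()
    for h in PHISHING_HOSTS:
        v = refang(h)
        try:
            ipaddress.ip_address(v)
            ips.add(v)
        except ValueError:
            hosts.add(v.lower())
    for ep in C2_ENDPOINTS:
        ip, port = refang(ep).rsplit(":", 1)
        endpoints.add((ip, int(port)))
        ips.add(ip)  # contact with a C2 IP on another port is still worth review
    return ips, hosts, endpoints


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Parse a 'key=value key=value' log line (constructed format)."""
    return dict(KV_RE.findall(line))


def hunt(lines):
    """Return a list of (severity, reason, line) for lines that touch the indicators."""
    ips, hosts, endpoints = build_iocs()
    hits = []
    for line in lines:
        ev = parse_kv(line)
        kind = ev.get("type")
        if kind == "conn":
            dst, dport = ev.get("dst", ""), int(ev.get("dport", 0))
            if (dst, dport) in endpoints:
                hits.append(("high", f"known C2 endpoint {dst}:{dport}", line))
            elif dst in ips:
                hits.append(("medium", f"known IP {dst} on unlisted port {dport}", line))
        elif kind == "dns":
            q = ev.get("query", "").lower().rstrip(".")
            if q in hosts:
                hits.append(("high", f"phishing host lookup {q}", line))
        elif kind == "reg":
            path = ev.get("path", "").lower()
            data = ev.get("data", "").lower()
            if "\\currentversion\\run" in path and RUN_KEY_FILE in data:
                hits.append(("high", f"Run-key persistence pointing at {RUN_KEY_FILE}", line))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_LOGS = [
    "type=conn src=10.0.0.12 dst=8.218.115.90 dport=8080 proto=tcp",
    "type=conn src=10.0.0.12 dst=8.218.115.90 dport=443 proto=tcp",
    "type=conn src=10.0.0.13 dst=142.250.72.78 dport=443 proto=tcp",
    "type=dns src=10.0.0.12 query=www.ggfanyi.com.",
    "type=reg host=WS12 path=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "data=C:\\Users\\u\\AppData\\Roaming\\Microsoftdata.exe",
    "type=reg host=WS13 path=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "data=C:\\Windows\\System32\\SecurityHealthSystray.exe",
]

if __name__ == "__main__":
    for sev, why, line in hunt(SAMPLE_LOGS):
        print(f"[{sev}] {why}\n    {line}")
```

The refang step matters because copying defanged indicators straight into a matcher silently matches nothing; the medium-severity branch flags traffic to a listed C2 IP on a port the report did not name, which is the case a port-exact match would miss.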

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Golden Eye Dog

Recently, the Knownsec 404 Advanced Threat Intelligence Team has frequently detected Silver Fox attack activities that mimic popular tools.

Source: Knownsec 404 Team on Medium (medium.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.006 SEO Poisoning (evidence: 1)

In recent years, several hacker groups have been distributing the Silver Fox Trojan through methods such as counterfeiting commonly used tool download pages, SEO optimization, and counterfeiting the websites of important national institutions.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

Since 2022, the Silver Fox cybercrime gang has been active, typically using multiple channels such as email, phishing websites, and instant messaging software to widely spread Trojan viruses.

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

Attackers disguise themselves as Google Translate tools... a counterfeit WPS official download website was also discovered... Microsoftdata.exe increases trustworthiness by mimicking the naming of official programs.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Attackers only need to focus on the iteration of anti-detection techniques (such as code obfuscation, signature forgery, and cloud sandbox evasion) to quickly adapt to different attack scenarios.

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

Attackers only need to focus on the iteration of anti-detection techniques (such as code obfuscation, signature forgery, and cloud sandbox evasion) to quickly adapt to different attack scenarios.

INDICATORS OF COMPROMISE

IOCs tracked for this family

23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
14 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
9 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type         Value                         Latest sighting
ip.v4        (redacted; full value in app) 3 months ago
ip.v4        (redacted; full value in app) 3 months ago
hash.sha256  (redacted; full value in app) 11 months ago
hash.sha256  (redacted; full value in app) 11 months ago
hash.sha256  (redacted; full value in app) 11 months ago
hash.sha256  (redacted; full value in app) 11 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (23)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.