The Chinese threat actor known as Silver Fox has launched a targeted phishing campaign against Indian organizations, using income tax-themed emails to deliver the modular remote access trojan ValleyRAT. Attackers impersonate the Indian Income Tax Department, sending emails with decoy PDF attachments that, when opened, direct victims to a malicious website hosting a ZIP archive. This archive contains a disguised installer that leverages DLL hijacking, specifically abusing a legitimate executable (thunder.exe) and a malicious DLL (libexpat.dll), to establish persistent access and evade detection. The campaign demonstrates a sophisticated multi-stage infection chain, with the initial payload acting as a loader for subsequent malware modules designed to maintain deep access to compromised systems.
Researchers from CloudSEK have attributed this campaign to Silver Fox, correcting previous misattributions to other threat groups. The group, also known as SwimSnake and Void Arachne, has expanded its targeting beyond Chinese-speaking entities to include Indian public, financial, medical, and technology sectors. The use of socially engineered tax documents and trusted file formats highlights the attackers' ability to bypass traditional security controls, while the complex kill chain and modular malware architecture underscore the evolving threat posed by Silver Fox to Indian organizations.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
CloudSEK analysts attributed the tax-themed attacks on Indian organizations to Silver Fox, correcting earlier misattributions. The reporting highlighted the group's use of false-flag tactics to complicate attribution.
In the India-focused campaign, attackers used a legitimate executable together with a malicious DLL to achieve DLL hijacking, anti-analysis evasion, and process injection or hollowing. The infection chain deployed ValleyRAT, disabled Windows Update, and stored configuration data in the Windows registry for persistence and stealth.
Silver Fox began targeting Indian entities with phishing emails impersonating Income Tax Department communications. The lures directed victims to download a malicious executable disguised as a tax-related file.
Silver Fox broadened its operations from primarily targeting Chinese-speaking victims to organizations across multiple regions and sectors worldwide, including public, financial, medical, and technology entities. The group used phishing, SEO poisoning, and fake software installer sites to distribute malware.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.