A spear-phishing campaign targeted Japanese organizations with HR-themed lures impersonating company representatives and delivered a multi-stage malware chain built around PXDropper, the PoisonX kernel driver, and the modular 10FXRAT remote-access trojan. Victims were directed to Google Cloud Storage-hosted archives containing ZIP, RAR, LNK, or EXE payloads, including polyglot Windows shortcut files that dropped decoy Japanese PDFs and used obfuscated downloaders to fetch second-stage malware such as RuntimeBroker.exe. The operators also disguised payloads as legitimate Feishu/Lark and Baidu Netdisk installers and abused DLL sideloading with signed binaries including dashost.exe and unregmp2.exe to decrypt and launch the malware.
Once installed, PoisonX used kernel-level capabilities to terminate security tools and conceal malicious processes and network traffic, while 10FXRAT provided remote shell access, SOCKS5 tunneling, persistence, plugin-based expansion, and tampering with Microsoft Defender. Researchers said the activity continued into May and expanded to Chinese organizations, with the operators shifting from a signed PoisonX driver to BYOVD techniques using legitimately signed but vulnerable drivers such as ASUSTeK EneIo64.sys and Microsoft procexp.sys. The campaign exposed at least 61 indicators, including 49 SHA-256 hashes and 12 IPv4 command-and-control addresses; notable infrastructure included the Google Cloud Storage bucket opentokenaiit, the URL https://storage.googleapis.com/opentokenaiit/newgram.exe, and C2 address 101.32.190.202. Researchers assessed the tradecraft as consistent with a China-nexus operation, with one report noting a possible but unconfirmed link to Silver Fox.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
On 2026-06-04, LAC WATCH published a report detailing the campaign's spear-phishing lures, PXDropper, PoisonX driver abuse, 10FXRAT deployment, and later BYOVD evolution. The report assessed with low-to-moderate confidence that the activity may be linked to the China-aligned Silver Fox group, while noting attribution was not conclusive.
The IP address 101.32.190.202, later highlighted as a strong candidate C2 in analysis of the campaign, appeared in an OTX botnet-list pulse on 2026-05-20. The gist cites this as independent enrichment for one of the reported indicators.
LAC said similar activity continued into May 2026 and expanded targeting beyond Japan to include Chinese organizations. During this phase, the operators shifted from the PoisonX driver to BYOVD techniques using legitimately signed vulnerable drivers such as ASUSTeK EneIo64.sys and Microsoft's procexp.sys.
LAC observed a spear-phishing campaign in April 2026 targeting Japanese organizations with HR-themed lures impersonating company representatives. The infection chain delivered PXDropper, a PoisonX kernel driver, and 10FXRAT via archives and downloader files hosted on Google Cloud Storage.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.