Silver Fox Targets Indian Users with Tax-Themed Phishing Emails to Deliver ValleyRAT Malware
The threat actor referred to as Silver Fox is now actively targeting India, using phishing emails themed around income tax to deliver a modular remote access trojan (RAT) known as ValleyRAT (aka Winos 4.0).
“This campaign uses a multi-stage kill chain with DLL hijacking and the modular Valley RAT to gain persistence on endpoints,” CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week.
Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the designation for a China-based cybercrime group that has been operating since 2022.
The group has a history of running campaigns with objectives ranging from espionage and collection of sensitive information to direct financial theft, cryptocurrency mining, and disruption of operations, making it one of the relatively few threat groups that consistently blends multiple intrusion goals in parallel.
Initially concentrating on Chinese-speaking users and entities, Silver Fox’s targeting has expanded to organizations in the public, financial, healthcare, and technology verticals. The group’s activity has relied on SEO poisoning and phishing to deploy Gh0st RAT variants such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
In the intrusion flow documented by CloudSEK, phishing emails with decoy PDF attachments posing as official messages from India’s Income Tax Department are used to initiate delivery of ValleyRAT. When the victim opens the PDF, they are redirected to the “ggwk[.]cc” domain, which serves a ZIP archive named “tax affairs.zip”.
Inside the ZIP file is a Nullsoft Scriptable Install System (NSIS) installer with the same name (“tax affairs.exe”). This installer abuses a legitimate executable tied to Thunder (“thunder.exe”), a Windows download manager by Xunlei, along with a malicious DLL (“libexpat.dll”) that is loaded via DLL sideloading.
The DLL disables the Windows Update service and then loads a Donut-based loader, but only after running several anti-analysis and anti-sandbox checks to avoid execution in research or sandboxed environments. The loader ultimately injects the final ValleyRAT payload into a hollowed “explorer.exe” process.
ValleyRAT communicates with a remote command-and-control (C2) server and waits for tasking. It uses a plugin-based design so operators can dynamically extend functionality, enabling targeted deployment of modules for keylogging, credential theft, and evasion of security controls.
“Registry-resident plugins and delayed beaconing enable the RAT to persist across reboots while generating minimal telemetry,” CloudSEK said. “On-demand module delivery supports focused credential theft and surveillance aligned to the victim’s role and priority.”
This activity aligns with NCC Group’s observation of an exposed link management panel (“ssl3[.]space”) operated by Silver Fox to monitor downloads of malicious installers masquerading as popular software such as Microsoft Teams, used to deliver ValleyRAT. The service records details including:
- Web pages that host trojanized installer applications
- The number of clicks the download button on a phishing page receives each day
- The total number of download button clicks accumulated over the lifetime of the campaign
The fraudulent download portals created by Silver Fox have impersonated CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, and Youdao, among others. Review of source IPs associated with download activity indicates at least 217 clicks from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7).
“Silver Fox used SEO poisoning to push backdoored installers for at least 20 widely adopted applications, including collaboration platforms, VPN solutions, and office tools,” researchers Dillon Ashmore and Asher Glue said. “These primarily impact Chinese-speaking users and organizations in China, with observed infections starting in July 2025 and additional affected victims across Asia-Pacific, Europe, and North America.”
The ZIP packages distributed via these fake download portals contain an NSIS installer that configures Microsoft Defender Antivirus exclusions, establishes persistence via scheduled tasks, and then connects to a remote server to retrieve the ValleyRAT payload.
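The two delivery chains described above (the tax-themed chain with thunder.exe sideloading libexpat.dll, the Windows Update service being disabled and explorer.exe being hollowed; and the fake-portal NSIS installers that add Defender exclusions and scheduled tasks) each leave endpoint telemetry a defender can key on. The following is an added example, not code from CloudSEK, NCC Group or the article: a small rule set run over constructed Sysmon-style events. The event field names, the list of directories treated as trusted, the service name wuauserv for the Windows Update service, the file paths and the scheduled task name are all assumptions or constructed sample data, not values from the article.

```python
"""Heuristic detections for the ValleyRAT delivery chains described above.

Added example: events are constructed to resemble Sysmon ProcessCreate,
ImageLoad and RegistryEvent records; field names are an assumption.
"""
import ntpath
import re

# Directories a signed host binary legitimately lives in. Anything else is
# treated as user-writable for these heuristics (assumption, tune per fleet).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Processes that normally start explorer.exe on a workstation (assumption).
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# wuauserv is the Windows Update service name (well-known, not from the article).
UPDATE_SERVICE_RE = re.compile(
    r"\b(sc(\.exe)?\s+(stop|config|delete)|net(\.exe)?\s+stop)\s+wuauserv\b", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)
MPPREF_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
DEFENDER_EXCL_KEY = "\\microsoft\\windows defender\\exclusions\\"


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def rule_dll_sideload(ev):
    """Signed host loads an unsigned DLL from its own, user-writable directory."""
    if ev.get("type") != "ImageLoad" or not ev["loaded"].lower().endswith(".dll"):
        return None
    same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
    if same_dir and not in_trusted_dir(ev["loaded"]) \
            and ev.get("host_signed") and not ev.get("signed"):
        return "dll_sideload"
    return None


def rule_update_service_tamper(ev):
    """Command line stops, reconfigures or deletes the Windows Update service."""
    if ev.get("type") == "ProcessCreate" and UPDATE_SERVICE_RE.search(ev.get("cmdline", "")):
        return "windows_update_service_tamper"
    return None


def rule_defender_exclusion(ev):
    """Exclusion added via the Defender registry tree or *-MpPreference cmdlets."""
    if ev.get("type") == "RegistryEvent" and DEFENDER_EXCL_KEY in ev.get("key", "").lower():
        return "defender_exclusion_added"
    if ev.get("type") == "ProcessCreate" and MPPREF_RE.search(ev.get("cmdline", "")):
        return "defender_exclusion_added"
    return None


def rule_scheduled_task_from_untrusted_parent(ev):
    """schtasks /create launched by a binary outside the trusted directories."""
    if ev.get("type") == "ProcessCreate" \
            and SCHTASKS_CREATE_RE.search(ev.get("cmdline", "")) \
            and not in_trusted_dir(ev.get("parent", "")):
        return "scheduled_task_by_untrusted_parent"
    return None


def rule_explorer_odd_parent(ev):
    """explorer.exe started by something other than the usual logon chain,
    which is what a loader hollowing a fresh explorer.exe looks like."""
    if ev.get("type") != "ProcessCreate":
        return None
    if ntpath.basename(ev["image"]).lower() == "explorer.exe" \
            and ntpath.basename(ev.get("parent", "")).lower() not in EXPLORER_PARENTS:
        return "explorer_spawned_by_unexpected_parent"
    return None


RULES = [rule_dll_sideload, rule_update_service_tamper, rule_defender_exclusion,
         rule_scheduled_task_from_untrusted_parent, rule_explorer_odd_parent]


def scan(events):
    """Return (event_index, alert_name) pairs for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((i, name))
    return alerts


def chain_score(events):
    """Number of distinct chain stages observed; several on one host is a
    much stronger signal than any single rule firing in isolation."""
    return len({name for _, name in scan(events)})


# Constructed sample telemetry for one host (paths and task name are made up).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Users\victim\Downloads\tax affairs.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Users\victim\Downloads\tax affairs.exe"'},
    {"type": "ImageLoad", "image": r"C:\Users\victim\AppData\Local\Temp\thunder.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\libexpat.dll", "host_signed": True, "signed": False},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\thunder.exe", "cmdline": "sc stop wuauserv"},
    {"type": "RegistryEvent", "image": r"C:\Users\victim\Downloads\teams_setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Local\Temp"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\victim\Downloads\teams_setup.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\victim\AppData\Local\Temp\thunder.exe"'},
    {"type": "ProcessCreate", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\thunder.exe", "cmdline": "explorer.exe"},
    # Benign control: explorer.exe loading a system DLL must not fire.
    {"type": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll", "host_signed": True, "signed": True},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
    print("distinct stages:", chain_score(SAMPLE_EVENTS))
```

The rules are deliberately narrow on the behaviours the article names rather than on file hashes or domains, which the operators can rotate cheaply: a signed host loading an unsigned DLL from its own directory, tampering with the update service, exclusion changes, task creation from an installer path, and an explorer.exe with an unexpected parent. Correlating several of them on one host within a short window is the useful alert; any one alone will have benign hits.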
The observations line up with a recent ReliaQuest report that linked the group to a false-flag operation impersonating a Russian threat actor in intrusions against organizations in China using Teams-themed lure sites, in an effort to complicate attribution.
“Data from this panel highlights hundreds of clicks from mainland China and additional victims across Asia-Pacific, Europe, and North America, reinforcing the breadth of the campaign and its deliberate focus on Chinese-speaking users,” NCC Group said.