GBHackers

Fake Tax Audits and Updates Fuel Silver Fox Malware Campaign


A China-linked threat group known as Silver Fox is running a new wave of cyber campaigns using fake tax audit notifications and software update lures to deliver malware across Asia.

Active since at least 2022, the group initially focused on financially motivated attacks but, since 2024, has evolved into a dual-purpose operation combining cybercrime and espionage.

At the same time, its victim profile has shifted from individual users to organizations in healthcare, finance, and enterprise sectors.

Silver Fox’s latest campaigns rely heavily on highly customized spear phishing emails. In Taiwan, attackers impersonated the National Tax Bureau and timed their attacks to coincide with the local tax audit season.

Security researchers report that Silver Fox has expanded its geographic reach beyond China to target Taiwan, Japan, and, more recently, Southeast Asia, including Malaysia, Indonesia, Singapore, Thailand, and the Philippines.

Victims are tricked into opening malicious attachments or clicking links that lead to multi-stage infection chains.

For example, a phishing email may include a PDF or shortcut LNK file that silently triggers the download of a second-stage payload from attacker-controlled cloud infrastructure such as MyQcloud.

In recent 2026 activity, researchers observed the deployment of a Python-based data stealer. This malware collects sensitive data, stores it in files like C:WhatsAppBackupWhatsAppData.zip, and uploads it to remote servers via endpoints such as upload_large.php.

Impersonation and SEO Poisoning

The group creates fake websites that mimic legitimate software providers, including VPN services, messaging apps, and collaboration tools such as Surfshark, Signal, Telegram, Zoom, and Microsoft Teams.

Using typosquatted domains and SEO poisoning, these malicious sites are pushed to the top of search engine results. Users searching for legitimate software may unknowingly download trojanized installers.
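The following checker, added here as an illustration rather than code from the article or from any Silver Fox tooling, scores a candidate hostname against the brands the article says were impersonated. It flags the usual lookalike tricks (digit and Cyrillic homoglyphs, brand names with extra affixes, brand labels on an unexpected TLD, brand names used as a subdomain of someone else's domain, and near misses by edit distance) and is the kind of filter a defender can run over proxy logs or newly registered domain feeds. The allowlist of genuine vendor hostnames and every candidate domain below are assumptions or constructed samples; the article names no domains.

```python
"""Lookalike-domain check for the brands the article says were impersonated."""
import re
import unicodedata

# Brands named in the article (Surfshark, Signal, Telegram, Zoom, Microsoft Teams).
BRANDS = ["surfshark", "signal", "telegram", "zoom", "teams"]

# Assumed allowlist of the vendors' genuine hostnames; maintain it from vendor documentation.
ALLOWLIST = {"surfshark.com", "signal.org", "telegram.org", "zoom.us", "teams.microsoft.com"}

# Digits and Cyrillic letters commonly substituted for Latin letters in lookalike labels.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
}


def normalize_label(label):
    """Lower-case, fold homoglyphs to ASCII and drop separators ('tele-gram' -> 'telegram')."""
    label = unicodedata.normalize("NFKC", label.lower())
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return re.sub(r"[^a-z0-9]", "", label)


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute all costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _verdict(domain, brand, reason, suspicious):
    return {"domain": domain, "brand": brand, "reason": reason, "suspicious": suspicious}


def classify(domain, brands=BRANDS, allowlist=ALLOWLIST, max_distance=2):
    """Return the closest brand, why the hostname looks like it, and whether to flag it."""
    host = domain.lower().strip(".")
    if host in allowlist:
        return _verdict(host, None, "allowlisted", False)
    labels = host.split(".")[:-1]  # drop the TLD; labels[-1] is the registrable label
    if not labels:
        return _verdict(host, None, "no_match", False)
    reg = labels[-1]
    for brand in brands:
        if brand in labels[:-1]:  # brand used as a subdomain of some other domain
            return _verdict(host, brand, "subdomain", True)
    folded = normalize_label(reg)
    for brand in brands:
        if reg == brand:  # exact brand label, but the hostname is not on the allowlist
            return _verdict(host, brand, "unexpected_tld", True)
        if folded == brand:  # identical once homoglyphs and separators are folded away
            return _verdict(host, brand, "homoglyph", True)
    for brand in brands:
        if brand in folded:  # brand embedded with extra tokens: 'zoom-download', 'signalapp'
            return _verdict(host, brand, "affix", True)
    if len(folded) >= 4:  # avoid noisy matches on very short labels
        d, brand = min((levenshtein(folded, b), b) for b in brands)
        if d <= max_distance:
            return _verdict(host, brand, f"edit_distance={d}", True)
    return _verdict(host, None, "no_match", False)


if __name__ == "__main__":
    # Constructed sample hostnames, not domains observed in the campaign.
    for candidate in ["zoom.us", "zo0m.example", "zoom-download.example", "signal.evil.example",
                      "telegrm.example", "zoom.download", "example.com"]:
        print(classify(candidate))
```

The rules are ordered from strongest to weakest signal so that one hostname gets one verdict; tune `max_distance` and the allowlist to the organisation's own traffic before alerting on the weaker edit-distance matches.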

One key payload delivered through these channels is AtlasCross RAT, a remote access trojan with advanced capabilities.

It enables attackers to hijack Remote Desktop sessions using tools like tscon.exe and move laterally within networks. It can also inject malicious code into trusted applications such as WeChat to exploit internal trust relationships.
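Both behaviours described above leave process telemetry behind. The hunting logic below is an added example, not code from the article or from any vendor product: it runs two rules over Sysmon-style process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) records, flagging `tscon.exe` invoked with a `/dest:` argument (more severe when run as SYSTEM, since that is how a disconnected session is attached without its password) and remote threads created in a trusted application such as WeChat from a source outside the baselined set. The JSON lines, hostnames, file paths and the list of benign thread sources are all constructed assumptions.

```python
"""Hunt for RDP session reattachment via tscon.exe and code injection into trusted apps."""
import json
import ntpath

# Applications the article names as injection targets (WeChat); extend from your estate.
TRUSTED_TARGETS = {"wechat.exe"}
# Assumed baseline of processes that legitimately create remote threads on this estate.
BENIGN_INJECTORS = {"csrss.exe"}
# Directory fragments that indicate a user-writable location.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed sample telemetry in a Sysmon-like JSON shape; not real logs.
SAMPLE_JSONL = r"""
{"EventID": 1, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\tscon.exe", "CommandLine": "tscon.exe 2 /dest:console", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Computer": "WS02", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\tscon.exe", "CommandLine": "tscon.exe 3 /dest:rdp-tcp#1", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Computer": "WS02", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 8, "Computer": "WS01", "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Program Files\\WeChat\\WeChat.exe"}
{"EventID": 8, "Computer": "WS01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\WeChat\\WeChat.exe"}
"""


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_tscon(ev):
    """tscon.exe with /dest: reattaches a session; as SYSTEM no password is required."""
    if ev.get("EventID") != 1 or base(ev.get("Image", "")) != "tscon.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/dest:" not in cmd.lower():
        return None
    severity = "high" if ev.get("User", "").upper().endswith("SYSTEM") else "medium"
    return {"rule": "rdp_session_hijack_tscon", "severity": severity,
            "host": ev.get("Computer"), "detail": cmd}


def rule_remote_thread(ev):
    """A remote thread in a trusted app from a non-baselined source is an injection signal."""
    if ev.get("EventID") != 8 or base(ev.get("TargetImage", "")) not in TRUSTED_TARGETS:
        return None
    src = ev.get("SourceImage", "")
    if base(src) in BENIGN_INJECTORS:
        return None
    from_user_dir = any(frag in src.lower() for frag in USER_WRITABLE)
    return {"rule": "remote_thread_into_trusted_app",
            "severity": "high" if from_user_dir else "medium",
            "host": ev.get("Computer"), "detail": f"{src} -> {ev.get('TargetImage')}"}


RULES = [rule_tscon, rule_remote_thread]


def hunt(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def hunt_jsonl(text):
    """Parse one JSON object per line and hunt over them."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for alert in hunt_jsonl(SAMPLE_JSONL):
        print(alert)
```

The second `tscon.exe` line shows why severity is tiered rather than binary: an administrator switching their own sessions produces the same command line, so the SYSTEM context and the parent process are what separate the hijack case from routine use.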

Silver Fox operates a diverse toolkit of malware and loaders. Key tools include:

  • ValleyRAT (also known as Winos), a core remote access trojan.
  • Nidhogg rootkit for stealth and persistence.
  • PNGPlug and Catena loaders for staged delivery.
  • Gh0st RAT and Gh0stCringe variants.
  • CleverSoar installer used in initial infection chains.

Notably, no specific software vulnerability has been publicly linked to these attacks. Instead, the group relies on social engineering and execution techniques.

BYOVD Technique Disables Security

A major technical tactic used by Silver Fox is BYOVD (Bring Your Own Vulnerable Driver). This involves loading legitimately signed but vulnerable drivers and abusing them to disable endpoint security tools such as antivirus and EDR solutions.

Once inside a system, these drivers allow attackers to terminate security processes running at the kernel level, giving them deeper control and helping them evade detection.
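A BYOVD chain is visible in driver-load telemetry before the security tooling goes quiet. The correlation below is an added example, not code from the article or from any EDR vendor: it inspects Sysmon-style driver-load records (Event ID 6) for three signals (a hash on a vulnerable-driver blocklist, a load from outside the Windows driver directories, and an unsigned image) and raises the severity when a security process terminates (Event ID 5) within a short window after such a load. The blocklist hashes are labelled placeholders standing in for a real list such as Microsoft's recommended driver block rules or the LOLDrivers project, and all events, paths and timestamps are constructed samples.

```python
"""Correlate suspicious driver loads with the termination of security processes."""
from datetime import datetime, timedelta
import ntpath

# PLACEHOLDER values standing in for a vulnerable-driver blocklist; not real hashes.
KNOWN_VULNERABLE_SHA256 = {
    "placeholder_sha256_known_vulnerable_driver_a",
    "placeholder_sha256_known_vulnerable_driver_b",
}
# Locations from which drivers are normally loaded.
TRUSTED_DRIVER_DIRS = ("\\windows\\system32\\drivers\\", "\\windows\\system32\\driverstore\\")
# Security processes whose termination after a driver load is a strong BYOVD signal
# (MsMpEng.exe is the Defender engine; edr_agent.exe is a hypothetical third-party agent).
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}

# Constructed sample events in a Sysmon-like shape, already in time order; not real logs.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-03-01T10:00:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\vendorfilter.sys",
     "Hashes": "SHA256=0a0a0a0a", "Signed": "true", "Signature": "Example Vendor"},
    {"EventID": 6, "UtcTime": "2026-03-01T10:01:00",
     "ImageLoaded": "C:\\Users\\Public\\TaxAudit\\drv.sys",
     "Hashes": "SHA256=placeholder_sha256_known_vulnerable_driver_a", "Signed": "true",
     "Signature": "Legit Hardware Co"},
    {"EventID": 5, "UtcTime": "2026-03-01T10:01:30",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"EventID": 6, "UtcTime": "2026-03-01T10:30:00",
     "ImageLoaded": "C:\\Temp\\x.sys", "Hashes": "SHA256=ffffffff", "Signed": "false",
     "Signature": ""},
]


def parse_hashes(field):
    """Sysmon writes Hashes as 'SHA1=..,SHA256=..'; return {ALGO: lower-case value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def driver_findings(ev):
    """Reasons a driver-load event looks like BYOVD; empty list means nothing notable."""
    reasons = []
    path = ev.get("ImageLoaded", "").lower()
    if parse_hashes(ev.get("Hashes", "")).get("SHA256") in KNOWN_VULNERABLE_SHA256:
        reasons.append("blocklisted_hash")
    if not any(d in path for d in TRUSTED_DRIVER_DIRS):
        reasons.append("untrusted_path")
    if str(ev.get("Signed", "")).lower() != "true":
        reasons.append("unsigned")
    return reasons


def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def correlate(events, window=timedelta(minutes=5)):
    """One alert per suspicious driver load, escalated if a security process dies soon after."""
    alerts, loads = [], []
    for ev in events:  # assumed sorted by UtcTime
        if ev.get("EventID") == 6:
            reasons = driver_findings(ev)
            if reasons:
                alert = {"rule": "byovd_driver_load", "severity": "high",
                         "driver": ev["ImageLoaded"], "reasons": reasons, "time": ev["UtcTime"]}
                loads.append((_ts(ev), alert))
                alerts.append(alert)
        elif ev.get("EventID") == 5:
            name = ntpath.basename(ev.get("Image", "")).lower()
            if name in SECURITY_PROCESSES:
                for load_time, alert in loads:
                    if timedelta(0) <= _ts(ev) - load_time <= window:
                        alert["severity"] = "critical"
                        alert["followed_by_termination_of"] = name
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The second sample load is signed by a real-looking vendor, which is exactly the point of BYOVD: signature validity alone is not a safe signal, so the path, the blocklist hash and the follow-on termination carry the weight of the detection.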

A typical attack begins with a fake tax audit email. The victim opens an attachment, triggering a loader that downloads malware.

A legitimate remote management tool is installed for persistence, followed by deployment of a RAT or data stealer. Finally, attackers exfiltrate sensitive data while maintaining long-term access.

Silver Fox’s campaigns highlight a growing trend of combining psychological manipulation with technical sophistication, making them particularly effective against both individuals and organizations.
