Silver Fox Hackers Attacking Indian Entities with Income Tax Phishing Lures


Chinese threat actors operating under the name Silver Fox are targeting Indian organizations through sophisticated phishing campaigns that impersonate legitimate income tax documents.

The attack campaign uses authentic-looking Income Tax Department emails to trick users into downloading a malicious executable disguised as a tax-related file.

Once the attachment is opened, the victim is redirected to a command-and-control server, which initiates a multi-stage infection chain designed to bypass security defenses and establish persistent access to the compromised system.

The attack begins with a deceptive email containing a PDF attachment bearing an Indian company name. When opened, the PDF leads to a malicious website that downloads a file named “tax_affairs.exe”.

This initial payload serves as a loader for multiple stages of malware, each designed to hide its true purpose while maintaining deep access to victim systems.

The threat demonstrates how attackers leverage socially engineered documents combined with trusted file formats to overcome traditional security controls.


Kill chain (Source - CloudSEK)

CloudSEK analysts, whose investigation identified the malware, found that the campaign had previously been misattributed to other threat groups.

The discovery highlights how accurate threat attribution prevents organizations from deploying incorrect defensive measures against the actual adversary.

Understanding the true source of attacks enables security teams to anticipate future tactics and implement targeted countermeasures specific to Silver Fox’s operational patterns.

DLL hijacking

The infection mechanism relies on a technique called DLL hijacking to activate the main payload. The first stage drops a legitimate executable called Thunder.exe, developed by the Chinese software company Xunlei.

This signed binary is weaponized by placing a malicious DLL file named libexpat.dll in the same temporary directory. When Thunder.exe runs, Windows loads the fake DLL instead of the genuine one due to the default DLL search order, executing the attacker’s code while appearing completely legitimate.
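The side-loading pattern just described (a signed executable such as Thunder.exe loading an unsigned DLL from the same temporary directory) is straightforward to hunt for in image-load telemetry. The script below is an added example, not code from CloudSEK or from the article; its records are constructed for this example and only loosely modelled on the fields of a Sysmon Event ID 7 (Image loaded) event, and the normal install path of Thunder.exe used in the second record is an assumption.

```python
"""Hunt for DLL side-loading: a signed EXE loading an unsigned DLL from the
same user-writable directory. Records are constructed for this example and
loosely modelled on Sysmon Event ID 7 fields; they are not real telemetry."""
import ntpath
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. A DLL loaded from here, next
# to its host EXE, is far more suspicious than one loaded from Program Files.
WRITABLE_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"^[a-z]:\\users\\public\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
]


@dataclass
class ImageLoad:
    image: str          # process executable (Sysmon "Image")
    image_loaded: str   # DLL mapped into it (Sysmon "ImageLoaded")
    image_signed: bool  # host EXE carries a valid Authenticode signature
    dll_signed: bool    # the DLL itself is signed


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|key=value' record."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        image_signed=fields["ImageSigned"].lower() == "true",
        dll_signed=fields["DllSigned"].lower() == "true",
    )


def in_writable_dir(path: str) -> bool:
    return any(p.match(path) for p in WRITABLE_DIR_PATTERNS)


def is_sideload(ev: ImageLoad) -> bool:
    """Signed EXE + unsigned DLL + both in the same user-writable directory."""
    same_dir = ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.image_loaded).lower()
    return ev.image_signed and not ev.dll_signed and same_dir and in_writable_dir(ev.image_loaded)


def find_sideloads(lines):
    return [ev for ev in map(parse_line, lines) if is_sideload(ev)]


# Constructed sample records. Only the first mirrors the chain in the article:
# the signed Thunder.exe loading libexpat.dll from the user's Temp directory.
SAMPLE_LOG = [
    r"Image=C:\Users\ravi\AppData\Local\Temp\Thunder.exe|ImageLoaded=C:\Users\ravi\AppData\Local\Temp\libexpat.dll|ImageSigned=true|DllSigned=false",
    # the same binary installed normally with its genuine signed DLL (install path is assumed)
    r"Image=C:\Program Files\Xunlei\Thunder.exe|ImageLoaded=C:\Program Files\Xunlei\libexpat.dll|ImageSigned=true|DllSigned=true",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|ImageSigned=true|DllSigned=true",
    # unsigned installer loading its own unsigned helper: noisy, but not this pattern
    r"Image=C:\Users\ravi\AppData\Local\Temp\setup.exe|ImageLoaded=C:\Users\ravi\AppData\Local\Temp\helper.dll|ImageSigned=false|DllSigned=false",
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_LOG):
        print(f"possible DLL side-load: {ev.image} loaded unsigned {ev.image_loaded}")
```

Run against the sample, only the Temp-directory Thunder.exe record is flagged. The signed-EXE/unsigned-DLL/same-directory combination is what makes the rule precise: requiring all three keeps ordinary installers and system binaries out of the alert queue, while the writable-directory check is what separates the weaponized copy from a normal installation of the same software.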

PDF Decoy (Source - CloudSEK)

The malicious DLL implements extensive anti-analysis capabilities before engaging in actual infection activities.

It scans running processes to detect security research tools and sandboxes, then checks system resources to ensure the machine meets minimum requirements for infection. If analysis tools are found, the malware terminates itself to avoid detection.

Once the system passes these checks, the DLL disables Windows Update services and loads an encrypted file called box.ini from the temporary directory.

Process Injection (Source - CloudSEK)

This encrypted payload is decrypted using hardcoded cryptographic keys and executed as raw machine code directly in system memory, leaving minimal traces on the hard drive.

The final payload is Valley RAT, a remote access trojan that establishes persistent command-and-control over infected systems.

Valley RAT uses a sophisticated three-tier failover system to maintain contact with attacker servers, automatically switching between primary, secondary, and tertiary command centers if connections fail.

The malware stores its configuration in the Windows registry as binary data, allowing attackers to update command and control addresses without reinstalling the malware.

It supports multiple communication protocols, including HTTP, HTTPS, and raw TCP sockets, making it difficult to block using simple network filtering.
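The three-tier failover and multi-protocol behaviour described above leaves a recognisable trace in proxy or firewall logs: a single process trying several distinct external endpoints in quick succession, with the earlier attempts failing. The script below is an added detection example, not code from CloudSEK or from the article. Its log lines are constructed for the example (TEST-NET addresses), the field layout is invented rather than that of any real sensor, and the 60-second window and thresholds are assumptions to tune locally.

```python
"""Flag failover-style beaconing: one process contacting several distinct
external endpoints within a short window, most attempts failing.
Log lines are constructed for this example; the layout is not a real sensor's."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed: failover retries are tightly spaced
MIN_DISTINCT_DST = 3             # primary / secondary / tertiary servers
MIN_FAILURES = 2                 # at least two of them had to fail first


def parse_line(line):
    """Parse '<iso-time> proc=.. pid=.. dst=.. proto=.. result=..' (constructed format)."""
    ts, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "proc": f["proc"], "pid": int(f["pid"]),
        "dst": f["dst"], "proto": f["proto"], "ok": f["result"] == "ok",
    }


def find_failover(lines):
    """Return one alert per (process, pid) showing the failover pattern."""
    by_proc = defaultdict(list)
    for ev in map(parse_line, lines):
        by_proc[(ev["proc"], ev["pid"])].append(ev)

    alerts = []
    for (proc, pid), events in by_proc.items():
        events.sort(key=lambda e: e["time"])
        for i, start in enumerate(events):
            # all events from this one onward that fall inside the window
            window = [e for e in events[i:] if e["time"] - start["time"] <= WINDOW]
            dsts = {e["dst"] for e in window}
            failed = {e["dst"] for e in window if not e["ok"]}
            if len(dsts) >= MIN_DISTINCT_DST and len(failed) >= MIN_FAILURES:
                alerts.append({
                    "process": proc, "pid": pid,
                    "destinations": sorted(dsts),
                    "protocols": sorted({e["proto"] for e in window}),
                })
                break  # one alert per process is enough
    return alerts


# Constructed sample: the first process walks primary -> secondary -> tertiary
# across HTTPS, HTTP and raw TCP; the others are ordinary browser/mail traffic.
SAMPLE_LOG = [
    "2024-03-05T10:00:00Z proc=Thunder.exe pid=4120 dst=203.0.113.10:443 proto=https result=fail",
    "2024-03-05T10:00:04Z proc=Thunder.exe pid=4120 dst=198.51.100.7:8080 proto=http result=fail",
    "2024-03-05T10:00:09Z proc=Thunder.exe pid=4120 dst=192.0.2.25:5000 proto=tcp result=ok",
    "2024-03-05T10:00:01Z proc=chrome.exe pid=2200 dst=203.0.113.50:443 proto=https result=ok",
    "2024-03-05T10:00:20Z proc=chrome.exe pid=2200 dst=203.0.113.51:443 proto=https result=ok",
    "2024-03-05T10:00:30Z proc=chrome.exe pid=2200 dst=203.0.113.52:443 proto=https result=ok",
    "2024-03-05T10:01:00Z proc=outlook.exe pid=3100 dst=198.51.100.20:443 proto=https result=fail",
    "2024-03-05T10:01:30Z proc=outlook.exe pid=3100 dst=198.51.100.20:443 proto=https result=ok",
]

if __name__ == "__main__":
    for a in find_failover(SAMPLE_LOG):
        print(f"failover-style beaconing: {a['process']} (pid {a['pid']}) -> {a['destinations']} over {a['protocols']}")
```

The browser in the sample also reaches three distinct hosts inside the window, but none of its connections fail, so it is not flagged; the mail client retries the same host, so it never reaches three destinations. Because the rule keys on the sequence of failures rather than on any single address or protocol, it still fires when the operators rotate servers or move from HTTPS to a raw socket, which is precisely what makes address-based blocking brittle against this malware. Software updaters and CDN-backed applications can produce similar bursts, so an allowlist of known processes is a sensible addition before deploying it.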

Once installed, Valley RAT can execute attacker commands, capture keyboard input, harvest credentials, transfer files, and deploy additional malicious modules on demand.

The modular architecture allows operators to customize each infection with specialized capabilities tailored to the target’s value and role within the compromised organization, making this a particularly dangerous threat to Indian enterprises.
