
Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware

Published:

30 December 2025 at 10:46:00

Alert date:

30 December 2025 at 12:02:11

Source:

thehackernews.com


Ransomware & Malware, Email & Messaging

The Silver Fox threat actor is conducting a targeted phishing campaign against Indian users, using income tax-themed emails as lures to distribute the ValleyRAT (also known as Winos 4.0) remote access trojan. The sophisticated attack employs a complex kill chain involving DLL hijacking and modular components to ensure persistence on infected systems. This represents a geographic shift in Silver Fox's operations, now focusing specifically on Indian targets through tax-related social engineering tactics.

Technical details

Silver Fox uses tax-themed phishing emails containing decoy PDFs that redirect to the ggwk[.]cc domain to download tax affairs.zip. The ZIP contains an NSIS installer that leverages DLL hijacking, pairing the legitimate Thunder executable (thunder.exe) with a malicious libexpat.dll. The DLL disables the Windows Update service, performs anti-analysis checks, and acts as a Donut loader that injects the ValleyRAT payload into a hollowed explorer.exe process. ValleyRAT uses a plugin-oriented architecture with registry-resident plugins, delayed beaconing for persistence, keylogging and credential-harvesting capabilities, and communicates with external C2 servers.

Mitigation steps:

Implement email security controls to detect tax-themed phishing campaigns
Monitor for DLL sideloading activity involving the Thunder executable and libexpat.dll
Detect process hollowing into explorer.exe
Monitor the registry for malicious plugins
Watch for the Windows Update service being disabled
Implement behavioral analysis for anti-sandbox evasion techniques
Block access to identified malicious domains and C2 infrastructure
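Three of the mitigation steps above (the thunder.exe/libexpat.dll sideload, the Windows Update service being disabled, and explorer.exe being used as a hollowing target) can be expressed as simple detection rules over endpoint telemetry. The script below is an added example, not code from the advisory or from Perceptive; the events are constructed, Sysmon-style records, and the rules are illustrative heuristics (user-writable path markers, signature flag, unusual explorer.exe parent), not vendor detection content.

```python
"""Toy detection rules for the delivery chain described in this advisory.

Added example. The events are constructed, Sysmon-style records (EventID 7 =
image loaded, EventID 1 = process create), not real telemetry, and the rules
are illustrative heuristics rather than any vendor's detection content.
"""
from dataclasses import dataclass

# Constructed sample telemetry: one benign and one suspicious Thunder DLL load,
# a service reconfiguration, and two explorer.exe process creations.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Thunder\thunder.exe",
     "ImageLoaded": r"C:\Program Files\Thunder\libexpat.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\tax affairs\thunder.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tax affairs\libexpat.dll",
     "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config wuauserv start= disabled",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\tax affairs\thunder.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\tax affairs\thunder.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

# Path fragments that indicate a location a standard user can write to (heuristic).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_path(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def rule_thunder_sideload(ev: dict):
    """thunder.exe loading a libexpat.dll that is unsigned or sits in a user-writable path."""
    if ev.get("EventID") != 7:
        return None
    if basename(ev["Image"]) != "thunder.exe" or basename(ev["ImageLoaded"]) != "libexpat.dll":
        return None
    reasons = []
    if in_user_writable_path(ev["ImageLoaded"]):
        reasons.append("DLL loaded from user-writable path")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("DLL is unsigned")
    if not reasons:
        return None  # legitimate Thunder loading its own signed DLL
    return Alert("dll_sideload_thunder_libexpat", "; ".join(reasons))


def rule_windows_update_disabled(ev: dict):
    """sc.exe disabling or stopping wuauserv (the Windows Update service)."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "sc.exe":
        return None
    tokens = ev.get("CommandLine", "").lower().split()
    if "wuauserv" in tokens and any(t in ("stop", "disabled", "start=disabled") for t in tokens):
        return Alert("windows_update_service_disabled", ev["CommandLine"])
    return None


def rule_explorer_from_user_writable_parent(ev: dict):
    """explorer.exe created by a parent that lives in a user-writable directory."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "explorer.exe":
        return None
    parent = ev.get("ParentImage", "")
    if in_user_writable_path(parent):
        return Alert("explorer_spawned_from_user_writable_parent", parent)
    return None


RULES = (rule_thunder_sideload, rule_windows_update_disabled,
         rule_explorer_from_user_writable_parent)


def detect(events):
    """Apply every rule to every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The explorer.exe rule deliberately keys on the parent's location rather than on thunder.exe by name, so a renamed sideload host still trips it; the cost is that legitimate launches of explorer.exe from user-profile tooling will need to be tuned out per environment.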

Affected products:

Windows
Microsoft Defender Antivirus
Thunder download manager
Microsoft Teams
CloudChat
FlyVPN
OpenVPN
QieQie
Santiao
Signal
Sigua
Snipaste
Sogou
Telegram
ToDesk
WPS Office
Youdao

Related links:

Related CVEs:

Related threat actors:

IOCs:

ggwk[.]cc, ssl3[.]space, tax affairs.zip, tax affairs.exe, thunder.exe, libexpat.dll, explorer.exe

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
