Silver Fox
Silver Fox is a China-based threat actor, described in the underlying reporting as China-aligned, Chinese-linked, and in some reporting as a Chinese cybercrime group or a Chinese state-associated threat actor. Known aliases in the content include silver_fox_apt, Void Arachne, SwimSnake, and The Great Thief of Valley. The content also notes overlap with TA4922 and references reuse of Silver Fox-family tooling by other actors, so some malware associated with the cluster may not be exclusive to it. The actor has been reported active since at least 2022, with some sources describing activity since 2024. Reported targeting includes healthcare organizations, public sector entities, businesses and individuals across Asia, and organizations in India, Russia, Japan, Taiwan, Indonesia, Malaysia, Singapore, Thailand, the Philippines, South Africa, the United Kingdom, Germany, and Italy. Specific victim sectors mentioned in the content include healthcare, finance, industrial, consulting, retail, transportation, government contractors, tax professionals, corporate finance/accounts teams, and taxpayers. Multiple campaigns used tax-themed social engineering, including impersonation of India's Income Tax Department, Russia's tax authorities, Taiwan's National Tax Bureau, and Indonesia's Directorate General of Taxes (DJP/DGT). Silver Fox commonly uses phishing emails, phishing websites, instant messaging, WhatsApp delivery, SEO poisoning, typosquatted domains, counterfeit software download pages, trojanized installers, fake Flash updates, and compromised or fake software installers. Lures in the content include fake tax audit notices, salary notices, invoice and HR themes, software updates, and trojanized medical imaging software such as Philips DICOM viewers.
Malware and tooling directly associated in the content with Silver Fox include ValleyRAT/Winos 4.0, ABCDoor, Atlas RAT, FatalRAT, 10FXRAT/PoisonX RAT, PXDropper, PoisonX, Catena loader, RustSL-based loaders, RomulusLoader, SilentRunLoader, and Winos-family malware. ValleyRAT/Winos 4.0 is repeatedly described as a primary or commonly associated Silver Fox malware family. ABCDoor is described as a Python/Cython backdoor delivered via custom ValleyRAT plugins. The content also links Silver Fox activity to Atlas RAT, DcRAT-related payloads in Operation DragonReturn through infrastructure/TTP overlap, and campaigns using fake RMM tools or legitimate RMM software such as Ping32, ManageEngine Endpoint Central, and AnyDesk. Techniques described in the content include DLL sideloading, multi-stage loaders, process injection into svchost.exe, fileless .NET execution, AMSI bypass, ETW interference, anti-debugging, anti-VM and sandbox checks, geofencing, XOR-encrypted payload/configuration handling, registry-resident modules, scheduled-task and Run-key persistence, Windows service persistence, screenshot capture, keylogging, clipboard theft, file operations, process management, remote shell access, SOCKS5 tunneling, and data exfiltration over encrypted channels. The actor also uses BYOVD and malicious or vulnerable signed drivers to disable security tools. Drivers and driver-related tooling mentioned in connection with Silver Fox include TrueSightKiller/189atohci.sys, wsftprm.sys, rwdriver.sys, Cndom6.sys, XiaoH.sys, EneIo64.sys, and procexp.sys. Reported kernel-level behavior includes terminating security products, hiding processes and network traffic, and exposing rootkit IOCTL primitives. The content describes Silver Fox as operating across both financially motivated and espionage-oriented activity. Several reports explicitly characterize the group as dual-use, crossing the line between cybercrime and espionage.
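The driver names listed above are the most directly actionable detail in this summary for a defender, since BYOVD loads of signed drivers are observable as kernel driver-load events. The Sigma rule below is an added illustration written for this page, not a rule distributed by Mallory or any vendor named here; it assumes a Windows driver-load log source (for example Sysmon Event ID 6) and uses only the driver file names given in the summary, with a placeholder `id` that must be replaced before deployment.

```yaml
# Added example: detection of driver loads matching driver names reported in
# connection with Silver Fox BYOVD activity. Placeholder id; tune before use.
title: Driver Load Matching Drivers Reported in Silver Fox BYOVD Activity
id: 00000000-0000-4000-8000-000000000000   # placeholder UUID, replace before deployment
status: experimental
description: |
  Detects kernel driver loads whose image path ends with a driver file name
  reported in connection with Silver Fox's abuse of malicious or vulnerable
  signed drivers to disable security tools. Filename-only matching is a
  starting point; pair with signer and hash data from your own reporting.
author: Added example (not vendor-distributed)
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith:
      - '\189atohci.sys'   # reported with TrueSightKiller
      - '\wsftprm.sys'
      - '\rwdriver.sys'
      - '\Cndom6.sys'
      - '\XiaoH.sys'
      - '\EneIo64.sys'
      - '\procexp.sys'
  condition: selection
falsepositives:
  - Several of these are legitimately signed drivers (e.g. procexp.sys is named like the Sysinternals Process Explorer driver), so benign administrative or vendor-utility use will also match
level: medium
tags:
  - attack.defense-evasion
  - attack.t1562.001
```

Because BYOVD relies on drivers that are validly signed, a filename match on its own only says that a driver worth looking at was loaded; the follow-up is to check the loading process, whether the driver was dropped shortly before the load, and whether security-product processes terminated afterwards, which are the kernel-level behaviours the summary attributes to this cluster.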
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Financial Services
Where they target
Geographies tied to known operations.
- 🇮🇳 India
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
47 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
24 malware families attributed to this actor across reporting.
19 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, and it has been exploited in the wild.
Observables
419 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Assessed as the likely China-aligned cluster linked to Operation DragonReturn, a cyber-espionage phishing campaign targeting India’s taxpayer and government financial ecosystem via multi-stage DcRAT deployment.
A China-aligned threat actor assessed with medium-to-high confidence to be linked to Operation DragonReturn, a spear-phishing and multi-stage RAT deployment campaign targeting Indian tax/government financial infrastructure for espionage, credential theft, and data exfiltration.
Possibly linked to the analyzed VBScript, Ping32 RMM, and ValleyRAT activity through infrastructure overlap, though the article says evidence is insufficient for confident attribution. The group is described as one of China’s largest and most active cybercrime groups and is alleged to have conducted bulk phishing, corporate data theft, and fraud.
Associated with activity involving signed malicious drivers, including rwdriver.sys, Cndom6.sys, and XiaoH.sys.