SilverFox

SilverFox is a Chinese-origin, Chinese-speaking threat actor associated with ValleyRAT/Winos 4.0 and related Gh0stRAT-family tooling. Reporting in the provided content describes SilverFox targeting primarily Chinese-speaking users in mainland China and the broader region through social engineering and trojanized software, with additional targeting of Taiwan and Japan. Observed lures include fake Microsoft Teams installers, trojanized legitimate software such as Arma 3 server binaries and WeChat-themed bundles, fake censorship-bypass tools, HR and disciplinary-investigation documents, banking fraud guidance, meeting-room reservation apps, Telegram installers, Doubao AI, game cheats, and other Chinese-language decoys. Across the cited reporting, SilverFox is linked to ValleyRAT, Winos 4.0, HoldingHands RAT (also known as Gh0stBins), Gh0stCringe RAT, Ghost RAT, and RustyStealer. One source also notes the alias YouSnake. The content repeatedly links SilverFox activity to the broader Winos/Gh0stRAT-derived malware ecosystem. Tactics and techniques directly described in the content include DLL sideloading using legitimate Tencent binaries such as GameBox.exe and UxEnhanceHost, use of NSIS and WinRAR SFX droppers, staged in-memory decryption and reflective loading, process injection and hollowing, scheduled-task and service-based persistence, registry-based persistence indicators, Windows Defender exclusions, anti-debugging and anti-VM checks, API hashing, clipboard theft, keylogging, active-window monitoring, downloader functionality, and exfiltration of collected data. Multiple reports describe SilverFox using BYOVD to terminate or evade security tools, including exploitation of the STProcessMonitor kernel driver for privilege escalation. One report states the group also used compromised PHP servers exposed to remote code execution to install ValleyRAT via msiexec. Infrastructure described in the content includes command-and-control and staging hosted across Tencent Cloud, Alibaba Cloud, AWS Hong Kong and Singapore, Vultr Singapore, Fastmos Hong Kong, SonderCloud, Cloudbays, Huawei Cloud, SpeedVM/LeaseKVM, ANTBOX Networks, Amazon S3, and bare-IP VPS infrastructure. Several reports highlight an apparent shift in some ValleyRAT activity from historically Tencent Cloud-hosted infrastructure to Western VPS providers. The content also notes recurring registrar patterns involving 22.cn, Gname.com, and NameSilo, and repeated WHOIS artifacts including the name Peng Benbo and email di823748@163.com in infrastructure linked to SilverFox campaigns. The content characterizes SilverFox as a Chinese-nexus actor; some reporting explicitly calls it China-based or Chinese-origin, and one cited source describes it as a suspected financially motivated threat actor with infrastructure inside and targeting China.