Silver Fox campaign uses fake tax alerts and software updates to deliver malware
Silver Fox is using fake tax audit messages, HR-themed emails, and counterfeit software update pages to infect users across Asia with remote access malware. Recent research shows the China-based group has expanded from mainly financial attacks into a mix of cybercrime and espionage-style operations.
S2W says Silver Fox has been active since at least 2022 and has grown more aggressive since 2024. The group first focused on China, then expanded to Taiwan and Japan, before widening its operations across Malaysia, Indonesia, Singapore, Thailand, and the Philippines in 2025.
The campaign stands out because the lures match local timing and user habits. In Taiwan, Silver Fox impersonated the National Tax Bureau during the local tax audit period. In Japan, researchers also observed tax and HR-themed messages timed around a busy filing and organizational-change season.
Silver Fox is mixing cybercrime and espionage
Silver Fox started as a financially motivated threat group, but researchers now describe it as a dual-purpose actor. It still runs broad campaigns for profit, while also using more advanced tools that fit intelligence collection and long-term access.
The group is also tracked under names such as Void Arachne, SwimSnake, The Great Thief of Valley, and UTG-Q-1000. Its targets have moved beyond individual users and now include public-sector, financial, medical, technology, and corporate environments.
That shift makes the campaign more serious for businesses. A fake tax notice or software update can now lead to tools that support data theft, remote control, persistence, and security bypass.
How the latest campaign works
The attack usually starts with a convincing lure. Victims may receive an email that looks like a tax audit notice, a payroll or HR message, or a software update prompt. The goal is to make the file or download feel routine.
In tax-themed campaigns, researchers have seen malicious PDFs that redirect victims to download ZIP files. In one India-focused chain, the ZIP contained an NSIS installer, a legitimate thunder.exe file, and a malicious libexpat.dll used for DLL sideloading.
After execution, the malware can disable Windows Update, run anti-analysis checks, inject code into explorer.exe, and deploy ValleyRAT. This gives attackers remote control while making the activity harder to spot.
At a glance
| Item | Details |
|---|---|
| Threat group | Silver Fox |
| Other names | Void Arachne, SwimSnake, UTG-Q-1000, The Great Thief of Valley |
| Active since | At least 2022 |
| Main regions | China, Taiwan, Japan, India, Malaysia, Indonesia, Singapore, Thailand, Philippines |
| Main lures | Tax audit alerts, HR emails, fake software updates, fake app sites |
| Main malware | ValleyRAT, AtlasCross RAT, HoldingHands, Catena Loader, Gh0st RAT variants |
| Main goals | Remote access, data theft, financial gain, possible intelligence collection |
| Key risk | Malware delivered through trusted-looking government and software themes |
Fake software updates add another infection path
Silver Fox does not rely only on tax documents. The group also uses fake software websites and typosquatted domains that imitate trusted tools. These sites can impersonate VPN clients, messaging apps, video meeting platforms, crypto tools, and business applications.
The Hacker News reported that one campaign used fake domains for brands such as Signal, Telegram, Zoom, Microsoft Teams, Surfshark VPN, Trezor, and UltraViewer. The attackers used these sites to deliver AtlasCross RAT through ZIP archives and trojanized installers.
This approach works because many users expect regular app updates. If a fake update page looks professional, victims may download the installer without questioning it.
Malware used by Silver Fox
S2W lists a broad Silver Fox toolkit that includes ValleyRAT, Nidhogg Rootkit, HoldingHands RAT, CleverSoar Installer, AtlasCross RAT, Gh0stCringe, PNGPlug Loader, Catena Loader, and Gh0st RAT.
ValleyRAT, also known as Winos, remains one of the group’s most important tools. Sekoia says Silver Fox continues to use it even after the ValleyRAT builder leaked in 2023, adding plugins and evasion features to keep it useful.
AtlasCross RAT shows how the group’s tooling is evolving. Reports describe encrypted command-and-control traffic, memory execution, persistence, file operations, shell access, WeChat injection, RDP session hijacking, and security bypass behavior.
Silver Fox tactics compared
| Tactic | What it does | Why it works |
|---|---|---|
| Tax-themed phishing | Impersonates official tax agencies or audit notices | Users may act quickly during tax season |
| HR-themed emails | Uses payroll or workplace documents | Employees expect internal paperwork |
| Fake update sites | Imitates trusted apps and tools | Users trust familiar software names |
| DLL sideloading | Uses legitimate apps to load malicious DLLs | Security tools may trust the signed app |
| Process injection | Runs malware inside trusted processes | Makes detection harder |
| BYOVD-style techniques | Abuses vulnerable signed drivers | Can help disable security tools |
| RAT deployment | Gives attackers remote access | Enables data theft and long-term control |
Why businesses should care
The campaign is not only a consumer malware problem. S2W says Silver Fox’s target industries have expanded to medical, financial, and corporate environments.
Those sectors hold sensitive data and often receive tax, payroll, procurement, and software-update messages every day. That gives attackers many chances to hide malicious files inside normal workflows.
A successful infection can expose credentials, internal documents, chat data, financial records, and customer information. It can also give attackers a foothold for later fraud, espionage, or ransomware activity.
What security teams should monitor
Security teams should watch for tax-themed emails that include PDFs, ZIP files, shortcut files, or installers. They should also inspect downloads from fake software domains and unusual update pages.
Endpoint teams should look for suspicious use of thunder.exe, unexpected DLL sideloading, code injection into explorer.exe, and malware persistence through scheduled tasks or registry changes. In some campaigns, Silver Fox has used signed binaries and stolen certificates to make payloads look more trustworthy.
Network teams should also monitor command-and-control activity linked to unknown domains, newly registered software lookalike sites, and suspicious encrypted outbound connections from user endpoints.
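A small detection check for the DLL-sideloading shape described above (thunder.exe loading libexpat.dll from a user-writable folder), written as an added example and not taken from S2W or any vendor: it scores constructed Sysmon-style image-load records, treating only the thunder.exe/libexpat.dll pairing as given by the article and every path, user name and the trusted-directory allowlist as assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Host/DLL pairing named in the article; everything else in this file is constructed.
SIDELOAD_PAIRS = {"thunder.exe": {"libexpat.dll"}}
# Where a legitimately installed binary is expected to live (assumption: short allowlist).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class ImageLoad:
    image: str         # process that performed the load (Sysmon Event ID 7 "Image")
    image_loaded: str  # DLL that was loaded ("ImageLoaded")
    signed: bool       # whether the DLL carried a valid signature

def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)

def assess(ev: ImageLoad) -> Optional[str]:
    """Return 'high', 'medium' or None for one image-load record."""
    host, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.image_loaded)
    known_pair = dll.name.lower() in SIDELOAD_PAIRS.get(host.name.lower(), set())
    same_dir = host.parent == dll.parent  # PureWindowsPath compares case-insensitively
    if known_pair and (not _trusted(ev.image_loaded) or not ev.signed):
        return "high"    # the campaign's exact chain, outside an install directory
    if same_dir and not _trusted(ev.image_loaded) and not ev.signed:
        return "medium"  # generic sideload shape: unsigned DLL sitting next to the EXE
    return None

def sideload_findings(events):
    """Return (process, dll, severity) for every record that scores."""
    return [(ev.image, ev.image_loaded, sev) for ev in events if (sev := assess(ev))]

# Constructed sample records: paths and user names are made up for the demo.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\TaxAudit\thunder.exe",
              r"C:\Users\alice\Downloads\TaxAudit\libexpat.dll", signed=False),
    ImageLoad(r"C:\Program Files\Thunder\thunder.exe",
              r"C:\Program Files\Thunder\libexpat.dll", signed=True),
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\update\setup.exe",
              r"C:\Users\bob\AppData\Local\Temp\update\helper.dll", signed=False),
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\shell32.dll", signed=True),
]

if __name__ == "__main__":
    for image, dll, sev in sideload_findings(SAMPLE_EVENTS):
        print(f"[{sev}] {image} loaded {dll}")
```

The second record shows why the pairing alone is not enough: a signed libexpat.dll under Program Files is the legitimate install and scores nothing.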
Recommended defenses
- Block ZIP, LNK, and executable attachments from untrusted senders where possible.
- Add extra email filtering during tax season and payroll periods.
- Train finance, HR, and accounting teams to verify tax audit messages through official portals.
- Block newly registered domains that imitate trusted software brands.
- Use application control to stop unknown installers from running.
- Enforce driver blocklists to reduce BYOVD risk.
- Monitor DLL sideloading and process injection behavior.
- Keep EDR and Windows security features updated.
- Restrict local admin rights on employee devices.
- Review endpoint logs for fake update installers and RAT activity.
Why the campaign keeps working
Silver Fox succeeds because it understands user behavior. Tax notices create urgency. HR messages feel routine. Software updates look necessary.
The group also adapts quickly. Researchers have tracked a move from ValleyRAT-heavy delivery to RMM abuse, Python-based stealers, AtlasCross RAT, and other tools. That flexibility helps Silver Fox continue operating even when defenders block one infection path.
For organizations in Asia, the safest approach is to treat tax-season emails and software update prompts as high-risk entry points. The message may look ordinary, but the payload behind it can give attackers full remote access.
FAQ
Silver Fox is a China-based threat group active since at least 2022. It is also tracked as Void Arachne, SwimSnake, UTG-Q-1000, and The Great Thief of Valley.
Recent campaigns use fake tax audit alerts, HR-themed messages, malicious PDFs, fake software update sites, and typosquatted domains to deliver malware such as ValleyRAT and AtlasCross RAT.
Researchers have reported activity affecting China, Taiwan, Japan, India, Malaysia, Indonesia, Singapore, Thailand, and the Philippines.
Silver Fox has used ValleyRAT, AtlasCross RAT, HoldingHands, Gh0stCringe, Catena Loader, PNGPlug Loader, Nidhogg Rootkit, and other tools.