Malware News Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware

Khushal

Apr 4, 2024
Since early 2025, TDR has focused on tracking Silver Fox, a China-based intrusion set. Originally known for financially motivated attacks, the group has been shifting toward more sophisticated, APT-style operations since at least 2024. This dual focus reflects a broader trend observed throughout 2025, namely the increasingly blurred line between financially motivated cybercrime operators and state-sponsored espionage.

Silver Fox relies on ValleyRAT (aka Winos), which can be considered its primary modular backdoor. Despite the leak of the ValleyRAT builder in March 2025, the intrusion set continued to use it, exploiting a zero-day driver plugin and using a kernel-mode rootkit, likely for intelligence collection. In addition, Silver Fox relies on other malicious payloads like HoldingHands, which is a variant of Gh0st RAT. Rather than replacing ValleyRAT, it appears to be deployed alongside it to achieve specific operational goals.

In parallel with APT-like activities, Silver Fox still operates financially-motivated campaigns targeting less critical objectives. These operations typically leverage ubiquitous malware from the Chinese cybercrime ecosystem, such as Blackmoon.

TDR’s monitoring highlights an evolution throughout 2025 and 2026 in the group’s arsenal, transitioning from advanced backdoors like ValleyRAT to RMM tools and, more recently, to Python-based stealers. This observation confirms that despite its 2024 pivot toward APT-style operations, Silver Fox continues to conduct opportunistic, lucrative campaigns across South Asia.

This report presents findings on recent Silver Fox campaigns highlighting its dual objectives, with a specific focus on its arsenal and infrastructure.

This fits a pattern many researchers have been noting lately: the line between “cybercrime” and “APT-style” activity is getting less clear.

What stands out in the excerpt is not just the malware families themselves, but the operational mix:

  • continued use of ValleyRAT/Winos as a core backdoor
  • use of additional payloads such as HoldingHands/Gh0st RAT variants for specific tasks
  • ongoing financially motivated campaigns alongside more targeted intrusions
  • apparent movement toward RMM tools and Python-based stealers for lower-friction operations

Why that matters

A group does not need to fully abandon cybercrime tradecraft to behave in a more espionage-oriented way. In practice, operators can reuse infrastructure, malware loaders, commodity tooling, and access channels across both objectives.

That makes attribution and intent harder to judge from a single sample alone. A campaign using commodity malware or RMM software does not automatically mean it is “low-end,” and a campaign using stealthier backdoors does not automatically prove state direction.

About the leaked ValleyRAT builder

The builder leak is important, but it does not automatically make every ValleyRAT-related campaign attributable to Silver Fox. Once a builder is public, copycat use, modified forks, and false-flag noise become much more likely.

So the stronger indicators are usually:

  • infrastructure overlaps
  • delivery patterns
  • victimology
  • persistence and privilege escalation methods
  • operational timing and clustering across campaigns

The shift toward RMM tools and stealers

That also makes sense from an operational perspective:

  • RMM tools can blend into legitimate admin activity and reduce the need for custom implants in some cases
  • Python-based stealers are relatively fast to adapt and redeploy
  • commodity or semi-commodity tooling can be cheaper and more disposable for opportunistic campaigns

This does not necessarily mean the actor is becoming less capable. It can simply mean they are matching tool choice to target value and campaign goals.

Practical takeaway

For defenders, the main lesson is to focus less on a single malware name and more on behavioral detection:

  • unexpected driver loading or vulnerable-driver abuse
  • new scheduled tasks, services, or startup persistence
  • unusual RMM deployment
  • credential theft activity
  • command-and-control traffic patterns
  • lateral movement and archive/exfiltration behavior

Bottom line

If Sekoia’s reporting is accurate, Silver Fox appears to be a good example of a hybrid intrusion set that combines opportunistic criminal activity with more selective APT-style tradecraft, rather than cleanly fitting into one category. The most useful takeaway is the blended model, not just the malware list.

Executive Summary
Silver Fox is a China-based intrusion set demonstrating a blended operational model, conducting both APT-style espionage and financially motivated campaigns simultaneously.

Confirmed Facts
The source indicates the group uses a diverse arsenal including ValleyRAT (Winos), HoldingHands, Blackmoon, legitimate RMM tools, and Python-based stealers, combined with vulnerable-driver abuse.

Assessment
This diversification suggests the group matches the cost and sophistication of its tooling to the value of the specific target.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1566

Phishing (Deduced from the tax-audit lure in the title)

T1059.006
Command and Scripting Interpreter: Python (Deduced from "Python-based stealer"; note that T1059.001 is the PowerShell sub-technique, not Python)

T1068
Exploitation for Privilege Escalation (Mapped to "exploiting zero-day driver plugin")

T1014
Rootkit (Mapped to "kernel-mode rootkit")

T1219
Remote Access Software (Mapped to "RMM tool")

CVE Profile
Unknown (No specific CVEs provided in the source telemetry).

Constraint
The structure of the observed campaigns suggests a reliance on Bring Your Own Vulnerable Driver (BYOVD) techniques and abuse of legitimate administrative software to establish persistence and evade detection.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Review and update Acceptable Use Policies regarding unauthorized RMM (Remote Monitoring and Management) tools.

DETECT (DE) – Monitoring & Analysis

Command
Implement SIEM alerts for the execution of unexpected RMM binaries (e.g., AnyDesk, ScreenConnect) originating from non-administrative user contexts.

Command
Deploy hunting queries focused on anomalous driver load events, specifically looking for known vulnerable drivers often abused by rootkits.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints exhibiting unauthorized RMM activity or signs of kernel-level hooking pending forensic analysis.

RECOVER (RC) – Restoration & Trust

Command
Reimage affected systems from known-clean baselines if rootkit activity (e.g., the kernel-mode rootkit deployed alongside ValleyRAT) is confirmed, as kernel-level compromise cannot be reliably eradicated in place.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Enable the Microsoft Vulnerable Driver Blocklist (enforced through Windows Defender Application Control / HVCI, and on by default on Windows 11 22H2 and later) to mitigate BYOVD attacks. The built-in list only updates with Windows releases and lags newly reported drivers, so supplement it with Microsoft's published recommended driver block rules and your own hash-based deny list for drivers seen in current reporting.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you suspect you have fallen victim to a tax-themed phishing lure and executed an unknown file.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and ensure MFA is active on all critical accounts using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check "Add or Remove Programs" for unexpected remote support software (RMM tools) and uninstall them.

Command
Run a full offline scan using a reputable anti-malware solution to detect Python-based stealers or commodity RATs.

Hardening & References

Baseline

Ensure endpoints are configured to block the loading of unsigned or known-vulnerable drivers.

Framework
Align defenses with NIST CSF 2.0 PR.AA (Identity Management, Authentication, and Access Control; the CSF 1.1 PR.AC category was folded into it) to limit users' ability to install unapproved software such as RMM tools.

Source

Sekoia
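The two DETECT items above (RMM binaries launched from a non-administrative context, and anomalous driver loads indicative of BYOVD) are easier to reason about as code than as SIEM prose. The following is an added example, not code from the Sekoia report or from the post, that runs both checks over Sysmon-style event records. It assumes Sysmon field names (Event ID 1 `Image`, `User`, `IntegrityLevel`, `ParentImage`; Event ID 6 `ImageLoaded`, `Hashes`, `Signed`, `SignatureStatus`); the hostnames, users, paths and driver hashes are constructed placeholders, and the vulnerable-driver hash set is a stand-in for a real feed such as Microsoft's recommended driver block rules.

```python
"""Behavioural hunting over Sysmon-style events (added example, not from the Sekoia report).

Detector 1: RMM client executed outside an elevated/admin context (Sysmon Event ID 1).
Detector 2: driver load matching a known-vulnerable hash (BYOVD), an unsigned or
            invalidly signed driver, or a driver loaded from a user-writable path (Event ID 6).
All hosts, users, paths and hashes below are CONSTRUCTED for the example.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# RMM clients named in the post; matched on lower-cased file name, not full path.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}

# Placeholder hash set. In production feed this from the Microsoft recommended driver
# block rules or loldrivers.io; "1f"*32 is NOT a real driver hash.
VULN_DRIVER_SHA256 = {"1f" * 32: "constructed vulnerable driver (placeholder hash)"}

# Sysmon IntegrityLevel values that indicate an elevated or service context.
ELEVATED = {"High", "System"}

# Legitimate drivers live under System32\drivers or a vendor dir; these prefixes are suspect.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_hashes(hashes: str) -> dict[str, str]:
    """Sysmon 'Hashes' field 'SHA1=..,MD5=..,SHA256=..' -> {ALGO: lower-case hex}."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_process_create(ev: dict) -> list[dict]:
    """Event ID 1: flag RMM binaries started at Medium/Low integrity (non-admin context)."""
    name = ntpath.basename(ev.get("Image", "")).lower()
    if name not in RMM_BINARIES or ev.get("IntegrityLevel") in ELEVATED:
        return []  # not an RMM tool, or an installed service / elevated admin session
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    return [{"rule": "rmm_non_admin_context", "severity": "medium", "host": ev.get("Computer"),
             "user": ev.get("User"),
             "detail": f"{name} at {ev.get('IntegrityLevel')} integrity, parent {parent}"}]


def check_driver_load(ev: dict) -> list[dict]:
    """Event ID 6: BYOVD hash match, unsigned/invalid signature, or odd load path."""
    findings = []
    image = ev.get("ImageLoaded", "")
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256", "")
    base = {"host": ev.get("Computer"), "user": None}
    if sha256 in VULN_DRIVER_SHA256:  # signed-but-vulnerable driver: the BYOVD case
        findings.append({**base, "rule": "known_vulnerable_driver", "severity": "high",
                         "detail": f"{image} matches {VULN_DRIVER_SHA256[sha256]}"})
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        findings.append({**base, "rule": "unsigned_or_invalid_driver", "severity": "high",
                         "detail": f"{image} Signed={ev.get('Signed')} "
                                   f"SignatureStatus={ev.get('SignatureStatus')}"})
    if image.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append({**base, "rule": "driver_from_user_writable_path", "severity": "medium",
                         "detail": image})
    return findings


def hunt(events: Iterable[dict]) -> list[dict]:
    """Run both detectors over a stream of Sysmon-style event dicts; returns all findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 6:
            findings.extend(check_driver_load(ev))
    return findings


# Constructed telemetry: a lure-dropped AnyDesk, a legitimately installed ScreenConnect
# service, a BYOVD load from %TEMP%, a normal Windows driver, and an unsigned driver.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-FIN-07", "User": "CORP\\jdoe", "IntegrityLevel": "Medium",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventID": 1, "Computer": "WS-FIN-07", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System",
     "Image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 6, "Computer": "WS-FIN-07", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\drv.sys",
     "Hashes": "SHA1=" + "a" * 40 + ",SHA256=" + "1f" * 32, "Signed": "true",
     "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "WS-FIN-07", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "2e" * 32, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "WS-FIN-07", "ImageLoaded": "C:\\ProgramData\\svc\\helper.sys",
     "Hashes": "SHA256=" + "3d" * 32, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} host={f['host']} user={f['user']}: {f['detail']}")
```

The integrity-level check is the deliberate choice here: an RMM service installed by IT runs as SYSTEM and is left to policy review, whereas a portable AnyDesk spawned by WINWORD.EXE at Medium integrity is exactly the lure-then-remote-access pattern the post describes. On the driver side, the hash match is the signal that matters for BYOVD, because the abused drivers carry valid signatures; the unsigned and user-writable-path rules are cheaper secondary signals that also catch sloppier loaders.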