Threat Group Profile: Silver Fox
2026.04.27

✅ Report Title: Threat Group Profile: Silver Fox



✅ Executive Summary:


📌 Who Is the Silver Fox Group?


- Silver Fox is a China-based threat group that has been active since at least 2022, initially conducting campaigns for financial purposes.


- Since 2024, it has operated a dual-track model, running large-scale opportunistic campaigns for profit alongside espionage activity. The group initially targeted China, then expanded its operations to Taiwan and Japan.


- In particular, in campaigns against Taiwan it impersonated the National Tax Bureau and launched customized phishing timed to coincide with the local tax audit period, also employing typosquatting that reflected local software preferences.


- Afterwards, in 2025, with the enhanced ValleyRAT at the center of its operations, Silver Fox significantly expanded its attack range across Southeast Asia, including Malaysia, Indonesia, Singapore, Thailand, and the Philippines. Its targets also expanded from general individual users to medical, financial, and corporate environments.



📌 Arsenals Used by Silver Fox


- Malware & Tools


  Malware & Tools Used by Silver Fox


  Num  Malware & Tools     Type       Operator
  1    ValleyRAT (Winos)   RAT        Silver Fox
  2    Nidhogg             Rootkit    Silver Fox
  3    HoldingHands        RAT        Silver Fox
  4    CleverSoar          Installer  Silver Fox
  5    AtlasCross RAT      RAT        Silver Fox
  6    Gh0stCringe         RAT        Silver Fox
  7    PNGPlug             Loader     Silver Fox
  8    Catena              Loader     Silver Fox
  9    Gh0st RAT           RAT        Silver Fox


- Vulnerability


  There is no publicly available vulnerability used by Silver Fox.



📌 Tactics, Techniques, and Procedures


- Silver Fox's TTPs effectively combine psychological manipulation during initial infiltration with technical evasion after obtaining system privileges. The main attack methods used by Silver Fox include Phishing, Impersonation, and BYOVD.


1. Phishing


- The Silver Fox group primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues of the target country and the target's work characteristics.


- Threat intelligence vendors such as Sekoia and Knownsec404 have published consistent analyses of Silver Fox's country-specific phishing methods. According to these observations, the group continuously develops and distributes emails disguised as tax audit notifications or update alerts for general financial management software. The lures are built as a double trap: beyond a simple link, the email also carries a disguised shortcut file (LNK) or an Office document with embedded macros, so that a recipient who opens it is led to download the first-stage loader or dropper without realising it.


- In short, Silver Fox is assessed to have a deep understanding of its targets' work context and psychological weak points, and it continues to refine and sophisticate its phishing tactics.


- In particular, in recently observed campaigns, clicking the PDF in a phishing email downloads a second-stage payload from myqcloud bucket infrastructure and installs a legitimate RMM tool signed by "SyncFutureTec Company Limited," establishing a foothold for continuous remote control and data exfiltration within the internal network. It was also confirmed that after February 2026 a Python-based stealer was distributed; it leaves the artifact C:\WhatsAppBackup\WhatsAppData.zip and uploads collected data to the paths upload_large.php and upload_status.php. This shows that Silver Fox phishing campaigns do not stop at installing RAT and RMM tools but, depending on the campaign's objective, can lead directly to the data exfiltration stage.
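The stealer artifacts above are the kind of indicator a SOC can turn into a detection straight away. The following is an added example written for this page, not code from S2W or from the report: it parses constructed proxy log lines, flags requests whose path basename is upload_large.php or upload_status.php, treats PDF fetches from myqcloud bucket hosting as low-confidence context, and checks for the staging archive on a host. The log layout, hostnames, client IPs and timestamps are assumptions invented for the example; only the two upload paths and the archive path come from the report.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Indicators taken from the report: the upload endpoints used by the
# Python-based stealer and the staging archive it leaves on disk.
STEALER_UPLOAD_BASENAMES = ("upload_large.php", "upload_status.php")
STAGING_ARTIFACT = r"C:\WhatsAppBackup\WhatsAppData.zip"

# Constructed proxy log ("timestamp client method url status"). Hosts, IPs and
# times are placeholders invented for this example, not report indicators.
SAMPLE_PROXY_LOG = """\
2026-03-02T09:14:01Z 10.0.4.17 GET https://intranet.example.local/portal 200
2026-03-02T09:15:33Z 10.0.4.17 POST https://cdn-placeholder.example/upload_large.php 200
2026-03-02T09:15:34Z 10.0.4.17 POST https://cdn-placeholder.example/upload_status.php 200
2026-03-02T09:16:10Z 10.0.4.22 GET https://bucket-placeholder.cos.ap-placeholder.myqcloud.com/notice.pdf 200
2026-03-02T09:20:00Z 10.0.4.30 GET https://www.example.com/upload_status.php?v=1 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_stealer_uploads(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag requests whose URL path ends in one of the stealer's upload scripts.

    The stealer uploads collected data, so a POST is high confidence; a GET to
    a path with the same name (last sample line) is kept but marked low.
    """
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        if parsed.path.rsplit("/", 1)[-1] in STEALER_UPLOAD_BASENAMES:
            rec["host"] = parsed.hostname or ""
            rec["confidence"] = "high" if rec["method"] == "POST" else "low"
            hits.append(rec)
    return hits


def find_myqcloud_pdf_fetches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Context indicator: a PDF fetched from myqcloud bucket hosting.

    myqcloud.com is Tencent Cloud object storage and carries plenty of benign
    traffic, so this is for correlation (same client shortly before an RMM
    install or a stealer upload), not for alerting on its own.
    """
    out = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = (parsed.hostname or "").lower()
        if host.endswith(".myqcloud.com") and parsed.path.lower().endswith(".pdf"):
            out.append(rec)
    return out


def staging_artifact_present(exists: Callable[[str], bool]) -> bool:
    """Host-side check for the stealer's staging archive.

    `exists` is injected (pass os.path.exists on a real host) so the logic can
    be exercised offline against the constructed data.
    """
    return exists(STAGING_ARTIFACT)


if __name__ == "__main__":
    for h in find_stealer_uploads(SAMPLE_PROXY_LOG.splitlines()):
        print(f"[{h['confidence']}] {h['client']} {h['method']} {h['host']}{urlparse(h['url']).path}")
    for h in find_myqcloud_pdf_fetches(SAMPLE_PROXY_LOG.splitlines()):
        print(f"[context] {h['client']} fetched a PDF from {urlparse(h['url']).hostname}")
```

The two upload scripts are matched on the path basename rather than the full path, since the report names only the script names and the directory layout of the attacker's server is not given. A single client appearing in both the context list and the high-confidence list (10.0.4.17 and 10.0.4.22 are separate hosts in the constructed data, so no such overlap occurs here) is the correlation worth escalating.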


2. Impersonation


- The Silver Fox group aggressively employs impersonation tactics by meticulously disguising themselves as trusted software or work documents frequently used by target users to infiltrate internal systems.


- They distribute malware by impersonating a wide range of targets, from installation files of popular applications to industry-specific documents.


- According to the threat intelligence report from Hexastrike, Silver Fox built a sophisticated network of fake websites by typosquatting the domains of globally popular brand software.


- In particular, targeting audiences who prioritize security and privacy, they have perfectly impersonated well-known VPN clients like Surfshark, encrypted messengers such as Signal and Telegram, and video conferencing tools like Zoom and Microsoft Teams. What is noteworthy is that they did not merely register similar domains, but actively exploited SEO poisoning.


- The threat actors completed the attack chain by keeping their forged download pages at the top of major search engine results, so that users searching for legitimate software and clicking the top result download the stealthy and powerful AtlasCross RAT themselves.


- AtlasCross RAT has an RDP session hijacking (tscon.exe) feature for internal network propagation and attempts to spread to other accounts by injecting a malicious DLL into the WeChat application to exploit internal trust relationships.
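Typosquatted download sites for the brands named above can be spotted in DNS or proxy telemetry before a user reaches the forged page. The block below is an added example for this page, not code from S2W, Hexastrike or the report: it classifies queried names against an allowlist of official domains (the brand-to-domain mapping is this example's assumption and should be replaced with your own vetted list), flags names within edit distance 1 of a brand word or official domain, and flags unrelated registrable domains that embed a brand keyword. The DNS log lines and every lookalike name in them are constructed for the example and are not indicators from the report.

```python
from typing import Dict, List, Tuple

# Brands the report names as impersonated (VPN, messengers, conferencing) and
# their official registrable domains. Assumed by this example; use your own
# allowlist in production.
BRAND_DOMAINS: Dict[str, List[str]] = {
    "surfshark": ["surfshark.com"],
    "signal": ["signal.org"],
    "telegram": ["telegram.org"],
    "zoom": ["zoom.us"],
    "teams": ["microsoft.com"],
}
EDIT_DISTANCE_THRESHOLD = 1

# Constructed DNS query log ("timestamp client qname"). The lookalike names are
# invented for the example; the capital I in "signaI.org" is a homoglyph lure.
SAMPLE_DNS_LOG = """\
2026-03-03T10:01:02Z 10.0.5.8 www.surfshark.com
2026-03-03T10:01:40Z 10.0.5.8 surfshark-vpn-download.example
2026-03-03T10:02:11Z 10.0.5.9 signal.org
2026-03-03T10:02:50Z 10.0.5.9 signaI.org
2026-03-03T10:03:05Z 10.0.5.12 teams.microsoft.com
2026-03-03T10:03:30Z 10.0.5.12 zoom-us.example
2026-03-03T10:04:00Z 10.0.5.14 news.example.com
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Last two labels of the name, lower-cased (DNS is case-insensitive).

    Simplification: a real deployment should use the Public Suffix List so
    that names such as example.co.uk are handled correctly.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(qname: str) -> Tuple[str, str]:
    """Return (verdict, reason): 'official', 'lookalike' or 'unrelated'."""
    reg = registrable_domain(qname)
    sld = reg.split(".")[0]
    for brand, official in BRAND_DOMAINS.items():
        if reg in official:
            return ("official", brand)
    for brand, official in BRAND_DOMAINS.items():
        # Near-miss spelling of the brand word or of the official domain.
        if levenshtein(sld, brand) <= EDIT_DISTANCE_THRESHOLD or any(
            levenshtein(reg, o) <= EDIT_DISTANCE_THRESHOLD for o in official
        ):
            return ("lookalike", f"edit distance <= {EDIT_DISTANCE_THRESHOLD} to {brand}")
        # Brand keyword embedded in a registrable domain the brand does not own.
        if brand in sld:
            return ("lookalike", f"contains brand keyword '{brand}'")
    return ("unrelated", "")


def find_lookalikes(lines) -> List[Dict[str, str]]:
    """Run the classifier over log lines and return only the lookalike hits."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        verdict, reason = classify_domain(qname)
        if verdict == "lookalike":
            out.append({"ts": ts, "client": client, "qname": qname, "reason": reason})
    return out


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['client']} -> {hit['qname']}: {hit['reason']}")
```

Short brand words such as "zoom" and "teams" make the keyword rule noisy (it would also flag a domain like steams.example), so in practice pair it with a review queue or restrict it to newly seen domains; the edit-distance rule is the higher-precision one and is what catches the homoglyph case.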


3. BYOVD


- The Silver Fox group employs the BYOVD (Bring Your Own Vulnerable Driver) technique, which abuses legitimately signed but vulnerable drivers, in a very sophisticated and persistent manner to disable modern endpoint security solutions such as antivirus (AV) and EDR.


- After initial infiltration succeeds, they use older drivers that still carry legitimate digital signatures, or lesser-known drivers with vulnerabilities in their third-party security logic, as attack tools to terminate security processes directly from kernel privileges.
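Because a BYOVD driver carries a valid signature by design, a "signature valid" field alone says nothing about whether a load is safe. The block below is an added example for this page, not code from S2W or the report: it runs a small set of checks over constructed Sysmon Event ID 6 (DriverLoad) records, flagging drivers loaded from outside the normal driver directories, drivers whose hash is on a vulnerable-driver blocklist, unsigned drivers, and signed drivers whose signature status is not Valid. The record fields follow Sysmon's ImageLoaded, Signed, Signature, SignatureStatus and Hashes names; the paths, signer names and hash values are placeholders invented for the example, and the blocklist is meant to be populated from a maintained source such as Microsoft's vulnerable driver blocklist.

```python
from typing import Dict, List

# Directories from which legitimately installed drivers normally load
# (lower-cased; compared with a trailing backslash so prefixes cannot match).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# SHA256 hashes of known-vulnerable drivers. Placeholder value here; populate
# from a maintained blocklist in a real deployment.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_B"}

# Constructed Sysmon Event ID 6 (DriverLoad) records reduced to the fields the
# check uses. Paths, signers and hashes are invented; none are report indicators.
SAMPLE_DRIVER_LOADS: List[Dict[str, str]] = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid", "Hashes": "SHA256=PLACEHOLDER_SHA256_A"},
    {"ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.sys",
     "Signed": "true", "Signature": "Placeholder Vendor Co., Ltd.",
     "SignatureStatus": "Valid",
     "Hashes": "MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_SHA256_B"},
    {"ImageLoaded": r"C:\ProgramData\svc\helper.sys",
     "Signed": "true", "Signature": "Placeholder Vendor Co., Ltd.",
     "SignatureStatus": "Expired", "Hashes": "SHA256=PLACEHOLDER_SHA256_C"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\vendor.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_D"},
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon's Hashes field is 'ALG=value,ALG=value'; return {ALG: value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip()
    return out


def assess_driver_load(rec: Dict[str, str]) -> List[str]:
    """Return the reasons this load looks like BYOVD; an empty list means clean."""
    reasons = []
    path = rec["ImageLoaded"].lower()
    if not any(path.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the trusted driver directories")
    sha256 = parse_hashes(rec.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash is on the vulnerable-driver blocklist")
    if rec.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    elif rec.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status is {rec.get('SignatureStatus')}")
    return reasons


def find_suspicious_driver_loads(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply assess_driver_load to each record and keep only the flagged ones."""
    findings = []
    for rec in records:
        reasons = assess_driver_load(rec)
        if reasons:
            findings.append({"image": rec["ImageLoaded"],
                             "signer": rec.get("Signature", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f"{f['image']} (signer: {f['signer'] or 'none'})")
        for r in f["reasons"]:
            print(f"  - {r}")
```

The second sample record is the BYOVD pattern: a validly signed third-party driver loading from a user's Temp directory, which only the path and hash checks catch. Detection of this kind complements, rather than replaces, enforcing the driver blocklist and confirming that the EDR's protected-process (PPL) defenses are active.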



📌 Recent Issues


- For a list of major issues related to Silver Fox from 2023 to the present, please contact us through the link below.



✅ Recommended Threat Detection and Mitigation Actions:


- A multi-layered response is needed: strengthen control over initial infiltration routes (email, spoofed domains); in response to BYOVD, activate policies that block vulnerable Windows drivers and verify the EDR's kernel-level defenses (PPL protection); and apply whitelist-based application control to minimize the environment in which malware can execute.




🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

