Silver Fox Targeting India Using Tax Themed Phishing Lures
Essential information
- Published: 24/12/2025 21:10
- Modified: 26/12/2025 10:05
- Tags: 2025-12-24 apt c2 communication chinese threat actor dll hijacking india multi-stage attack phishing tax-themed valley rat
- Related entities: 8 observables, 1 intrusion set (apt), 19 techniques (mitre), 1 malware, 20 others
Description
A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection process, starting with a malicious email containing a PDF decoy. The payload is delivered through an NSIS installer, which drops a legitimate Thunder.exe binary and a malicious libexpat.dll for DLL hijacking. The final stage involves the Valley RAT, which uses a two-stage configuration loading mechanism and implements a 3-tier C2 communication loop. The RAT's modular plugin architecture allows for dynamic capability extension and persistence through registry-based storage.