{
  "name": "Silver Fox Targeting India Using Tax Themed Phishing Lures",
  "slug": "silver-fox-targeting-india-using-tax-themed-phishing-lures",
  "description": "A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection process, starting with a malicious email containing a PDF decoy. The payload is delivered through an NSIS installer, which drops a legitimate Thunder.exe binary and a malicious libexpat.dll for DLL hijacking. The final stage involves the Valley RAT, which uses a two-stage configuration loading mechanism and implements a 3-tier C2 communication loop. The RAT's modular plugin architecture allows for dynamic capability extension and persistence through registry-based storage.",
  "published": "2025-12-24T20:10:40+00:00",
  "created_at": "2025-12-24T20:10:40+00:00",
  "modified_at": "2025-12-26T09:05:30+00:00",
  "created_at_opencti": "2025-12-24T20:10:40+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-24",
    "apt",
    "c2 communication",
    "chinese threat actor",
    "dll hijacking",
    "india",
    "multi-stage attack",
    "phishing",
    "tax-themed",
    "valley rat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "103.20.195.147"
      },
      {
        "id": "",
        "name": "160.124.9.103"
      },
      {
        "id": "",
        "name": "45.207.231.94"
      },
      {
        "id": "",
        "name": "45.207.231.107"
      },
      {
        "id": "",
        "name": "068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c"
      },
      {
        "id": "",
        "name": "fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19"
      },
      {
        "id": "",
        "name": "77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2"
      },
      {
        "id": "",
        "name": "f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa"
      }
    ],
    "malware": [
      {
        "id": "a8cd08c4-1042-43fa-9930-edc1c382e51e",
        "name": "Valley RAT",
        "slug": "valley-rat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9737bc5a-30ea-42a9-8733-7a4540a14ef2",
        "name": "Silver Fox",
        "slug": "silver-fox"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "5d890f18-8c7e-47eb-89aa-d2b82a61a7d7",
        "name": "T1008"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "2c3d4267-2bae-41ae-8486-5876953a1748",
        "name": "T1129"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "2fca0274-42fc-483e-a1e3-d9c4ba687d2d",
        "name": "T1574.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "ggwk.cc"
      },
      {
        "id": "",
        "name": "gov-a.club"
      },
      {
        "id": "",
        "name": "swjc2025bjkb.cn"
      },
      {
        "id": "",
        "name": "gov-a.work"
      },
      {
        "id": "",
        "name": "govk.club"
      },
      {
        "id": "",
        "name": "hhiioo.work"
      },
      {
        "id": "",
        "name": "dingtalki.cn"
      },
      {
        "id": "",
        "name": "xzghjec.com"
      },
      {
        "id": "",
        "name": "hhimm.work"
      },
      {
        "id": "",
        "name": "gov-c.club"
      },
      {
        "id": "",
        "name": "kkyui.club"
      },
      {
        "id": "",
        "name": "itdd.club"
      },
      {
        "id": "",
        "name": "2025swmm.cn"
      },
      {
        "id": "",
        "name": "gov-a.fit"
      },
      {
        "id": "",
        "name": "gvo-b.club"
      },
      {
        "id": "",
        "name": "b.yuxuanow.top"
      },
      {
        "id": "",
        "name": "hhiioo.cn"
      }
    ]
  },
  "external_refs": [
    "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures",
    "https://otx.alienvault.com/pulse/694c56d0f3f466a559e3f352"
  ]
}