Category: Uncategorized

  • Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware

    The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0).

    “This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week.

    Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name assigned to an aggressive cybercrime group from China that has been active since 2022.

    It has a track record of orchestrating a variety of campaigns whose motives range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to their intrusion activity.

    Primarily focused on Chinese-speaking individuals and organizations, Silver Fox’s victimology has broadened to include organizations operating in the public, financial, medical, and technology sectors. Attacks mounted by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of Gh0st RAT such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).


    In the infection chain documented by CloudSEK, phishing emails containing decoy PDFs purported to be from India’s Income Tax Department are used to deploy ValleyRAT. Specifically, opening the PDF attachment takes the recipient to the “ggwk[.]cc” domain, from where a ZIP file (“tax affairs.zip”) is downloaded.

    Present within the archive is a Nullsoft Scriptable Install System (NSIS) installer of the same name (“tax affairs.exe”), which, in turn, abuses a legitimate executable associated with Thunder (“thunder.exe”), a download manager for Windows developed by Xunlei, to sideload a rogue DLL (“libexpat.dll”) placed alongside it.

    The DLL, for its part, disables the Windows Update service and acts as a conduit for a Donut loader, but not before running anti-analysis and anti-sandbox checks to make sure the malware can execute unimpeded on the compromised host. The loader then injects the final ValleyRAT payload into a hollowed “explorer.exe” process.

    ValleyRAT is designed to communicate with an external server and await further commands. It implements a plugin-oriented architecture to extend its functionality in an ad hoc manner, thereby allowing its operators to deploy specialized capabilities to facilitate keylogging, credential harvesting, and defense evasion.

    “Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK said. “On-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value.”

    The disclosure comes as NCC Group said it identified an exposed link management panel (“ssl3[.]space”) used by Silver Fox to track download activity related to malicious installers for popular applications, including Microsoft Teams, to deploy ValleyRAT. The service hosts information related to –

    • Web pages hosting backdoor installer applications
    • The number of clicks a download button on a phishing site receives per day
    • Cumulative number of clicks a download button has received since launch

    The bogus sites created by Silver Fox have been found to impersonate CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, and Youdao, among others. An analysis of the origin IP addresses that have clicked on the download links has revealed that at least 217 clicks originated from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7).

    “Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps,” researchers Dillon Ashmore and Asher Glue said. “These primarily target Chinese-speaking individuals and organisations in China, with infections dating back to July 2025 and additional victims across Asia-Pacific, Europe, and North America.”


    Distributed via these sites is a ZIP archive that contains an NSIS-based installer that’s responsible for configuring Microsoft Defender Antivirus exclusions, establishing persistence using scheduled tasks, and then reaching out to a remote server to fetch the ValleyRAT payload.
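    The CloudSEK chain (a legitimate thunder.exe sideloading an unsigned libexpat.dll from its own folder, then the Windows Update service being disabled) and the NCC Group installer (Defender exclusions, a scheduled task, a later payload fetch) leave the same kinds of host-side traces, and those are what a defender can hunt for on existing telemetry. The Python below is an added example written for this page, not CloudSEK's or NCC Group's tooling: four hunting rules run over constructed, Sysmon-style event records. The field names (EventID, Image, ImageLoaded, Signed, CommandLine, ParentImage, TargetObject, Details) follow Sysmon's schema, the list of user-writable directories and the sample events are assumptions, and wuauserv is the standard service name of Windows Update rather than an indicator from either report.

```python
"""Hunting rules for the host-side steps of the Silver Fox / ValleyRAT chain.

Added example for this page, not CloudSEK's or NCC Group's tooling. Input is a list of
constructed, Sysmon-style records flattened to dicts; the field names follow Sysmon's
schema (EventID, Image, ImageLoaded, Signed, CommandLine, ParentImage, TargetObject,
Details) and are an assumption about how the collector flattens events.
"""
import re

# Directories an unprivileged user can normally write to (assumption; extend per estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\|programdata\\|windows\\temp\\|temp\\)", re.I)
# sc.exe / PowerShell ways of stopping or disabling the Windows Update service (wuauserv).
WU_DISABLE = re.compile(
    r"(?:\bsc(?:\.exe)?\s+(?:config\s+wuauserv\s+start=\s*disabled|stop\s+wuauserv)"
    r"|set-service\b.*\bwuauserv\b.*\bdisabled\b|stop-service\b.*\bwuauserv\b)", re.I)
# Add-MpPreference with any of its exclusion parameters.
DEFENDER_EXCL = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)\b", re.I)
# schtasks /create ... /tr <action>, capturing the action path whether quoted or bare.
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?\s+/create\b.*?/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def rule_dll_sideload(ev):
    """EID 7: unsigned DLL loaded from the loading process's own user-writable directory."""
    if ev.get("EventID") != 7:
        return None
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if (_dirname(host) == _dirname(dll) and USER_WRITABLE.match(dll)
            and ev.get("Signed", "false").lower() != "true"):
        return f"possible DLL sideload: {host} loaded unsigned {dll}"
    return None


def rule_windows_update_disabled(ev):
    """EID 1 or EID 13: wuauserv stopped via command line, or its Start value set to 4."""
    if ev.get("EventID") == 1 and WU_DISABLE.search(ev.get("CommandLine", "")):
        return f"Windows Update service tampered with: {ev['CommandLine']}"
    if (ev.get("EventID") == 13
            and ev.get("TargetObject", "").lower().endswith("\\services\\wuauserv\\start")
            and ev.get("Details", "").strip().upper() == "DWORD (0X00000004)"):
        return f"Windows Update service disabled in registry by {ev.get('Image')}"
    return None


def rule_defender_exclusion(ev):
    """EID 1 or EID 13: exclusion added by cmdlet, or written straight under the Exclusions key."""
    if ev.get("EventID") == 1 and DEFENDER_EXCL.search(ev.get("CommandLine", "")):
        return f"Defender exclusion added by {ev.get('ParentImage')}: {ev['CommandLine']}"
    if ev.get("EventID") == 13 and "\\windows defender\\exclusions\\" in ev.get("TargetObject", "").lower():
        return f"Defender exclusion written to registry: {ev['TargetObject']}"
    return None


def rule_scheduled_task_persistence(ev):
    """EID 1: schtasks /create whose action lives in a user-writable path."""
    if ev.get("EventID") != 1:
        return None
    m = SCHTASKS_CREATE.search(ev.get("CommandLine", ""))
    if m and USER_WRITABLE.match(m.group(1) or m.group(2)):
        return f"scheduled task persistence pointing at {m.group(1) or m.group(2)}"
    return None


RULES = [rule_dll_sideload, rule_windows_update_disabled,
         rule_defender_exclusion, rule_scheduled_task_persistence]


def hunt(events):
    """Run every rule over every event; return (rule name, message) pairs in event order."""
    return [(rule.__name__, msg) for ev in events for rule in RULES if (msg := rule(ev))]


# Constructed sample telemetry: two benign records and five mimicking the reported chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\tax affairs\thunder.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\tax affairs\libexpat.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\tax affairs\thunder.exe",
     "CommandLine": "sc.exe config wuauserv start= disabled"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\victim\Downloads\setup.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Roaming"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\victim\Downloads\setup.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 10 /tn Updater /tr "C:\Users\victim\AppData\Roaming\updater.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Backup\setup.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\tax affairs\thunder.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start",
     "Details": "DWORD (0x00000004)"},
]

if __name__ == "__main__":
    for name, msg in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

    These are hunt leads, not blocking rules: each one keys on a cheap-to-change detail (DLL name and location, the exact sc.exe syntax, the schtasks action path), so an operator who renames the sideloaded DLL or disables the service through the service control API rather than a command line will slip past them. The hollowed explorer.exe that ends the CloudSEK chain is deliberately out of scope here, since it needs thread-injection or process-access telemetry (Sysmon EID 8 or 10, or an EDR memory scan) rather than the process-creation, image-load and registry events these rules consume.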

    The findings coincide with a recent report from ReliaQuest, which attributed to the hacking group a false flag operation that mimicked a Russian threat actor in attacks targeting organizations in China using Teams-related lure sites, in an attempt to complicate attribution efforts.

    “Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America, validating the campaign’s scope and strategic targeting of Chinese-speaking users,” NCC Group said.




  • Gen Mamady Doumbouya takes lead in controversial election as social media is restricted

    Guinea’s junta leader Gen Mamady Doumbouya has taken a huge lead in a presidential election his main challengers were barred from contesting, initial results show.

    Gen Doumbouya is hoping to legitimise his rule after seizing power in a coup four years ago.

    A civil society group campaigning for the return of civilian rule condemned the election as a “charade”, while opposition candidates said the poll was marred by irregularities.

    On Monday, internet monitoring organisation NetBlocks reported that access to social media platforms TikTok, YouTube and Facebook had been restricted as Guineans waited for the full results.

    There has been no official comment on the restrictions, but opponents see it as an attempt by the junta to stifle criticism of the results.

    Gen Doumbouya, 41, won more than 80% of the vote in numerous districts of the capital, Conakry, according to official partial results read out on television by Djenabou Toure, head of the General Directorate of Elections.

    Gen Doumbouya had a big lead in several other areas as well, including Boffa and Fria in the west, Gaoual in the north-west, northern Koundara and Labe, and Nzerekore in the south-east.

    After overthrowing then-83-year-old President Alpha Condé in 2021, he promised not to seek election and to hand power to a civilian.

    “Neither I nor any member of this transition will be a candidate for anything… As soldiers, we value our word very much,” he said at the time.

    Gen Doumbouya broke his promise by putting his name on the ballot after a new constitution, implemented in September, permitted him to run for office.

    Eight other candidates took part in Sunday’s election, but with the exclusion of main opposition parties RPG Arc en Ciel and UFDG, none of the participants have a solid political footing.

    Although he is popular with many of Guinea’s youth, Gen Doumbouya has been criticised for restricting opposition activities, banning protests and stifling press freedom in the run-up to the elections.

    The general justified deposing Condé on similar charges – including rampant corruption, disregard for human rights and economic mismanagement.

    Guinea has the world’s largest bauxite reserves and some of its richest iron ore. Last month, authorities launched the gigantic Simandou iron-ore mine to widespread anticipation.

    However, over half of the population lives in poverty, according to World Bank figures.




  • Eurostar cancels all trains out of London after Channel Tunnel power outage

    Thomas Mackintosh and Nicky Schiller, London St Pancras International

    Kelly North and Bethany Massey-Chase tell the BBC how they’ve had to re-book their Eurostar service to Paris

    Eurostar has cancelled all trains out of London towards Paris, Amsterdam and Brussels until further notice after a power outage in the Channel Tunnel caused a Le Shuttle train to fail.

    Staff at London St Pancras International station have told Eurostar passengers to postpone their travel plans and re-book for a later date.

    By midday, at least a dozen Eurostar services between the UK, France, Belgium and the Netherlands had been cancelled – many more had also been delayed or altered.

    Train traffic will “gradually resume” this afternoon, according to the company which operates the Channel Tunnel.

    Elsewhere, Eurotunnel service Le Shuttle – which carries road vehicles and passengers through the tunnel – has also suspended trains between Folkestone and Calais due to what it described as a “power supply issue” which occurred overnight.

    National Rail said the major disruption is expected to last until further notice.

    Eurostar said: “Services to and from London are suspended until further notice due to overhead power supply issues in the Channel Tunnel, followed by a failed Le Shuttle train.

    “We advise our customers to re-book their journey for another day, with free exchanges available.

    “We apologise for the disruption and will continue to keep customers updated with the latest information.”

    According to Eurostar, passengers can rearrange their plans free of charge or can cancel their booking and get a refund or an e-voucher.

    The broken Le Shuttle train has been moved out of the Channel Tunnel and Eurotunnel expects to resume services around 15:00 CET (14:00 GMT).

    “Our teams are working to restore the situation as quickly as possible,” Le Shuttle said in a statement.

    “Waiting times will be adjusted throughout the day. Eurotunnel apologises for the inconvenience and thanks its customers for their patience and understanding.”

    On its website Le Shuttle says check-in and border control services are experiencing lengthy delays.

    Image (Reuters): A passenger carries a suitcase

    Ben Clark, from Bedfordshire, told the BBC he has been stuck on-board Le Shuttle in Calais with his wife and three daughters since 10:00 local time (09:00 GMT).

    “The first two-and-a-half hours weren’t too bad but the girls have got restless in the last half an hour so we’ve let them run around the boarding carriage to burn off some energy,” he said.

    “Some people are getting angry but there’s nothing that can be done, others are sleeping in their cars. We have used up our snacks and now have no plan B or C.”

    Image (Reuters): Passengers wait with luggage next to a departure board showing cancelled trains

    Eurostar passengers booked to travel on Tuesday have been told to reschedule their travel if they can

    On the UK side at Folkestone, Le Shuttle said there is a delay of around three-and-a-half hours to the booked departure time.

    Matthew Webber, from Suffolk, said he has been stuck for hours and is unclear whether he and his group will be able to continue their journey.

    “Not a lot of information being given out which is poor,” he told the BBC.

    “Lots of queues and everyone is waiting to get on the Tunnel. The conditions are very busy and people are leaving to get a ferry.”

    Image (BBC / Nicky Schiller): Departure boards at St Pancras station showing cancellations to Amsterdam, Paris and Brussels services

    Services between London and France, Belgium and the Netherlands have been hit

    At the Calais terminal in France the delay is currently around three hours.

    Steph Roberts, from Ashford, Kent, told the BBC she has been stuck at the Calais terminal with her husband Robert and bulldog Dempsey since 10:30.

    She had spent two weeks in France seeing her parents and family over Christmas.

    Ms Roberts said: “We’ve not had any updates or been given any food or water.

    “We’ve just been spending the time going through social media and reading magazines. I’ve also gone out to take the dog for a couple of walks.”

    Image (PA Media): Passengers queue to enter the Eurotunnel site in Folkestone in Kent

    Cars and coaches have started to queue up outside the Eurotunnel terminal in Folkestone



