Silver Fox Targeting India Using Tax Themed Phishing Lures
Adversary Intelligence
CloudSEK's TRIAD reveals a critical campaign by the Chinese "Silver Fox" APT targeting Indian entities with authentic-looking Income Tax phishing lures. While previously misattributed to SideWinder, this sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. Discover the full technical breakdown and why accurate attribution is essential for effective defense.
December 24, 2025 · 9 min read
Executive Summary
CloudSEK’s TRIAD discovered a campaign by the Silver Fox APT targeting India with income-tax-themed phishing lures. The lure is visually identical to the ones discovered by other vendors; however, before this report the campaign had not been attributed to a specific threat actor. Attribution accuracy is critical to threat intelligence: it enables defenders to predict adversary behavior and deploy targeted countermeasures. Misattribution from trusted sources propagates through threat feeds and detection systems, causing organizations to focus on the wrong threat while the actual adversary operates undetected. Attributing this campaign to SideWinder APT (India-aligned) contradicts basic victimology and creates systemic confusion. This report aims to highlight the sophisticated kill chain used by the Chinese APT group and to explain the rationale behind CloudSEK’s attribution.
Kill Chain
Initial Access Vector
Malicious email
We found an interesting email uploaded from India with a single attachment named “TOPSOE India Private Limited”. The PDF looked like an official Income Tax Department document. Clicking on the PDF opens “ggwk[.]cc” in the browser and a ZIP archive (Tax Affairs.zip, containing “tax affairs.exe”) is downloaded.
[Figure: PDF Decoy]
Technical Analysis
Stage 1: Tax Affairs.zip
[Figure: Detect It Easy output]
Static analysis shows that the PE file is a 32-bit GUI binary. More importantly, it is identified as a Nullsoft Scriptable Install System (NSIS) installer. NSIS installers embed their installation script and compressed payloads inside the binary itself, so we can analyse it as an installer-driven staging payload.
NSIS Installer
The NSIS installer begins by resolving a writable temporary directory using GetTempPathA. If the call fails, it falls back to C:\Windows\Temp, ensuring execution reliability. Once a valid location is identified, the installer creates an NSIS-specific working directory (~nsu.tmp) and changes its working directory to it.
Dropped Files
Upon analysis we found that only two of the dropped files matter: Thunder.exe and libexpat.dll. Thunder.exe is a legitimate, digitally signed executable developed by Xunlei (迅雷), commonly distributed as part of the Thunder download manager ecosystem. In this infection chain the binary itself is not malicious but is abused as a DLL hijacking host. When executed from the installer’s temporary directory, Thunder.exe loads libexpat.dll from its local path because of the default DLL search order. We can confirm this in x64dbg.
[Figure: DLL Loading]
Stage 2: libexpat.dll
The dropped libexpat.dll does not export any meaningful functions and is never explicitly invoked by Thunder.exe. Instead it relies on the Windows loader, which calls DllMain when the DLL is loaded. This callback is invoked unconditionally, regardless of whether the DLL exports any functions or is actively used by the host process.
Let’s take a look at the working of the DLL.
Anti-Debug Techniques
DllMain begins with a series of anti-debugging and sandbox-evasion checks. The DLL enumerates running processes and scans the list for common analysis and sandbox tools, and it queries system resources to check whether minimum requirements are met. If it detects a sandbox environment, the malware terminates.
Payload Decryption
Once the DLL completes its anti-analysis checks, it enters the core execution logic. It first disables the Windows Update service (wuauserv), then loads the encrypted payload, box.ini, from the temporary directory. The file is read fully into memory, decrypted using cryptographic constants embedded in the DLL, and then executed as shellcode.
[Figure: Box.ini]
Process Injection
The shellcode is executed using a classic process injection technique. The routine begins by verifying the presence of explorer.exe, which is later used as the target process. explorer.exe is launched in a suspended state and the malware retrieves the initial thread context. It then allocates executable memory inside the remote process via VirtualAllocEx and writes the payload via WriteProcessMemory.
The LogStatus function implements an internal logging mechanism used throughout the DLL to record execution progress and error states. It formats a timestamped log message, applies a lightweight custom obfuscation, and appends the result to a local file (C:\data.db).
Stage 3: DonutLoader
[Figure: Encrypted payload in memory]
The injected payload can be dumped by attaching a debugger to the hollowed explorer.exe process and monitoring the memory region allocated via VirtualAllocEx. Once the payload is written using WriteProcessMemory and execution is redirected, the allocated region can be dumped directly from memory, yielding the next stage payload for analysis.
[Figure: Decrypted payload]
Looking through the decrypted payload, we find that it is Donut-generated shellcode. Here Donut is used to wrap a managed payload into raw shellcode, allowing it to be executed entirely from memory without touching disk.
[Figure: DonutLoader]
We can dump the Donut payload using tools such as undonut or donut-decryptor.
Stage 4: Valley RAT
After the Donut loader injects the final payload into the hollowed explorer.exe process, Valley RAT initializes its configuration management subsystem. It starts by setting up anti-analysis procedures, then invokes sub_405E40() to initialize its configuration, and later creates a thread for C2 communication.
C2 Configuration
The function implements a two-stage loading mechanism and extracts 22 distinct configuration parameters through a parsing function.
Stage 1
Command & Control Infrastructure (9 parameters):
p1:, p2:, p3: - Three-tier C2 server addresses (correlates with b[.]yuxuanow[.]top identified in network analysis)
o1:, o2:, o3: - Corresponding port numbers for each C2 tier
t1:, t2:, t3: - Connection type flags (1 = HTTP/HTTPS, 0 = raw TCP socket)
Operational Parameters (5 parameters):
dd: - Initial sleep delay (seconds) before first C2 contact
cl: - Callback interval (seconds) between beaconing attempts
bb: - Build/bot version identifier (observed: 1.0)
bz: - Backup C2 address
fz: - Unknown parameter
Feature Flags (8 boolean parameters):
kl: - Keylogger (1 = enabled, 0 = disabled)
sh: - Remote shell access (1 = enabled, 0 = disabled)
bd: - Full backdoor mode (1 = enabled, 0 = disabled)
dl: - Download/file transfer capability
jp:, sx:, bh:, ll: - Additional feature toggles
Stage 2
After loading the embedded configuration, Valley RAT queries the Windows registry for updated C2 infrastructure:
[Figure: Persistence: registry lookup for updated C2 configuration]
If the registry value exists and exceeds 10 bytes, Valley RAT completely replaces its embedded configuration, then re-parses only the critical C2 parameters (p1 through t3). This allows Silver Fox operators to push updated C2 addresses without deploying new binaries or regaining code execution.
After the configuration is loaded, Valley RAT spawns its payload thread (StartAddress), which implements a three-tier C2 communication loop.
C2 Communication
The communication loop implements multi-tier failover by alternating between primary (p1) and secondary (p2) C2 servers, switching to tertiary (p3) after 200 failures. It supports both HTTP/HTTPS and raw TCP protocols, uses configurable beaconing intervals (cl:) to reduce detection, and delays initial connection (dd:) to evade sandboxes.
Upon successful connection, Valley RAT sends a "ready" beacon (command ID: 4), enables keylogging if configured (kl: flag), and waits for C2 commands. This architecture maps to the discovered infrastructure: b[.]yuxuanow[.]top (103.20.195[.]147) as primary shellcode C2, with secondary/tertiary tiers rotating through domains like itdd[.]club, gov-a[.]work, and xzghjec[.]com.
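The failover loop above suggests a network-side detection that does not depend on knowing the domains: a host that fails repeatedly against two alternating destinations and then succeeds against a third, possibly on a different transport. The block below is an added example written for this article, not CloudSEK or Valley RAT code. The log format and host names are constructed, and the five-failure threshold is an analyst choice; the RAT itself only moves to its tertiary server after 200 failures, but a short alternating streak is already unusual for legitimate software.

```python
from collections import defaultdict
from typing import Dict, List

# Analyst-tuned threshold (the RAT described in the report waits for 200 failures).
FAILURE_THRESHOLD = 5

# Constructed sample log: "<time> <source_host> <destination> <port> <proto> <result>".
# WS01 models the report's loop (p1/p2 alternation, then p3 over raw TCP);
# WS02 models benign retries against a single update server.
SAMPLE_LOG = """\
10:00:00 WS01 p1.c2.invalid 443 http fail
10:01:00 WS01 p2.c2.invalid 443 http fail
10:02:00 WS01 p1.c2.invalid 443 http fail
10:03:00 WS01 p2.c2.invalid 443 http fail
10:04:00 WS01 p1.c2.invalid 443 http fail
10:05:00 WS01 p2.c2.invalid 443 http fail
10:06:00 WS01 p3.c2.invalid 5000 tcp ok
10:00:00 WS02 updates.vendor.invalid 443 http fail
10:00:30 WS02 updates.vendor.invalid 443 http fail
10:01:00 WS02 updates.vendor.invalid 443 http ok
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, result = line.split()
        events.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                       "proto": proto, "result": result})
    return events


def _alternating(hosts: List[str]) -> bool:
    """True when exactly two hosts are tried turn-about (the p1/p2 pattern)."""
    return len(set(hosts)) == 2 and all(a != b for a, b in zip(hosts, hosts[1:]))


def find_failover(events: List[Dict], threshold: int = FAILURE_THRESHOLD) -> List[Dict]:
    """Per source host: a run of at least `threshold` failures followed by a
    successful connection to a destination that was not in the run. Each alert
    records whether the run alternated between two hosts and whether the
    transport changed at the fallback."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        streak = []  # consecutive failures seen so far
        for e in sorted(evs, key=lambda x: x["ts"]):
            if e["result"] != "ok":
                streak.append(e)
                continue
            if len(streak) >= threshold:
                failed_hosts = [x["dst"] for x in streak]
                if e["dst"] not in failed_hosts:
                    alerts.append({
                        "src": src,
                        "failures": len(streak),
                        "failed_hosts": sorted(set(failed_hosts)),
                        "alternating": _alternating(failed_hosts),
                        "fallback": f"{e['dst']}:{e['port']}",
                        "protocol_switch": e["proto"] not in {x["proto"] for x in streak},
                    })
            streak = []  # a success ends the run either way
    return alerts


if __name__ == "__main__":
    for alert in find_failover(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against a real proxy or firewall export, the `alternating` and `protocol_switch` fields are what separate this pattern from ordinary retry storms: legitimate clients retry one server, and they rarely drop from HTTPS to a raw socket on a high port when they give up.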
Valley RAT implements a modular plugin architecture that enables dynamic capability extension through registry-based persistence. The malware stores downloaded plugins in HKCU\Console\0\d33f351a4aeea5e608853d1a56661059, a registry value name consistent with Valley RAT's established fingerprint and following the MD5-hash naming convention observed across multiple Valley RAT campaigns. The plugin manager operates in two modes: it either receives modules from the C2 server, allocates executable memory with PAGE_EXECUTE_READWRITE permissions, and persists the 2628-byte configuration plus payload code to the registry as REG_BINARY data; or it retrieves previously stored plugins from the registry, validates them against a hardcoded signature, and spawns execution threads.
Each plugin includes a magic byte guard (0xC9) to prevent double-execution. This architecture allows Silver Fox operators to deploy specialized capabilities such as advanced keylogging, credential harvesting, or lateral movement modules on-demand to compromised systems, with automatic persistence across reboots through registry storage.
Tracerpt Injection
After downloading plugins from the C2 server, Valley RAT injects them into tracerpt.exe, a legitimate signed Microsoft utility, using the same process hollowing technique. The malware creates the process in a suspended state, injects the plugin code into its memory, and redirects execution to the malicious payload. Before injection, it patches the plugin with the same 4768-byte configuration containing C2 addresses and feature flags analyzed earlier.
Pivoting
Let’s start with the C2 embedded within the decoy document, “ggwk[.]cc”.
The C2 has carried two different HTTP titles over time, both in line with the income-tax-themed phishing lure and both served from the same ASN. The common denominator across the infrastructure, however, is the favicon.
We found 10+ domains that share the same favicon. Looking at the HTTP response titles, all of them are income-tax-themed. The results can be validated against VirusTotal to discover additional samples from this campaign; refer to the IOCs section below.
[Figure: Diamond Model]
Impact
High risk of long-term undetected compromise: Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise.
Dynamic threat evolution post-infection: Attackers can upgrade capabilities (keylogging, credential theft, lateral movement) without re-establishing initial access or redeploying malware.
Infrastructure-based blocking is brittle: Tiered C2 failover and protocol switching reduce the effectiveness of static IP/domain blocking.
Reduced visibility for incident response: In-memory execution combined with registry-based persistence complicates timeline reconstruction and malware eradication.
Elevated data security risk: On-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value.
Recommendations
Monitor registry abuse as a persistence layer: Alert on executable REG_BINARY blobs and anomalous values under non-standard paths such as HKCU\Console\*, especially those written by user processes.
Detect multi-tier C2 logic, not just domains: Build detections for retry-heavy outbound connections, protocol switching (HTTP ↔ raw TCP), delayed first beacon, and repeated failures followed by fallback behavior.
Instrument memory-permission anomalies: Alert on processes allocating PAGE_EXECUTE_READWRITE memory followed by thread creation, particularly inside explorer.exe.
Hunt for signed binary + local DLL load patterns: Correlate execution of signed binaries from temp directories with unsigned DLL loads and immediate child thread creation.
Treat RAT feature enablement as an alerting signal: Monitor sudden activation of keylogging APIs, interactive shell behavior, or file transfer operations within long-running, previously quiet processes.
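The registry, memory-permission and signed-binary recommendations above can be expressed as checks over endpoint telemetry, and the interesting part in each case is a join between two events rather than a single-event match. The block below is an added example written for this article, not a CloudSEK or vendor rule. The event schema is a constructed, EDR-style simplification (Sysmon, for instance, does not report memory protection changes), and the sample events are constructed apart from the registry value name, which is taken from the report.

```python
import ntpath
from typing import Dict, List

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Constructed EDR-style events modelled on the chain in the report: a signed
# host binary run from the NSIS temp directory, an unsigned DLL loaded beside
# it, an RWX allocation plus a remote thread into explorer.exe, and a
# REG_BINARY blob under HKCU\Console (value name quoted from the report).
# The last two events are benign noise that must not fire.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4000, "signed": True,
     "image": r"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Thunder.exe"},
    {"type": "image_load", "pid": 4000, "signed": False,
     "image": r"C:\Users\user\AppData\Local\Temp\~nsu.tmp\libexpat.dll"},
    {"type": "process_create", "pid": 4100, "signed": True,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "mem_alloc", "pid": 4000, "target_pid": 4100, "target_image": "explorer.exe",
     "protect": "PAGE_EXECUTE_READWRITE", "size": 0x20000},
    {"type": "remote_thread", "pid": 4000, "target_pid": 4100, "target_image": "explorer.exe"},
    {"type": "reg_set", "pid": 4100, "value_type": "REG_BINARY", "size": 6724,
     "key": r"HKCU\Console\0\d33f351a4aeea5e608853d1a56661059"},
    {"type": "reg_set", "pid": 900, "value_type": "REG_DWORD", "size": 4,
     "key": r"HKCU\Console\0\FontSize"},
    {"type": "image_load", "pid": 5000, "signed": False,
     "image": r"C:\Program Files\SomeApp\plugin.dll"},
]


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def rule_registry_blob(events: List[Dict]) -> List[str]:
    """Registry recommendation: REG_BINARY values written under HKCU\\Console\\*."""
    hits = []
    for e in events:
        if (e["type"] == "reg_set" and e["value_type"] == "REG_BINARY"
                and e["key"].lower().startswith("hkcu\\console\\")):
            hits.append(f"pid {e['pid']} wrote {e['size']}-byte REG_BINARY to {e['key']}")
    return hits


def rule_signed_host_unsigned_dll(events: List[Dict]) -> List[str]:
    """Sideload recommendation: a signed binary started from a temp directory
    that later loads an unsigned DLL from that same directory."""
    hits, temp_hosts = [], {}  # pid -> directory of the signed temp-dir binary
    for e in events:
        img = e.get("image", "")
        if (e["type"] == "process_create" and e["signed"]
                and any(m in img.lower() for m in TEMP_MARKERS)):
            temp_hosts[e["pid"]] = _dir(img)
        elif (e["type"] == "image_load" and not e["signed"]
                and temp_hosts.get(e["pid"]) == _dir(img)):
            hits.append(f"pid {e['pid']} loaded unsigned {ntpath.basename(img)} "
                        f"from its own temp directory")
    return hits


def rule_rwx_then_thread(events: List[Dict]) -> List[str]:
    """Memory recommendation: RWX allocation in a remote process followed by a
    thread created in that process by the same source."""
    hits, rwx = [], set()  # (source pid, target pid) pairs with an RWX allocation
    for e in events:
        if e["type"] == "mem_alloc" and e["protect"] == "PAGE_EXECUTE_READWRITE":
            rwx.add((e["pid"], e["target_pid"]))
        elif e["type"] == "remote_thread" and (e["pid"], e["target_pid"]) in rwx:
            hits.append(f"pid {e['pid']} created a thread in {e['target_image']} "
                        f"(pid {e['target_pid']}) after an RWX allocation")
    return hits


def evaluate(events: List[Dict]) -> Dict[str, List[str]]:
    return {
        "registry_blob": rule_registry_blob(events),
        "signed_host_unsigned_dll": rule_signed_host_unsigned_dll(events),
        "rwx_then_thread": rule_rwx_then_thread(events),
    }


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(name, hits)
```

Mapping these onto a real sensor means substituting its event names, but the shape stays: keep a small amount of state keyed by pid (or by source/target pid pair) so that the DLL load or the thread creation is judged in the context of what the same process did a moment earlier.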
Appendix
IOCs
| Indicator Type | Indicator | Comments |
|---|---|---|
| SHA256 hash | 77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2 | Stage 1 |
| SHA256 hash | fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19 | Stage 2 |
| SHA256 hash | f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa | Stage 3 |
| SHA256 hash | 068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c | Stage 4 |
| Domain | ggwk[.]cc | Embedded domain within decoy attachment |
| Domain | b[.]yuxuanow[.]top | Shellcode C2 |
| IP | 45.207.231[.]94 | Resolution of ggwk[.]cc |
| IP | 103.20.195[.]147 | Resolution of b[.]yuxuanow[.]top |
Silver Fox Infrastructure Found After Pivoting
| Indicator Type | Indicator | IP Address |
|---|---|---|
| Domain | itdd[.]club | 45.207.231[.]107 |
| Domain | xzghjec[.]com | 8.217.9[.]165 |
| Domain | gov-a[.]work | 160.124.9[.]103 |
| Domain | gov-a[.]fit | 160.124.9[.]103 |
| Domain | gvo-b[.]club | 160.124.9[.]103 |
| Domain | gov-c[.]club | 160.124.9[.]103 |
| Domain | gov-a[.]club | 160.124.9[.]103 |
| Domain | govk[.]club | 160.124.9[.]103 |
| Domain | dingtalki[.]cn | 47.239.225[.]43 |
| Domain | hhiioo[.]cn | 43.100.22[.]158 |
| Domain | kkyui[.]club | 43.100.22[.]158 |
| Domain | hhimm[.]work | 43.100.22[.]158 |
| Domain | swjc2025bjkb[.]cn | 43.100.123[.]207 |
| Domain | 2025swmm[.]cn | 43.100.123[.]207 |
| Domain | hhiioo[.]work | 43.100.63[.]145 |
MITRE Mapping
| ATT&CK Tactic | Technique ID | Technique Name | Evidence from Report |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Income-tax themed PDF delivered via email |
| Initial Access | T1204.002 | User Execution: Malicious File | User opens PDF leading to payload download |
| Execution | T1059 | Command and Scripting Interpreter | NSIS installer-driven execution logic |
| Execution | T1106 | Native API | Use of GetTempPathA, VirtualAllocEx, WriteProcessMemory |
| Execution | T1129 | Shared Modules | Signed Thunder.exe loads malicious DLL |
| Execution | T1620 | Reflective Code Loading | Donut-generated shellcode executed entirely from memory |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Registry-stored plugins persist across reboots |
| Persistence | T1112 | Modify Registry | Configuration and plugins stored as REG_BINARY values |
| Defense Evasion | T1574.001 | DLL Search Order Hijacking | Malicious libexpat.dll loaded from writable directory |
| Defense Evasion | T1218 | Signed Binary Proxy Execution | Abuse of digitally signed third-party binary |
| Defense Evasion | T1027 | Obfuscated Files or Information | Encrypted payload (box.ini) decrypted at runtime |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Anti-debugging, resource checks, sandbox detection |
| Defense Evasion | T1562.001 | Disable or Modify Tools | Stops Windows Update service (wuauserv) |
| Discovery | T1057 | Process Discovery | Enumerates processes to detect analysis tools |
| Discovery | T1082 | System Information Discovery | System resource and environment checks |
| Command and Control | T1071.001 | Web Protocols | HTTP/HTTPS C2 communication |
| Command and Control | T1095 | Non-Application Layer Protocol | Raw TCP socket C2 supported via t* flags |
| Command and Control | T1105 | Ingress Tool Transfer | Plugins and modules delivered from C2 |
| Command and Control | T1573 | Encrypted Channel | Encrypted configuration and payloads |
| Command and Control | T1008 | Fallback Channels | Three-tier C2 with failover after connection failures |
| Command and Control | T1041 | Exfiltration Over C2 Channel | Keylogging and command responses sent over C2 |
| Collection | T1056.001 | Input Capture: Keylogging | Keylogger enabled via kl feature flag |
| Impact | T1489 | Service Stop | Windows Update service disabled |
References
Intelligence source and information reliability - Wikipedia
Traffic Light Protocol - Wikipedia
https://x.com/malwrhunterteam/status/2002002468612280755
https://archive.ph/TJFVy
Valley RAT
https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/
Prajwal Awasthi
Prajwal is a Malware Analyst at Cloudsek, specializing in reverse engineering and threat intelligence. He focuses on uncovering new threats through malware research, with a background in Offensive Security and Windows Internals.
Koushik Pal
Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.