SilverFox

SilverFox is a Chinese-speaking, Chinese-origin threat actor assessed in the provided reporting as targeting primarily Chinese-speaking users, including mainland Chinese users, and also organizations and users in Taiwan and Japan. Multiple sources in the content describe the group as China-based or Chinese-nexus; one source characterizes it as a suspected financially motivated threat actor with infrastructure inside and targeting China. Reported malware associated with SilverFox includes ValleyRAT, Winos 4.0, Gh0stRAT/Ghost RAT, HoldingHands RAT (Gh0stBins), Gh0stCringe RAT, and RustyStealer. The content also notes the alias YouSnake. Across the cited campaigns, SilverFox commonly uses social engineering and trojanized software distribution. Observed lures include fake Microsoft Teams download sites shared on X, trojanized installers masquerading as Trend Micro Titanium, trojanized Arma 3 server software, fake censorship-bypass tools, HR and disciplinary-investigation documents, banking fraud guidance, fake meeting-room reservation software, Telegram and Doubao AI installers, game cheats, Cloudflare tunnel installers, Oray remote desktop tools, and politically themed documents. The group has used Chinese-language lure content extensively and in some cases geofenced execution to Chinese locales. Execution and evasion techniques described in the content include NSIS installers, modified WinRAR SFX archives, DLL sideloading via legitimate binaries such as Tencent GameBox.exe, WeChat components, and techps.exe, process hollowing and injection, reflective loading, API hashing, AES and XOR decryption of staged payloads in memory, custom VM-based obfuscation, anti-debugging and anti-VM checks, forged metadata and timestamps, hidden files and directories, Windows Defender exclusions via PowerShell Add-MpPreference, persistence via services, Run keys, scheduled tasks, COM hijacking, and registry-based configuration or persistence indicators. SilverFox has also been reported using BYOVD to terminate security processes and, in one Check Point summary, compromised PHP servers exposed to remote code execution to install ValleyRAT via msiexec from a remote MSI URL. Reported post-compromise capabilities include remote shell access, file upload and download, screen capture, keylogging, clipboard theft and monitoring, active-window/activity logging, credential harvesting, system fingerprinting and discovery, and exfiltration of collected data to command-and-control infrastructure. One campaign also included cryptocurrency clipboard hijacking. Infrastructure described in the content spans Tencent Cloud historically, with later use of AWS Hong Kong, Alibaba Cloud, Huawei Cloud, SonderCloud, Cloudbays, Fastmos, Vultr Singapore, SpeedVM/LeaseKVM, ANTBOX Networks, Amazon S3, and domains such as usd56789.com, cn-teams.com, vbnghyyttz.cn, aikkk.net, ios163.com, qn666.us, and cdklskjd.cn. Several reports highlight recurring Chinese-oriented infrastructure patterns and OPSEC failures, including WHOIS records naming Peng Benbo and the email di823748@163.com. The content links SilverFox strongly to ValleyRAT/Winos 4.0 activity and notes lineage from Gh0stRAT. It also references sub-group or campaign labels including Trojan/SilverFox.bg[qtsc] and mentions the alias YouSnake. High-confidence victimology and tradecraft in the provided material center on Chinese-speaking targets, with additional targeting of Taiwan and Japan.