Chinese threat actors operating under the name Silver Fox are targeting Indian organizations through sophisticated phishing campaigns that impersonate legitimate income tax documents. <\/p>\n
The attack campaign uses authentic-looking Income Tax Department emails to trick users into downloading a malicious executable disguised as a tax-related file. <\/p>\n
Once clicked, victims are redirected to a command-and-control server, which initiates a complex infection chain designed to bypass security defenses and establish persistent access to compromised systems.<\/p>\n
The attack begins with a deceptive email<\/a> containing a PDF attachment bearing an Indian company name. When opened, the PDF leads to a malicious website that downloads a file named \u201ctax_affairs.exe\u201d. <\/p>\n This initial payload serves as a loader for multiple stages of malware, each designed to hide its true purpose while maintaining deep access to victim systems. <\/p>\n The threat demonstrates how attackers leverage socially engineered documents combined with trusted file formats to overcome traditional security controls.<\/p>\n CloudSEK analysts identified<\/a> the malware in the second paragraph of the investigation, revealing that the campaign had previously been misattributed to other threat groups. <\/p>\n The discovery highlights how accurate threat attribution prevents organizations from deploying incorrect defensive measures against the actual adversary. <\/p>\n Understanding the true source of attacks enables security teams to anticipate future tactics and implement targeted countermeasures specific to Silver Fox\u2019s operational patterns.<\/p>\n The infection mechanism relies on a technique called DLL hijacking<\/a> to activate the main payload. The first stage drops a legitimate executable called Thunder.exe, developed by the Chinese software company Xunlei. <\/p>\n This signed binary is weaponized by placing a malicious DLL file named libexpat.dll in the same temporary directory. When Thunder.exe runs, Windows loads the fake DLL instead of the genuine one due to the default DLL search order, executing the attacker\u2019s code while appearing completely legitimate.<\/p>\n The malicious DLL implements extensive anti-analysis capabilities before engaging in actual infection activities. <\/p>\n It scans running processes to detect security research tools and sandboxes<\/a>, then checks system resources to ensure the machine meets minimum requirements for infection. If analysis tools are found, the malware terminates itself to avoid detection. <\/p>\n Once the system passes these checks, the DLL disables Windows Update services and loads an encrypted file called box.ini from the temporary directory. <\/p>\n This encrypted payload is decrypted using hardcoded cryptographic keys<\/a> and executed as raw machine code directly in system memory, leaving minimal traces on the hard drive.<\/p>\n The final payload is Valley RAT, a remote access tool that establishes a permanent command and control infrastructure on infected systems. <\/p>\n Valley RAT uses a sophisticated three-tier failover system to maintain contact with attacker servers, automatically switching between primary, secondary, and tertiary command centers if connections fail. <\/p>\n The malware stores its configuration in the Windows registry<\/a> as binary data, allowing attackers to update command and control addresses without reinstalling the malware. <\/p>\n It supports multiple communication protocols, including HTTP, HTTPS, and raw TCP sockets, making it difficult to block using simple network filtering. <\/p>\n Once installed, Valley RAT can execute attacker commands, capture keyboard input, harvest credentials<\/a>, transfer files, and deploy additional malicious modules on demand. <\/p>\n The modular architecture allows operators to customize each infection with specialized capabilities tailored to the target\u2019s value and role within the compromised organization, making this a particularly dangerous threat to Indian enterprises.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Silver Fox Hackers Attacking Indian Entities with Income Tax Phishing Lures<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Kill](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgvPVQRwAig10DDQWTCDnlGTzk6xuPCVKiXxUBGyim3LoFqh0hAJ3s8ONB5Gv_9scQT8dgXuM5QUoWS1x6JCNFDV6wLMrlOAZBjgC4huFgb4L09NULCTiTDrhJqA_dxPJSkAl8XPA1U_O0m7f_GGU2NUyEqP4URg4FrfOw9-Wrq4YM32qneaHRztQmxIC8\/s16000\/Kill%2520chain%2520%28Source%2520-%2520CloudSEK%29.webp?ssl=1\")
DLL hijacking<\/strong><\/h2>\n
![\"PDF](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3Bn_X0ZOu4uSvavYZlPX2tfmqd1c7jTEfIv6a95ew4GE6BwkTdA_knQbfY26J-inN-DQjODrlT-k0HjEJs-l0UqiVGyOpABO-9Fb17-uPUrhLg-IN5KbQH1e9wawNDYswsDWQR4gqerGfoBzwooqp9Jw0KsoFLnI6D2uTNZF1tc85Oacrydd7cRcPW8Y\/s16000\/PDF%2520Decoy%2520%28Source%2520-%2520CloudSEK%29.webp?ssl=1\")
![\"Process](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEirbnblI09qYeiJSua5MJl8dbmqAgPbOaEONFBQFMb8s6bKBMTAKe5_3Imsv4-kZQPi6rCb94jaG_Y_whEDmwhCWc_RCsTSFK93JE5M4cHIjxsiJMLcTrEdT3qASJ56BbE2IP8_Pij0qGVtzL8TcAaC7TwBo7eGM0X-FjU-xFmwQvUGd6jxw_JxXQMBk_o\/s16000\/Process%2520Injection%2520%28Source%2520-%2520CloudSEK%29.webp?ssl=1\")