Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware
Silver Fox (also known as Void Arachne) is a China-based threat actor conducting dual-purpose campaigns in South Asia that blend financial cybercrime with APT-style espionage. Recent operations leverage tax-themed phishing to deliver evolving payloads, transitioning from the ValleyRAT backdoor to abused legitimate RMM tools, and most recently, a custom Python-based stealer disguised as a WhatsApp application.
Authors: Sekoia TDR
Source: Sekoia.io
- Domain: 9010[.]360sdgg[.]com - Command and Control (C2) server associated with ValleyRAT.
- Domain: xqwmwru[.]top - Command and Control (C2) server for the custom Python-based stealer mimicking WhatsApp.
- SHA256: e2b75baeb7ed21fb8f27984f941286770d1c3c0b60fce8d7fa5b167bd24ba6dc - Malicious PDF document impersonating Taiwanese tax authorities used to deliver ValleyRAT.
- URL: hxxps://6-1321729461[.]cos[.]ap-guangzhou[.]myqcloud[.]com/lnstaller.msi - Cloud storage URL used to host the second-stage payload.
Key Takeaways
- Silver Fox transitioned its payload delivery from ValleyRAT to abused legitimate RMM tools, and most recently to a custom Python-based stealer disguised as WhatsApp.
- The threat actor consistently uses culturally relevant tax authority and payroll lures to target entities across South Asia.
- Silver Fox maintains a dual-track operational model, conducting both sophisticated APT-style espionage and opportunistic, financially motivated cybercrime.
- The group abuses a misconfiguration in a legitimate Chinese RMM tool: the installer takes its C2 address from its own filename (e.g., [ipv4]ClientSetup.exe, such as 45.119.55.66ClientSetup.exe), so no separate configuration file or command-line argument is needed to point the tool at attacker infrastructure.
Affected Systems
- Windows
Attack Chain
The attack begins with tax-themed phishing emails containing either malicious PDFs or links to fake tax authority websites. In earlier waves, a PDF triggered a ZIP download containing a shellcode DLL and executable to deploy ValleyRAT. Later waves directed victims to download an archive containing a legitimate, misconfigured Chinese RMM tool that extracts its C2 address from its own filename. Most recently, the payload shifted to a custom Python stealer that mimics WhatsApp, collecting system artifacts and exfiltrating them to a C2 server.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides extensive Indicators of Compromise (IOCs) including file hashes, domains, and IP addresses, but does not include pre-written detection rules.
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions can detect the execution of anomalous binaries (like the Python stealer or renamed RMM tools), DLL side-loading, and the creation of specific file paths like C:\WhatsAppBackup.
- Network Visibility: High. The use of a specific User-Agent (WhatsAppBackup/1.0), known C2 domains, and predictable URL patterns (/upload_large.php) provides strong network detection opportunities.
- Detection Difficulty: Moderate. While the threat actor uses legitimate RMM tools and signed binaries to evade initial detection, the predictable file naming conventions, specific drop paths, and custom User-Agent make behavioral detection feasible.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Creation (Sysmon 11)
- Network Connections (Sysmon 3)
- DNS Queries (Sysmon 22)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Hunt for process executions where the filename matches an IPv4 address pattern followed by 'ClientSetup.exe', indicating potential RMM abuse. | Process Creation (Event ID 4688 / Sysmon 1) | Execution | Low |
| Search for network connections utilizing the custom User-Agent 'WhatsAppBackup/1.0', which is associated with the Python stealer. | Network Connections / Web Proxy Logs | Command and Control | Low |
| Look for the creation of unexpected ZIP or lock files in the C:\WhatsAppBackup\ or %TEMP% directories, specifically 'WhatsAppData.zip' or 'whatsapp_backup.lock'. | File Creation (Sysmon 11) | Collection | Low |
| Identify PDF reader applications initiating network connections to cloud storage domains like myqcloud.com, suggesting a malicious PDF downloading a second-stage payload. | Network Connections (Sysmon 3) | Execution | Medium |
Control Gaps
- Email filtering bypassed by phishing sent from hijacked legitimate sender addresses
- Application control allowing execution of signed but vulnerable/misconfigured RMM tools
Key Behavioral Indicators
- Filename containing an IPv4 address (e.g., 45.119.55.66ClientSetup.exe)
- User-Agent: WhatsAppBackup/1.0
- File path C:\WhatsAppBackup\WhatsAppData.zip
- PE signature thumbprint F9EAAB0F05BD38A251427A05F95386CA7CEDDCE8
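The four hunting hypotheses and the behavioral indicators listed above can be turned directly into detection logic. The block below is an added example written for this page, not code from Sekoia or from the report: it normalises Sysmon-style events and web proxy records into plain dicts, runs the four hunts over a constructed sample set, and validates the dotted quad embedded in the RMM filename so that malformed names like 999.1.1.1ClientSetup.exe do not fire. The set of PDF reader process names is an assumption; adjust it to the readers deployed in your estate.

```python
import ipaddress
import ntpath
import re

# Filename-embedded C2: a dotted quad immediately followed by ClientSetup.exe
RMM_FILENAME_RE = re.compile(
    r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3})ClientSetup\.exe$", re.IGNORECASE
)
STEALER_USER_AGENT = "WhatsAppBackup/1.0"
STEALER_ZIP_PATH = r"c:\whatsappbackup\whatsappdata.zip"
STEALER_LOCK_NAME = "whatsapp_backup.lock"      # lives under %TEMP%, so match the basename
CLOUD_STORAGE_SUFFIX = ".myqcloud.com"
# Assumed set of PDF reader process names (not from the report); extend as needed.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "foxitpdfreader.exe"}


def c2_from_rmm_filename(image_path: str):
    """Return the C2 address embedded in an RMM installer filename, or None.

    Only the basename is examined, and the dotted quad must parse as a valid
    IPv4 address, so a plain ClientSetup.exe or 999.1.1.1ClientSetup.exe is ignored.
    """
    match = RMM_FILENAME_RE.match(ntpath.basename(image_path))
    if not match:
        return None
    try:
        return str(ipaddress.IPv4Address(match.group("ip")))
    except ipaddress.AddressValueError:
        return None


def hunt(events):
    """Apply the four hunting hypotheses to normalised event dicts.

    Each event carries an 'event' key (process, network, file or proxy) plus
    Sysmon-style field names; findings come back as (hypothesis, evidence) tuples.
    """
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process":                      # Sysmon 1 / 4688
            c2 = c2_from_rmm_filename(ev.get("Image", ""))
            if c2:
                findings.append(("rmm_filename_c2", c2))
        elif kind == "network":                    # Sysmon 3
            image = ntpath.basename(ev.get("Image", "")).lower()
            host = ev.get("DestinationHostname", "").lower()
            if image in PDF_READERS and host.endswith(CLOUD_STORAGE_SUFFIX):
                findings.append(("pdf_reader_cloud_download", host))
        elif kind == "file":                       # Sysmon 11
            target = ev.get("TargetFilename", "")
            if (target.lower() == STEALER_ZIP_PATH
                    or ntpath.basename(target).lower() == STEALER_LOCK_NAME):
                findings.append(("stealer_staging_file", target))
        elif kind == "proxy":                      # web proxy / HTTP logs
            if ev.get("user_agent") == STEALER_USER_AGENT:
                findings.append(("stealer_user_agent", ev.get("url", "")))
    return findings


# Constructed sample telemetry (not real logs); hosts and IPs are taken from the IOC list.
SAMPLE_EVENTS = [
    {"event": "process", "Image": r"C:\Users\bob\Downloads\45.119.55.66ClientSetup.exe"},
    {"event": "process", "Image": r"C:\Program Files\Vendor\ClientSetup.exe"},
    {"event": "process", "Image": r"C:\Temp\999.1.1.1ClientSetup.exe"},
    {"event": "network", "Image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "DestinationHostname": "6-1321729461.cos.ap-guangzhou.myqcloud.com"},
    {"event": "network", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "example.cos.ap-guangzhou.myqcloud.com"},
    {"event": "file", "TargetFilename": r"C:\WhatsAppBackup\WhatsAppData.zip"},
    {"event": "file", "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\whatsapp_backup.lock"},
    {"event": "proxy", "user_agent": "WhatsAppBackup/1.0",
     "url": "https://xqwmwru.top/upload_large.php"},
    {"event": "proxy", "user_agent": "Mozilla/5.0", "url": "https://example.org/"},
]

if __name__ == "__main__":
    for hypothesis, evidence in hunt(SAMPLE_EVENTS):
        print(f"{hypothesis}: {evidence}")
```

In production the event dicts would come from a SIEM export or the Sysmon event log rather than the inline list; the only field names the logic relies on are Image, DestinationHostname, TargetFilename and the proxy user_agent/url pair, so adapting it to another schema is a matter of renaming keys.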
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block all provided C2 IP addresses and phishing domains at the firewall and web proxy.
- Search endpoint telemetry for the presence of the identified file hashes and specific file paths (e.g., C:\WhatsAppBackup).
Infrastructure Hardening
- Implement application control to block unauthorized RMM tools, even if digitally signed.
- Restrict access to cloud storage domains (e.g., myqcloud.com) if not required for business operations.
User Protection
- Deploy EDR solutions configured to detect DLL side-loading and anomalous child processes spawned from PDF readers or archive utilities.
- Ensure email security gateways are configured to inspect links and attachments for known malicious patterns.
Security Awareness
- Train employees to recognize tax-themed phishing lures and verify the authenticity of unexpected financial or audit-related emails.
- Educate users on the risks of downloading software from unofficial sources or links embedded in emails.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1204.002 - User Execution: Malicious File
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1036.005 - Masquerading: Match Legitimate Name or Location
- T1219 - Remote Access Software
- T1005 - Data from Local System
- T1048 - Exfiltration Over Alternative Protocol
Additional IOCs
- IPs:
  - 154[.]201[.]87[.]124 - Fake WhatsApp Python stealer C2 IP address
  - 154[.]201[.]87[.]75 - Phishing website IP hosting the Python stealer
  - RMM tool C2 addresses extracted from the installer filename:
    - 115[.]187[.]17[.]212
    - 112[.]121[.]183[.]102
    - 156[.]251[.]18[.]45
    - 206[.]238[.]178[.]116
    - 112[.]213[.]120[.]164
    - 47[.]85[.]99[.]19
    - 216[.]250[.]104[.]166
    - 45[.]119[.]55[.]66
    - 69[.]30[.]250[.]99
    - 103[.]228[.]12[.]151
    - 103[.]97[.]128[.]142
    - 156[.]254[.]5[.]118
    - 156[.]251[.]18[.]238
    - 112[.]121[.]183[.]106
    - 45[.]119[.]55[.]112
    - 115[.]187[.]17[.]68
    - 103[.]231[.]12[.]45
    - 103[.]97[.]128[.]103
    - 45[.]194[.]37[.]147
    - 220[.]167[.]103[.]145
    - 103[.]97[.]128[.]109
    - 130[.]250[.]191[.]46
    - 103[.]203[.]48[.]174
    - 154[.]91[.]84[.]3
    - 93[.]127[.]142[.]77
    - 220[.]167[.]103[.]160
    - 154[.]12[.]87[.]28
    - 150[.]109[.]79[.]82
    - 220[.]167[.]103[.]158
    - 170[.]205[.]54[.]88
    - 116[.]213[.]43[.]23
    - 103[.]231[.]12[.]23
    - 222[.]186[.]190[.]138
    - 103[.]70[.]76[.]130
    - 154[.]44[.]28[.]175
- Domains (phishing websites used by Silver Fox):
  - ksdfuefagfrukayhfka[.]eu[.]cc
  - rdhrse[.]qpon
  - googlevip[.]icu
  - oytdwzz[.]shop
  - cocdex[.]cn
  - nao[.]nnnwin[.]vip
  - googlehfgj[.]cyou
  - fhauifhyileydhfl[.]com
  - megamovielord[.]com
  - fzdoor[.]vip
  - amvcoins[.]vip
  - peyvz[.]com
  - sdyteq[.]shop
  - ksudeu[.]nanguanglu[.]com
  - domainct[.]com
  - host-hunter[.]com
  - domainca[.]top
  - fghs[.]shlowcarbon[.]com
  - jinmai[.]vip
  - opkllasyy[.]shop
  - fdfhddfss[.]top
  - udste[.]xidyuyedg[.]qpon
  - swy[.]juanseguros[.]com
  - primetechstocks[.]com
  - juanseguros[.]com
  - mohaazon[.]com
  - fkfjrvfa[.]cn
  - zibenbang[.]vip
  - zptsgryw[.]cn
  - betooo[.]vip
  - czxfdz[.]com
  - sgeshex[.]vip
  - eaxwwyr[.]cn
  - wwfygid[.]biz[.]id
  - sgegdvip[.]vip
  - morecoworking[.]com
  - gov[.]incometax[.]click
  - yigushengjin[.]com
  - gofjasj[.]help
  - isyraw[.]quidoaehse[.]icu
  - xueshirencai[.]com
  - wgooglegoogle[.]com
  - gfmqvip[.]vip
  - yvxyngw[.]cn
- URLs:
  - hxxps://00-1321729461[.]cos[.]ap-guangzhou[.]myqcloud[.]com/2024.7z - Cloud storage URL hosting malicious archive
  - hxxps://xqwmwru[.]top/upload_large.php - Python stealer data exfiltration endpoint
  - hxxps://xqwmwru[.]top/upload_status.php - Python stealer data exfiltration endpoint
  - hxxps://xqwmwru[.]top/admin/login.php - Python stealer C2 login panel
- File Hashes (SHA256, archives dropping the RMM tool):
  - 055c3fff8f1f58a41e7571b9bd7ebf4b1b10ba5231f1ffbcb47e0307d7ff6072
  - 06ecf34ecf1f3f56a1760b8757b978d6bd859adcf699af4adfbeb0982e41282a
  - 18cb036bcc7aacf7393575ddf15133e24d3a22cc92a4b14e8595686e4bf80629
  - 249d2d1d6cfcf34d48ac0465ede688759a3c90b7412723373ea5a434d6d64c9c
  - 2a4eab726a878a74dcad41d090681a7fa78d9247b1812e5c3066d7a1aa0413b1
  - 316cbc90ad71a421e571b529af2dee40f901b15b4bc549836c25f1be35597249
  - 36e0368dd4c3c9c70a78050618797705cda87a017e41777968c6b4b9173f553f
  - 3f8e2ef8a5e7b8f8d14e43032ad2b18f0a4fb168609494fd346dcdfe1127a5cd
  - 616be8ba3383909b2b04c87bcb9ca0707f5a19a8eaa6fc1e552181baa4e3e0aa
  - 75bf89f0369b6eef1e2931e6da67a9d4f3095b9a623e6e8fdddf7fee66cc7cc0
  - 80f7f10bcddafaec497a2de78dd3d2a53b72f27bb72e7939443539115f7e2168
  - 8c54e6d91d95885beae125b30ab9096bd341e12be08dec3aeb859e539dc77d47
  - 98be97a6f4663d04cf5382f4ed046b479af1dd300d0ab3fa7a399ab15078d7a0
  - a6fd51bf2da2c2544ff78ef1824c30d4feef9a77c824f36d9afd2c6093c9b6ae
  - a8d193e49e6c9c6d7c32ea807d22311bd1b110f2326b8a96c67978ecc6862ee6
  - a8edb8fb1cf83031a454b5f39ffab0b1d93448cb3b9794246507e35ba0036801
  - ae243178e201c6ee475e4498cade0d21ef22b8a6923322576115b0888e189013
  - aed5ce23aa11f28e063c8b1b0836d3dbd059d93867e8e828a8356770ee185d1b
  - d49bd211364594c671c4e34a31afb75becc69b32b45b140ed0d200f4b05868c6
  - d91ea2ec158e871408229ec2f7a8fe78a8d30ed0db42f73fe9e31875b30b17c2
  - eb4a53145734d1ef612897337b1fc3375209598c427590731bb87de3bd8f9bb0
  - fc43d1640d94ef621c82a4d3a0406df3443b39043c4ddef0a23608c186c307e8
- File Paths:
  - c:\users\public\download\bb.jpg - ValleyRAT configuration file downloaded to the public directory
  - C:\WhatsAppBackup\WhatsAppData.zip - Archive created by the Python stealer containing exfiltrated data
  - %TEMP%\whatsapp_backup.lock - Lock file created by the Python stealer
  - python311.dll - Shellcode DLL used to execute the final stage
  - 查看10.exe - Executable dropped alongside the shellcode DLL
- Other:
  - WhatsAppBackup/1.0 - Custom User-Agent used by the Python stealer