Silver Fox Campaign Targets India With Tax Themed Phishing Lures and Remote Access Malware
A threat actor known as Silver Fox has been observed targeting individuals and organisations in India using tax themed phishing campaigns designed to deliver remote access malware. The activity, uncovered through recent threat research, shows a focused effort to exploit trust in government related communications, particularly around taxation and compliance.
The campaign highlights how attackers continue to weaponise locally relevant themes to increase success rates, combining social engineering with multi stage malware delivery techniques.
Overview of the Silver Fox campaign
The Silver Fox operation relies on phishing emails crafted to appear as legitimate tax related notices. These messages lure victims into downloading malicious files disguised as official documents or executables. Once executed, the payload establishes remote access, giving attackers persistent control over the compromised system.
Researchers note that the campaign shows signs of careful planning, with decoy content embedded to evade detection and infrastructure designed to support command and control communications.
Tax themed phishing as an entry point
The phishing emails leverage themes such as tax refunds, assessments, or compliance notices, which are particularly effective in India during tax filing periods. Victims are prompted to open attachments or click links that appear to relate to official tax matters.
These lures exploit urgency and authority, increasing the likelihood that recipients will bypass caution and interact with the malicious content.
Malware delivery and execution
Once the phishing lure is successful, victims are directed to download a malicious executable. In observed cases, a file named “tax affairs.exe” was used as the initial payload. This executable then loads a malicious dynamic link library, enabling further stages of the attack.
The malware is associated with ValleyRAT, a remote access trojan that allows attackers to execute commands, harvest data, and maintain long term access to infected systems.
Persistence and control mechanisms
After execution, the malware establishes persistence using registry based storage. Plugins and additional components are stored in binary form within user specific registry paths, allowing the malware to survive reboots and evade simple file based detection.
Command and control traffic is routed through attacker controlled domains and IP addresses, some of which are shared across multiple stages of the campaign.
Indicators of Compromise
The following indicators have been linked to the Silver Fox campaign targeting India. These can be used by defenders to aid detection, hunting, and response activities.
File Hashes (SHA256)
Stage specific payloads observed include:
77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2 (Stage 1)
fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19 (Stage 2)
Additional hashes related to later stages have also been identified.
Malicious Domains
ggwk[.]cc – decoy embedded in PDF and used for command and control
b[.]yuxuanow[.]top – shellcode command and control endpoint
Multiple additional domains have been observed sharing the same favicon, indicating related infrastructure.
IP Addresses
103.20.195[.]147 – observed resolving for b[.]yuxuanow[.]top
45.207.231[.]94 – observed resolving for ggwk[.]cc
Other command and control IPs have been identified during analysis.
File Names
tax affairs.exe – initial malicious executable delivered via phishing lure
libexpat.dll – malicious DLL loaded by Thunder.exe during execution
Registry Paths
HKCU\Console\33f351d4aeede5e608853d1d56661059
This registry key is used to store binary plugin data and maintain persistence for ValleyRAT.
Why this campaign is concerning
The Silver Fox activity demonstrates how threat actors continue to refine phishing campaigns by aligning them closely with local administrative and financial processes. The use of registry based persistence and staged payloads complicates detection and cleanup efforts.
Remote access malware deployed in this way can enable data theft, surveillance, and further lateral movement within affected environments.
Defensive recommendations
Organisations and individuals should be cautious of unsolicited tax related emails, particularly those urging immediate action or attachment downloads. Executables should never be run from email sources, even if they appear to reference official matters.
From a defensive standpoint, monitoring for the listed indicators, restricting execution of unknown binaries, and auditing suspicious registry modifications can help identify infections early.
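A defender-side hunt for the registry persistence and file indicators described above, written as an added example that is not code from the original report: it checks for the report's HKCU\Console key, flags any sizeable REG_BINARY data or hex-named subkeys under HKCU\Console (genuine Console subkeys hold small per-window settings), and hashes likely drop locations against the listed SHA256 values. The 1 KB size threshold and the scan directories are assumptions chosen for illustration.

```powershell
# Added hunting script (not from the original report). Run as the affected user, since HKCU is per-user.
# Key, hashes and file names below are the report's own; thresholds and paths are assumptions.

$KnownBadKey    = 'HKCU:\Console\33f351d4aeede5e608853d1d56661059'
$KnownBadSha256 = @(
    '77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2',  # Stage 1
    'fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19'   # Stage 2
)
$KnownBadNames  = @('tax affairs.exe', 'libexpat.dll')

function Find-SuspiciousConsoleValues {
    param([int]$SizeThreshold = 1024)   # assumption: legitimate Console values are far smaller than 1 KB
    $hits = @()
    if (Test-Path $KnownBadKey) {
        $hits += [pscustomobject]@{ Key = $KnownBadKey; Value = '*'; Size = $null; Reason = 'Known ValleyRAT plugin key' }
    }
    foreach ($key in Get-ChildItem 'HKCU:\Console' -ErrorAction SilentlyContinue) {
        # Console subkeys are normally named after a window title or executable path, not a 32-char hex string
        $hexName = $key.PSChildName -match '^[0-9a-fA-F]{32}$'
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne 'Binary') { continue }
            $size = $key.GetValue($name).Length
            if ($size -ge $SizeThreshold -or $hexName) {
                $hits += [pscustomobject]@{ Key = $key.PSPath; Value = $name; Size = $size; Reason = 'Unexpected REG_BINARY under Console' }
            }
        }
    }
    $hits
}

function Find-KnownBadFiles {
    param([string[]]$Roots = @("$env:USERPROFILE\Downloads", "$env:TEMP"))  # assumption: typical drop locations
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($KnownBadNames -contains $_.Name.ToLower()) -or ($_.Extension -in @('.exe', '.dll')) } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $hashHit = $hash -and ($KnownBadSha256 -contains $hash.ToLower())
            $nameHit = $KnownBadNames -contains $_.Name.ToLower()
            if ($hashHit -or $nameHit) {
                [pscustomobject]@{ Path = $_.FullName; Sha256 = $hash; Reason = 'Matches Silver Fox indicator' }
            }
        }
}

Find-SuspiciousConsoleValues | Format-Table -AutoSize
Find-KnownBadFiles           | Format-Table -AutoSize
```

A name-only match on libexpat.dll is a lead rather than a verdict, since the file name is shared with a legitimate library; confirm with the hash or by checking which process loads it.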
Looking ahead
As tax themed lures continue to prove effective, similar campaigns are likely to persist, especially during filing seasons. The Silver Fox campaign serves as a reminder that social engineering remains a powerful initial access vector, even as technical controls improve.
Continued threat intelligence sharing and user awareness will be critical in reducing the impact of such targeted phishing operations.