Chinese Cybercrime Group Uses Income-Tax Phishing to Deploy ValleyRAT in India
A China-linked cybercrime group tracked as Silver Fox has turned its focus to India, deploying income tax-themed phishing emails to deliver a modular remote access trojan known as ValleyRAT, researchers at CloudSEK and other security firms have reported.
CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week that the campaign leverages a complex kill chain that includes DLL hijacking and a modular RAT to ensure persistence on compromised hosts.
Silver Fox — also tracked under labels including SwimSnake, The Great Thief of Valley, UTG-Q-1000 and Void Arachne — has been active since 2022. The group has executed campaigns with diverse motives ranging from espionage and intelligence collection to financial gain, cryptocurrency mining and operational disruption, making it notable for a multi-pronged approach to intrusion activity. Although the actor has primarily targeted Chinese-speaking individuals and organisations, its victimology has expanded to include public, financial, medical and technology sectors.
CloudSEK documented an infection chain that begins with phishing emails containing decoy PDF attachments purporting to originate from India's Income Tax Department. Recipients who open the PDF are redirected to the ggwk[.]cc domain, where a ZIP archive named "tax affairs.zip" is downloaded.
The archive contains a Nullsoft Scriptable Install System (NSIS) installer named "tax affairs.exe." That installer uses a legitimate executable associated with the Thunder download manager for Windows (thunder.exe) alongside a rogue DLL (libexpat.dll) that is sideloaded by the binary.
The malicious DLL performs several actions before delivering the final payload: it disables the Windows Update service, conducts anti-analysis and anti-sandbox checks, and acts as a conduit for a Donut loader. The loader then injects the ValleyRAT payload into a hollowed explorer.exe process.
Once deployed, ValleyRAT establishes communication with an external command-and-control server and awaits further instructions. The malware implements a plugin-oriented architecture that permits operators to deliver modules on demand. According to CloudSEK, registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining "low-noise," and "on-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value." Reported plugin capabilities include keylogging, credential harvesting and defense evasion.
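The chain described above leaves three telemetry artefacts a defender can hunt for without any ValleyRAT-specific signature: a DLL loaded from the same user-writable directory as a legitimate EXE (the thunder.exe / libexpat.dll sideload), an explorer.exe spawned by something other than its normal parents (the hollowing target), and the Windows Update service being set to disabled. The script below is an added example written for this page, not code from CloudSEK or from the malware; the Sysmon-style records it scans are constructed here, it assumes Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate) field names and the System log's Event ID 7040 service start-type change, and the extra library names and parent-process list beyond libexpat.dll are generic additions rather than anything the report attributes to Silver Fox.

```python
"""Hunt for the sideload -> hollowed explorer.exe -> disabled Windows Update chain.

Added example for this article. Records are constructed and mimic Sysmon EID 7
(ImageLoad), Sysmon EID 1 (ProcessCreate) and System EID 7040 (service start
type changed); the field names follow those events, the values are invented.
"""
from __future__ import annotations

import ntpath

# libexpat.dll is the name the report gives; the others are generic, commonly
# sideloaded library names added here as an assumption, not from the report.
COMMON_SIDELOAD_NAMES = {"libexpat.dll", "libcurl.dll", "version.dll", "libssl.dll"}

# Path fragments that indicate a location an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Processes that legitimately start explorer.exe on a workstation (assumed baseline).
EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def check_image_load(rec: dict) -> str | None:
    """Sysmon EID 7: DLL pulled from the EXE's own directory in a user-writable
    location, and either unsigned or carrying a commonly hijacked library name."""
    exe, dll = rec["Image"], rec["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return None
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if not (same_dir and is_user_writable(dll)):
        return None
    unsigned = rec.get("Signed", "false").lower() != "true"
    known_name = ntpath.basename(dll).lower() in COMMON_SIDELOAD_NAMES
    if unsigned or known_name:
        return f"sideload: {ntpath.basename(exe)} loaded {dll} (signed={not unsigned})"
    return None


def check_process_create(rec: dict) -> str | None:
    """Sysmon EID 1: explorer.exe with an abnormal parent is a candidate hollowing
    target (the Donut loader in this chain injects into a fresh explorer.exe)."""
    image = ntpath.basename(rec["Image"]).lower()
    parent = ntpath.basename(rec["ParentImage"]).lower()
    if image == "explorer.exe" and parent not in EXPLORER_PARENTS:
        return f"suspicious explorer.exe parent: {rec['ParentImage']}"
    return None


def check_service_change(rec: dict) -> str | None:
    """System EID 7040: Windows Update (wuauserv) start type changed to disabled."""
    if (rec.get("ServiceName", "").lower() == "wuauserv"
            and rec.get("NewStartType", "").lower() == "disabled"):
        return "Windows Update service (wuauserv) start type set to disabled"
    return None


# Event IDs from two different logs; in a real pipeline key on channel as well.
CHECKS = {7: check_image_load, 1: check_process_create, 7040: check_service_change}


def hunt(records: list[dict]) -> list[str]:
    """Run every applicable check and return the alerts in record order."""
    alerts = []
    for rec in records:
        check = CHECKS.get(rec["EventID"])
        hit = check(rec) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: two true positives per category mixed with benign noise.
SAMPLE_RECORDS = [
    {"EventID": 7,
     "Image": r"C:\Users\victim\AppData\Local\Temp\tax affairs\thunder.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\tax affairs\libexpat.dll",
     "Signed": "false"},
    {"EventID": 7,
     "Image": r"C:\Users\victim\AppData\Local\Temp\tax affairs\thunder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\tax affairs\thunder.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 7040, "ServiceName": "wuauserv", "NewStartType": "disabled"},
    {"EventID": 7040, "ServiceName": "Spooler", "NewStartType": "demand start"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_RECORDS):
        print(alert)
```

Each check alone is noisy: plenty of legitimate software ships unsigned DLLs beside its EXE, and administrators do disable wuauserv. The value is in the correlation: the same host producing a user-writable sideload, an explorer.exe with a downloader as parent and a Windows Update change within minutes is the pattern this chain leaves, so a real detection should join these hits on host and time window rather than alert on any one of them.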
Separately, NCC Group identified an exposed link management panel at ssl3[.]space that Silver Fox used to track download activity tied to malicious installers for popular applications, including Microsoft Teams. The panel exposed operational data such as the web pages serving the backdoored installers, daily click counts for the download buttons on the phishing pages, and cumulative click totals since launch.
Researchers found that Silver Fox created fraudulent download pages impersonating at least 20 widely used communications, VPN and productivity applications. The bogus sites identified in the analysis impersonated services including CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office and Youdao.
Analysis of IP addresses that clicked the download links revealed hundreds of interactions. NCC Group reported at least 217 clicks originating from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11) and Australia (7).
"Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps," researchers Dillon Ashmore and Asher Glue said. They added that the campaigns primarily target Chinese-speaking individuals and organisations in China, with infections dating back to July 2025 and additional victims across Asia-Pacific, Europe and North America.
The disclosure aligns with reporting from ReliaQuest, which attributed some activity by the group to a false-flag operation designed to mimic a Russian threat actor. ReliaQuest said the operator used Microsoft Teams-related lure sites to complicate attribution efforts, particularly in attacks targeting organisations in China.
CloudSEK and NCC Group observations underline a sustained, multi-faceted campaign that combines SEO poisoning, phishing and malicious installers to deliver modular backdoors and maintain persistence. The use of legitimate binaries for DLL sideloading, coupled with registry-resident modules and delayed beaconing, illustrates how operators are blending technical stealth with targeted social engineering to maintain access and expand capabilities.
Security teams and infrastructure owners continue to monitor activity tied to Silver Fox, as the campaign demonstrates both geographic reach and adaptability in targeting methods.