BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Silver Fox uses tax-themed phishing to deliver ValleyRAT now

Silver Fox deploys India tax-themed phishing to deliver ValleyRAT via NSIS installer, DLL hijacking and process hollowing; SEO-poisoned pages and an exposed link panel reveal hundreds of global clicks

  • Silver Fox is using India-themed tax phishing to spread the modular remote-access trojan ValleyRAT.
  • Attackers use decoy PDFs that download an NSIS installer which sideloads a rogue DLL and injects the RAT into a hollowed system process.
  • A link-management panel tracked by NCC Group shows SEO-poisoned pages and hundreds of clicks from multiple countries, confirming campaign scale.

Silver Fox, a cybercrime group active since 2022, has targeted users in India with income tax-themed phishing that delivers the remote-access trojan ValleyRAT, researchers reported in an analysis published last week by CloudSEK. “This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” the report said.

- Advertisement -

Phishing emails include PDF decoys that point victims to the “ggwk[.]cc” domain and trigger a ZIP download named “tax affairs.zip.” The archive contains an NSIS installer (a scriptable installer system) named “tax affairs.exe” that uses a legitimate Thunder executable (thunder.exe) to sideload a malicious DLL. DLL hijacking is an attack that forces a program to load a malicious library instead of the intended one.

The dropped DLL disables the Windows Update service, performs anti-analysis checks, and acts as a conduit for a Donut loader, which is an in-memory payload loader. The chain ends when the installer injects the final ValleyRAT payload into a hollowed explorer.exe process. Process hollowing is a technique where a legitimate process is replaced in memory by malicious code.

ValleyRAT connects to attacker-controlled servers and supports on-demand modules for tasks such as keylogging and credential theft. “Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK stated.

Separately, NCC Group identified an exposed link management panel (“ssl3[.]space”) used to track download activity for fake installers. The panel logged pages Hosting backdoor installers, daily click counts, and cumulative clicks. NCC analysts noted the attackers impersonated apps such as Microsoft Teams, OpenVPN, Signal, Telegram, and others, and recorded at least 217 clicks from China, 39 from the U.S., 29 from Hong Kong, 11 from Taiwan, and 7 from Australia. “Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America,” NCC Group said.

- Advertisement -

Researchers also linked the campaign to SEO poisoning that distributed backdoored installers for at least 20 common applications, as described by NCC researchers Dillon Ashmore and Asher Glue.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

IMF: Dollar stablecoins may amplify currency runs in fixed-rate economies

An IMF working paper by economist Brandon Joel Tan models how dollar stablecoins improve...

Japan Plans to Legalize Cryptocurrency ETFs, Minister Says

Japanese Finance Minister Satsuki Katayama announced plans to legalize cryptocurrency ETFs.ETFs let investors gain...

Robinhood enables AI agents for crypto trades in US

Robinhood will allow eligible US crypto traders to connect third-party AI agents for autonomous...

Musk directs Tesla to adopt Grok 4.5 for lower token costs

Elon Musk directed Tesla staff to adopt xAI's Grok 4.5, citing lower token costs...

Bitcoin Surges to $65K Amid Multiple Bullish Catalysts

Bitcoin rallied above $64,600 on July 10, climbing more than 15% from its July...

Must Read

12 Hosting Providers To Buy VPS With Bitcoin: An Expert Guide for 2026

You need a VPS. You want to pay with Bitcoin. Simple enough, right?Not quite. The market for crypto VPS = VPS hosting that accepts...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading