
Silver Fox uses tax-themed phishing to deliver ValleyRAT now

Silver Fox deploys India tax-themed phishing to deliver ValleyRAT via NSIS installer, DLL hijacking and process hollowing; SEO-poisoned pages and an exposed link panel reveal hundreds of global clicks

  • Silver Fox is using India-themed tax phishing to spread the modular remote-access trojan ValleyRAT.
  • Attackers use decoy PDFs that download an NSIS installer which sideloads a rogue DLL and injects the RAT into a hollowed system process.
  • A link-management panel tracked by NCC Group shows SEO-poisoned pages and hundreds of clicks from multiple countries, confirming campaign scale.

Silver Fox, a cybercrime group active since 2022, has targeted users in India with income tax-themed phishing that delivers the remote-access trojan ValleyRAT, researchers reported in an analysis published last week by CloudSEK. “This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” the report said.

Phishing emails include PDF decoys that point victims to the “ggwk[.]cc” domain and trigger a ZIP download named “tax affairs.zip.” The archive contains an NSIS installer (a scriptable installer system) named “tax affairs.exe” that uses a legitimate Thunder executable (thunder.exe) to sideload a malicious DLL. DLL hijacking is an attack that forces a program to load a malicious library instead of the intended one.

The dropped DLL disables the Windows Update service, performs anti-analysis checks, and acts as a conduit for a Donut loader, which is an in-memory payload loader. The chain ends when the installer injects the final ValleyRAT payload into a hollowed explorer.exe process. Process hollowing is a technique where a legitimate process is replaced in memory by malicious code.

ValleyRAT connects to attacker-controlled servers and supports on-demand modules for tasks such as keylogging and credential theft. “Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK stated.
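The chain above (lure domain, "tax affairs" archive and installer, thunder.exe sideloading a DLL, the Windows Update service being disabled, and explorer.exe being hollowed) can be turned into a small set of host-based detection rules. The script below is an added example, not CloudSEK's or NCC Group's detection logic and not anything from the campaign itself: it runs over constructed Sysmon-style event records (the paths, user name and DLL name are placeholders, not indicators) and applies the article's domains and file names as exact-match indicators plus three behavioural heuristics that do not depend on those indicators, so the same rules would fire if the lure changed but the technique did not.

```python
"""Detection sketch for the delivery chain described above: known domains and
file names from the article, plus behavioural rules for DLL sideloading by
thunder.exe, disabling the Windows Update service, and explorer.exe being
started by an unexpected parent (a hollowing indicator). The event records are
constructed, Sysmon-like samples, not real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators quoted in the article, kept defanged as published.
DEFANGED_DOMAINS = {"ggwk[.]cc", "ssl3[.]space"}
SUSPECT_FILES = {"tax affairs.zip", "tax affairs.exe"}

# Directories from which an installed program normally loads its DLLs.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# Processes that legitimately start explorer.exe on a workstation (assumed baseline).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}
# sc.exe invocations that stop, reconfigure or delete the Windows Update service.
WUAUSERV_CMD = re.compile(r"\bsc(?:\.exe)?\b.*\b(stop|config|delete)\b.*\bwuauserv\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'ggwk[.]cc' into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event; returns zero or more findings."""
    found: list[Finding] = []
    kind = ev["type"]
    image = basename(ev.get("image", ""))
    if kind == "dns" and ev["query"].lower() in KNOWN_DOMAINS:
        found.append(Finding("known-domain", f"{image} resolved {ev['query']}"))
    elif kind == "file_create" and basename(ev["path"]) in SUSPECT_FILES:
        found.append(Finding("suspect-file", f"{image} wrote {ev['path']}"))
    elif kind == "image_load":
        dll = ev["loaded"].lower().replace("/", "\\")
        # Sideloading heuristic: the Thunder binary pulling a DLL from a
        # directory an installed copy of Thunder would never load from.
        if image == "thunder.exe" and dll.endswith(".dll") and not dll.startswith(TRUSTED_DLL_DIRS):
            found.append(Finding("dll-sideload", f"thunder.exe loaded {ev['loaded']}"))
    elif kind == "process_create":
        parent = basename(ev["parent"])
        if image in SUSPECT_FILES:
            found.append(Finding("suspect-file", f"{parent} started {ev['image']}"))
        # Hollowing heuristic: explorer.exe is normally only started by logon components.
        if image == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
            found.append(Finding("explorer-unexpected-parent", f"{parent} started explorer.exe"))
        if WUAUSERV_CMD.search(ev.get("cmdline", "").lower()):
            found.append(Finding("windows-update-disabled", f"{image} ran {ev['cmdline']}"))
    elif kind == "registry_set":
        key = ev["key"].lower()
        # Start=4 is SERVICE_DISABLED; only the service control manager normally writes it.
        if key.endswith("\\services\\wuauserv\\start") and ev["value"] == "4" and image != "services.exe":
            found.append(Finding("windows-update-disabled", f"{image} set {ev['key']} to 4"))
    return found


def evaluate(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events; the user, temp directory and DLL name are placeholders.
TMP = "C:\\Users\\rk\\AppData\\Local\\Temp\\nsa1234.tmp\\"
MALICIOUS_EVENTS = [
    {"type": "dns", "image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", "query": "ggwk.cc"},
    {"type": "file_create", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "path": "C:\\Users\\rk\\Downloads\\tax affairs.zip"},
    {"type": "process_create", "image": "C:\\Users\\rk\\Downloads\\tax affairs.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": '"tax affairs.exe"'},
    {"type": "image_load", "image": TMP + "thunder.exe", "loaded": TMP + "placeholder.dll"},
    {"type": "registry_set", "image": TMP + "thunder.exe",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Start", "value": "4"},
    {"type": "process_create", "image": "C:\\Windows\\explorer.exe",
     "parent": TMP + "thunder.exe", "cmdline": "explorer.exe"},
]
BENIGN_EVENTS = [
    {"type": "image_load", "image": "C:\\Program Files\\Thunder\\thunder.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "process_create", "image": "C:\\Windows\\explorer.exe",
     "parent": "C:\\Windows\\System32\\userinit.exe", "cmdline": "explorer.exe"},
    {"type": "dns", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "query": "example.org"},
]

if __name__ == "__main__":
    for f in evaluate(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The indicator rules catch this specific campaign; the sideload, service-disable and explorer-parent rules are the ones worth keeping once the domain and file names rotate. Expect the explorer-parent rule to need tuning per environment, since some management tools restart the shell legitimately.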

Separately, NCC Group identified an exposed link management panel (“ssl3[.]space”) used to track download activity for fake installers. The panel logged the pages hosting backdoored installers, daily click counts, and cumulative clicks. NCC analysts noted the attackers impersonated apps such as Microsoft Teams, OpenVPN, Signal, Telegram, and others, and recorded at least 217 clicks from China, 39 from the U.S., 29 from Hong Kong, 11 from Taiwan, and 7 from Australia. “Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America,” NCC Group said.

Researchers also linked the campaign to SEO poisoning that distributed backdoored installers for at least 20 common applications, as described by NCC researchers Dillon Ashmore and Asher Glue.
