
The operation demonstrates a sophisticated, multi‑vector attack that can compromise Indian public and private sectors, highlighting the need for stronger email hygiene and endpoint controls. Its use of SEO poisoning and DLL sideloading expands the threat landscape for organizations relying on common productivity tools.
Silver Fox’s latest campaign illustrates how threat actors blend social engineering with advanced malware delivery. By masquerading as India’s Income Tax Department, the group exploits the trust placed in official communications, steering victims to a compromised domain that serves a zip archive. Inside, a Nullsoft Scriptable Install System (NSIS) installer co‑opts Thunder.exe, a legitimate download manager, and sideloads a malicious libexpat.dll. This DLL disables Windows Update, loads a Donut payload, and injects ValleyRAT into explorer.exe, achieving stealthy persistence and modular command‑and‑control capabilities.
The technical sophistication of the attack chain poses significant detection challenges. DLL sideloading and process hollowing bypass many traditional signature‑based defenses, while the use of anti‑analysis checks thwarts sandbox environments. ValleyRAT’s plugin‑oriented architecture allows operators to deploy targeted modules such as keyloggers or credential harvesters on demand, making each infection uniquely tailored. Security teams must therefore prioritize behavioral analytics, monitor for anomalous DLL loading patterns, and enforce strict application whitelisting to mitigate these evasive techniques.
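One concrete form of the "anomalous DLL loading" monitoring recommended above, as an added example that is not code from the report or from any vendor: it scans constructed Sysmon-style image-load (Event ID 7) records and flags the Thunder.exe / libexpat.dll pattern when the DLL is unsigned, sits in a user-writable folder, or is resolved side-by-side from outside an install root. The log format, field names, paths and the trusted-root policy are all assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style image-load (Event ID 7) records, one per line.
# Paths and signer names are illustrative, not indicators from the report.
SAMPLE_LOG = r"""
Image=C:\Users\victim\Downloads\ITR_Notice\Thunder.exe ImageLoaded=C:\Users\victim\Downloads\ITR_Notice\libexpat.dll Signed=false Signature=-
Image=C:\Program Files\Thunder\Thunder.exe ImageLoaded=C:\Program Files\Thunder\libexpat.dll Signed=true Signature=Example Vendor
Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\shell32.dll Signed=true Signature=Microsoft Windows
"""

RECORD = re.compile(r"Image=(.*?) ImageLoaded=(.*?) Signed=(\w+) Signature=(.*)$")
# Install roots where a side-by-side DLL load is expected (assumed policy).
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files")
# Path fragments that mark user-writable locations (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

def sideload_reasons(process: str, dll: str, signed: bool) -> List[str]:
    """Reasons an image load looks like DLL sideloading; empty list if clean."""
    proc_dir = ntpath.dirname(process).lower()
    dll_dir = ntpath.dirname(dll).lower()
    reasons = []
    if not signed:
        reasons.append("unsigned DLL")
    if any(frag in dll_dir + "\\" for frag in USER_WRITABLE):
        reasons.append("DLL loaded from user-writable directory")
    # Thunder.exe resolving libexpat.dll from its own folder is normal inside an
    # install root; the same pattern from a Downloads folder is the sideload.
    if dll_dir == proc_dir and not proc_dir.startswith(TRUSTED_ROOTS):
        reasons.append("side-by-side load outside trusted install roots")
    return reasons

def scan(log: str) -> Dict[str, List[str]]:
    """Map each flagged DLL path to its reasons; unflagged loads are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in log.strip().splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip malformed records rather than failing the scan
        process, dll, signed, _signer = m.groups()
        reasons = sideload_reasons(process, dll, signed.lower() == "true")
        if reasons:
            flagged[dll] = reasons
    return flagged

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_LOG).items():
        print(dll, "->", "; ".join(reasons))
```

Only the first record is flagged; the legitimately installed, signed copy of libexpat.dll and the ordinary explorer.exe load pass cleanly.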
Beyond the payload, Silver Fox’s broader strategy leverages SEO poisoning and a publicly exposed link‑management panel to amplify reach. By creating counterfeit download pages for popular apps like Microsoft Teams, VPN clients, and office suites, the group harvests clicks from a global audience—evidenced by hundreds of interactions from China, India, the U.S., and Europe. This underscores the importance of securing web assets, employing threat‑intel feeds to block known malicious domains, and educating users about the risks of unsolicited tax‑related attachments. Proactive threat hunting and timely patching of third‑party software remain critical defenses against such multi‑layered campaigns.