A series of cyber campaigns linked to the Silver Fox intrusion group has revealed a shift in tactics between 2025 and 2026, combining espionage-style operations with financially motivated cybercrime.
The campaigns, observed by cybersecurity firm Sekoia, targeted organizations across South Asia using phishing lures themed around tax authorities and financial documents, according to a recent threat intelligence report.
The researchers found that the group’s operations evolved across three distinct waves, moving from advanced malware delivery to remote management tools and later to a custom Python-based credential stealer disguised as a WhatsApp application.
Campaign Evolution and Techniques
Silver Fox initially used malicious PDF attachments in phishing emails impersonating national tax authorities. These emails were designed to trick finance staff into opening documents that deployed ValleyRAT malware through DLL side-loading techniques.
Later campaigns changed tactics. Instead of sending attachments directly, attackers used phishing websites that hosted downloadable archives containing malware or remote monitoring tools.
By early 2026, the group had shifted again, distributing a Python-based stealer designed to collect credentials and sensitive files.
Key characteristics of the campaigns included:
-
Phishing emails impersonating tax authorities or payroll departments
-
Use of SEO poisoning and malicious ads to distribute malware
-
Deployment of multiple tools, including ValleyRAT, HoldingHands and custom stealers
-
Targeting organizations across Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand and the Philippines
Dual Motives: Espionage and Profit
Researchers at Sekoia believe Silver Fox operates with dual objectives. Some campaigns appeared aligned with intelligence collection, particularly those targeting Taiwanese organizations during tax audit periods. Others were broader and more consistent with profit-driven cybercrime operations.
Read more on cyber espionage: Chinese Cyber Espionage Jumps 150%, CrowdStrike Finds
The group’s continued use of ValleyRAT alongside other tools suggests a modular approach that allows attackers to adapt quickly while maintaining long-term access to compromised systems. Meanwhile, the use of legitimate remote management software and simple credential stealers indicates ongoing financially motivated activity.
Despite changes in tools and delivery methods, the group’s core tactics remained consistent with tax and finance-themed phishing lures used as the primary entry method. These phishing messages allowed attackers to target multiple industries and sectors.
The report concluded that Silver Fox is likely maintaining both opportunistic cybercrime operations and more strategic campaigns, reflecting a broader trend where the line between cybercrime and state-linked cyber activity is increasingly blurred.
