Silver Fox Malware Uses Fake Tax Audits & Campaign Alerts

By Jennifer Sherman
April 28, 2026

The China-based threat group Silver Fox has launched a new wave of cyberattacks, targeting businesses and individuals across Asia. These operations leverage fake tax audit notifications and counterfeit software update alerts to install dangerous malware on victim systems.

The campaign reflects a sharp rise in socially engineered attacks that exploit the trust people place in official-looking messages and familiar software names.

Silver Fox has been active since at least 2022, but the group has grown far more aggressive over the past two years.

What started as financially motivated attacks against users in China has now expanded into a dual-purpose operation, running both espionage and profit-driven campaigns at the same time.

The group gradually shifted its focus to Taiwan and Japan before pushing further into Southeast Asia in 2025, targeting users in Malaysia, Indonesia, Singapore, Thailand, and the Philippines. 

S2W analysts and researchers identified the group’s updated tactics in a detailed threat group profile published in April 2026, noting that Silver Fox had significantly evolved its phishing methods to match local tax seasons and regional software habits.

The report highlighted how the group impersonated the National Tax Bureau to target Taiwan-based users, timing its phishing emails to coincide with the local tax audit period to make them appear more convincing and urgent.

The attackers do not rely on just one trick. Silver Fox builds its campaigns around carefully crafted emails that look like official tax audit notices or routine software update reminders.

If a target opens the email, they may encounter a disguised shortcut file or an Office document with hidden macros, both designed to quietly trigger a malware download without the user realizing it.

The campaign has also been observed pulling second-stage payloads from cloud storage infrastructure. These are followed by the installation of a remote management tool signed by a seemingly legitimate company, which gives the attackers persistent access and a channel for pulling data out of the network.

The targets are no longer limited to everyday users. Silver Fox has expanded its focus to medical institutions, financial companies, and corporate environments, making this a serious threat for organizations that handle sensitive data on a daily basis.

Infection Chain and Persistence Tactics

The full infection chain used by Silver Fox reveals how much effort the group puts into staying hidden and maintaining long-term access.

After gaining initial entry through phishing, the attackers deploy a range of malware tools including ValleyRAT, AtlasCross RAT, and the Catena loader.

These tools work together to establish persistence, communicate with remote servers, and move laterally within the compromised network.

One of the most concerning techniques used by the group is the Bring Your Own Vulnerable Driver (BYOVD) method.

Silver Fox loads older, legitimately signed Windows drivers that contain known security flaws, then exploits those flaws to disable antivirus and endpoint detection and response (EDR) tools running on the victim machine.

By operating at the kernel level, these attacks effectively blind standard security software, allowing the malware to execute without raising any alerts.

This approach reflects deep technical capability and shows the group operates with clear planning and intention.

After February 2026, researchers also confirmed that the group deployed a Python-based information stealer that collected sensitive files and uploaded them to attacker-controlled servers.

The malware left traces in WhatsApp backup folders and communicated with remotely hosted upload scripts, pointing to a focused and deliberate effort to harvest both personal and organizational data.

Organizations facing this threat are strongly advised to tighten controls around email filtering and domain monitoring to catch spoofed addresses early.

Security teams should enforce policies that block known-vulnerable Windows drivers from loading, and should confirm that their EDR tools are protected against tampering from kernel level, since a driver-based attack targets exactly that layer.

Applying application whitelisting helps limit which programs can run on endpoints. Employees in finance, healthcare, and corporate environments should undergo regular phishing awareness training, particularly during tax season when these attacks tend to spike.
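As an added illustration of the BYOVD technique described above and of the driver-blocking advice here (example code written for this article, not Silver Fox tooling, S2W's code or any vendor's product), the script below triages Sysmon driver-load events (Event ID 6) the way a detection engineer would. It flags three things: a driver whose SHA256 appears on a vulnerable-driver blocklist even though its signature is valid (the BYOVD case, where a good signature proves nothing), a driver loaded from a user-writable directory, and an unsigned driver. The Sysmon field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real; the sample events and the blocklist hash are constructed placeholders.

```python
"""Triage Sysmon driver-load events (Event ID 6) for BYOVD indicators.

Added example for this article; not Silver Fox tooling or any vendor's code.
The event records and the blocklist hash below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed placeholder blocklist. In practice, populate this from Microsoft's
# recommended driver block rules or a vetted internal list of driver hashes.
KNOWN_VULNERABLE_SHA256 = {
    "1" * 64,  # placeholder hash of a hypothetical signed-but-vulnerable driver
}

# Kernel drivers normally live under System32\drivers; a load from a
# user-writable directory is a strong signal on its own.
WRITABLE_PATH_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed Sysmon Event ID 6 records using the real Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Validly signed by a third-party vendor, but the hash is blocklisted and the
    # file sits in a user-writable folder: the BYOVD pattern.
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\oldav.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\upd\tool.sys",
     "Hashes": "SHA256=" + "2" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    # A non-driver event (image load, ID 7) that the triage must ignore.
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


@dataclass
class Finding:
    image: str
    reasons: list[str]


def parse_hashes(hashes_field: str) -> dict[str, str]:
    """Turn Sysmon's 'SHA1=...,SHA256=...' string into {'sha1': ..., 'sha256': ...}."""
    out: dict[str, str] = {}
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().lower()] = value.strip().lower()
    return out


def triage_event(event: dict) -> Finding | None:
    """Return a Finding for a suspicious driver load, or None if nothing stands out."""
    if event.get("EventID") != 6:
        return None
    image = event.get("ImageLoaded", "")
    lowered = image.lower()
    reasons: list[str] = []

    # 1. Blocklist match: catches legitimately signed drivers with known flaws.
    sha256 = parse_hashes(event.get("Hashes", "")).get("sha256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches vulnerable-driver blocklist")

    # 2. Unusual location: drivers dropped by a phishing payload rarely land in System32.
    if any(hint in lowered for hint in WRITABLE_PATH_HINTS):
        reasons.append("loaded from user-writable path")

    # 3. Missing or invalid signature.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")

    return Finding(image, reasons) if reasons else None


def triage(events: list[dict]) -> list[Finding]:
    """Run triage_event over a batch of events and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.image}: {'; '.join(finding.reasons)}")
```

The second sample event is the one worth studying: it passes every signature check, so an allowlist keyed on "signed by a trusted CA" would let it through. Only the hash blocklist (or a policy such as Microsoft's vulnerable driver block rules enforced by the OS) stops it, which is why the advice above pairs driver blocking with tamper-protected EDR rather than relying on either alone.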

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
