Silver Fox Expands Winos 4.0 (ValleyRAT) and HoldingHands RAT Cyber Attacks to Japan and Malaysia
Rescana, Oct 19

Executive Summary
The advanced persistent threat group known as Silver Fox has significantly escalated its cyber-espionage operations by expanding the deployment of the Winos 4.0 malware platform and the HoldingHands RAT to new geographies, specifically targeting organizations in Japan and Malaysia. Previously focused on China and Taiwan, Silver Fox now leverages highly sophisticated phishing campaigns, SEO poisoning, and advanced persistence and evasion techniques to compromise government, financial, and enterprise targets. The group’s latest campaigns demonstrate a marked increase in technical sophistication, including the use of custom shellcode loaders, privilege escalation via TrustedInstaller impersonation, and dynamic command-and-control (C2) infrastructure. This report provides a comprehensive technical analysis of the attack chain, the malware’s capabilities, observed tactics, techniques, and procedures (TTPs), and actionable recommendations for detection and mitigation.
Threat Actor Profile
Silver Fox (also tracked as SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne) is a Chinese-speaking cybercrime and espionage group with a history of targeting East Asian financial, governmental, and technology sectors. The group is known for its rapid adaptation of public and custom malware, including Winos 4.0 (also known as ValleyRAT) and HoldingHands RAT (a variant of Gh0st RAT). Silver Fox demonstrates a high degree of operational security, frequently rotating infrastructure and employing anti-analysis techniques. Their campaigns are characterized by the use of highly localized lures, often mimicking official government communications or popular software brands, and by the deployment of multi-stage infection chains designed to evade detection and maintain long-term persistence.
Technical Analysis of Malware/TTPs
The latest Silver Fox campaigns utilize a multi-layered infection chain, beginning with spearphishing emails or SEO-poisoned websites. Initial access is typically achieved through malicious PDF or Excel documents masquerading as Ministry of Finance communications or tax regulation drafts. These documents contain embedded links to attacker-controlled sites, such as twsww[.]xin/download[.]html, which deliver ZIP archives containing the malware payload.
Upon execution, the infection chain proceeds as follows: a malicious executable or document sideloads a custom DLL loader, which in turn loads encrypted shellcode from files such as msvchost.dat. The loader performs extensive anti-virtualization and anti-antivirus checks, terminating execution if products like Avast, Norton, or Kaspersky are detected. If the environment is deemed safe, the loader escalates privileges by enabling SeDebugPrivilege and impersonating the Winlogon process, ultimately adopting the TrustedInstaller token to bypass Windows file protection and rename system DLLs.
Persistence is established by dropping multiple files into C:\Windows\System32, including svchost.ini (containing the RVA for VirtualAlloc), TimeBrokerClient.dll (renamed as BrokerClientCallback.dll), msvchost.dat (encrypted shellcode), system.dat (encrypted payload), and wkscli.dll (unused in current campaigns). The malware leverages Windows Task Scheduler recovery mechanisms to ensure the malicious DLL is loaded by svchost.exe on reboot or crash.
The final payload, HoldingHands RAT, is decrypted and injected into memory. This remote access trojan establishes a persistent C2 channel, sending host information and periodic heartbeats every 60 seconds. It supports a wide range of attacker commands, including arbitrary code execution, file download and execution, data exfiltration (screenshots, clipboard, and system metadata), and dynamic C2 address updates via the Windows Registry. The RAT is designed to evade detection by disabling or evading endpoint security tools, terminating security processes, and remaining dormant until activated by the attacker.
The campaign also employs SEO poisoning to distribute Winos 4.0 via fake websites impersonating popular software such as Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek. These sites deliver trojanized installers that initiate the same infection chain described above.
Exploitation in the Wild
Silver Fox’s latest campaigns have been observed targeting organizations in Japan and Malaysia, in addition to ongoing operations in China and Taiwan. The group employs highly localized phishing lures, such as tax-themed documents and fake Ministry of Finance communications, to increase the likelihood of user interaction. In one notable campaign, dubbed "Operation Silk Lure," attackers targeted Chinese fintech, cryptocurrency, and trading firms using .LNK files embedded in resumes to deliver Winos 4.0. The C2 infrastructure for these campaigns is frequently rotated and has been observed hosted in the United States and other jurisdictions.
The group’s use of DLL sideloading, BYOVD (Bring Your Own Vulnerable Driver) techniques, and the public Gh0st RAT codebase (active since 2008) demonstrates a blend of custom development and adaptation of open-source tools. Recent exploits include the use of the WatchDog Anti-malware driver to disable endpoint security, further complicating detection and response efforts.
Victimology and Targeting
Silver Fox primarily targets organizations in the financial, government, and technology sectors, with a recent focus on entities in Japan and Malaysia. The group’s phishing lures are tailored to local languages and regulatory contexts, increasing their effectiveness. Victims are typically selected based on their access to sensitive financial or governmental data, with a secondary focus on organizations involved in cryptocurrency and trading platforms. The group’s operations are characterized by a high degree of selectivity and operational security, minimizing collateral infections and maximizing the value of exfiltrated data.
Mitigation and Countermeasures
Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by Silver Fox and similar threat actors. Key recommendations include:
- Continuous monitoring for the indicators of compromise (IOCs) detailed in this report, including malicious URLs such as twsww[.]xin/download[.]html, dropped files in C:\Windows\System32 (notably svchost.ini, TimeBrokerClient.dll, msvchost.dat, system.dat, and wkscli.dll), and suspicious scheduled tasks or DLL sideloading activity.
- Investigation of any unauthorized privilege escalations, especially those involving SeDebugPrivilege or TrustedInstaller impersonation, and review of endpoint logs for connections to suspicious domains or evidence of C2 activity.
- Ensuring all endpoint security software is up to date and monitoring for attempts to disable or uninstall antivirus products, particularly Avast, Norton, and Kaspersky.
- User education and awareness training to recognize and report phishing emails, especially those purporting to be from government agencies or containing tax-related content.
- Implementation of application whitelisting, least privilege principles, and regular review of scheduled tasks and system DLLs for unauthorized modifications.
- Utilization of advanced endpoint detection and response (EDR) solutions capable of detecting in-memory threats, shellcode injection, and anomalous process behavior.
- Engagement with threat intelligence services to receive timely updates on emerging TTPs and IOCs associated with Silver Fox and related malware families.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and risk analytics empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and data.
For further information or to discuss this advisory in detail, we are happy to answer questions at ops@rescana.com.