Silver Fox, a China-based threat group, has launched a new wave of attacks across Asia, using fake tax audit notifications and counterfeit software update alerts to deliver malware onto victim systems. The campaign relies on official-looking messages and familiar software names to deceive users, reflecting a sharper turn toward socially engineered cyberattacks.
Silver Fox Expands Beyond Earlier Targets
Silver Fox has been active since at least 2022, but the group has grown more aggressive over the past two years. What began as financially motivated attacks against users in China has evolved into a dual-purpose operation, combining espionage with profit-driven campaigns.
The group later shifted its focus to Taiwan and Japan before moving further into Southeast Asia in 2025. The targets identified in the report include users in Malaysia, Indonesia, Singapore, Thailand and the Philippines.
S2W analysts and researchers identified the group’s updated tactics in a threat group profile published in April 2026. The report noted that Silver Fox had significantly changed its phishing methods to align with local tax seasons and regional software habits.
Fake Tax Notices and Software Alerts Used as Lures
The campaign reportedly impersonated the National Tax Bureau to target Taiwan-based users, timing phishing emails around the local tax audit period to make them appear more convincing and urgent.
The attackers do not rely on a single method. Silver Fox builds campaigns around carefully crafted emails that resemble official tax audit notices or routine software update reminders. If a target opens the email, they may encounter a disguised shortcut file or an Office document with hidden macros, both designed to quietly trigger a malware download.
The campaign has also been observed delivering second-stage payloads from cloud storage infrastructure. This is followed by the installation of a remote management tool signed by a seemingly legitimate company, allowing attackers to maintain persistent access and extract data from inside a network.
Persistent Access and Driver-Based Evasion
The targets are no longer limited to everyday users. Silver Fox has expanded its focus to medical institutions, financial companies and corporate environments, increasing the risk for organisations that handle sensitive data daily.
The infection chain used by Silver Fox shows a sustained effort to remain hidden and maintain long-term access. After gaining initial entry through phishing, attackers deploy malware tools including ValleyRAT, AtlasCross RAT and the Catena loader. These tools help establish persistence, communicate with remote servers and move laterally within compromised networks.
One of the more concerning techniques described in the report is the Bring Your Own Vulnerable Driver method. Silver Fox loads older, legitimately signed Windows drivers with known security flaws and exploits them to disable antivirus and endpoint detection and response tools on victim machines. By operating at the kernel level, the attacks can blind standard security software and allow malware to execute without raising alerts.
Researchers also confirmed that after February 2026, the group deployed a Python-based information stealer that collected sensitive files and uploaded them to attacker-controlled servers.
The malware left traces in WhatsApp backup folders and communicated with remotely hosted upload scripts, indicating a deliberate attempt to harvest both personal and organisational data.
Organisations facing the threat have been advised to strengthen email filtering, monitor spoofed domains, block vulnerable Windows drivers, ensure kernel-level EDR protection, apply application whitelisting and train employees in finance, healthcare and corporate environments to recognise phishing attempts during tax season.
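The driver-abuse technique described above and the advice to block vulnerable drivers both come down to watching what the kernel loads. The following is an added example, not code from the report or from S2W: a small triage pass over constructed Sysmon Event ID 6 (DriverLoad) style records that flags the patterns a Bring Your Own Vulnerable Driver attack produces. Every hash, path and blocklist entry is a placeholder; a real deployment would feed in Microsoft's vulnerable driver blocklist or a similar hash list instead of BLOCKLIST.

```python
from dataclasses import dataclass

# Placeholder SHA256 values standing in for known-vulnerable signed drivers (constructed).
BLOCKLIST = {
    "1111" * 16: "placeholder vulnerable driver A",
    "2222" * 16: "placeholder vulnerable driver B",
}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # where legitimate drivers normally live

# Constructed log lines in Sysmon's key=value style, one DriverLoad event per line.
SAMPLE_LOG = """\
ImageLoaded=C:\\Windows\\System32\\drivers\\netio.sys|Hashes=SHA256={ok}|Signed=true|SignatureStatus=Valid
ImageLoaded=C:\\Users\\Public\\upd.sys|Hashes=SHA256={bad}|Signed=true|SignatureStatus=Valid
ImageLoaded=C:\\Temp\\tool.sys|Hashes=SHA256={unk}|Signed=false|SignatureStatus=Unavailable
""".format(ok="0" * 64, bad="1111" * 16, unk="ab" * 32)


@dataclass
class Finding:
    image: str
    reason: str


def parse_event(line):
    """Split 'k=v|k=v' into a dict; the Hashes value keeps its own inner '='."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def sha256_of(event):
    """Pull the SHA256 entry out of Sysmon's comma-separated Hashes field."""
    for part in event.get("Hashes", "").split(","):
        if part.startswith("SHA256="):
            return part[len("SHA256="):].lower()
    return ""


def triage(log_text):
    """Return findings in log order; a clean, signed, in-place driver yields none."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image, sha = ev["ImageLoaded"], sha256_of(ev)
        if sha in BLOCKLIST:  # a valid signature does not help here: the driver itself is the weakness
            findings.append(Finding(image, "blocklisted: " + BLOCKLIST[sha]))
        elif ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            findings.append(Finding(image, "unsigned or invalid signature"))
        elif not image.lower().startswith(DRIVER_DIR):
            findings.append(Finding(image, "signed driver loaded from unusual path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.reason, "->", f.image)
```

The blocklist check runs before the signature check on purpose: the drivers this campaign abuses carry valid signatures, so signature status alone would pass them.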