Kill Chain | Image: CloudSEK
As tax season approaches, a sophisticated cyber-espionage campaign is targeting Indian organizations with highly convincing phishing lures. While initially mistaken for a familiar adversary, a new intelligence report from CloudSEK’s TRIAD has identified the true culprit: the Silver Fox APT, a China-linked threat group now expanding its reach into the Indian subcontinent.
The campaign is notable not just for its “Income Tax” themed deception, but for the critical correction in attribution it represents.
For months, similar campaigns were attributed to SideWinder, an India-aligned threat group. However, CloudSEK’s analysis argues that this conclusion contradicted basic logic.
“Attributing this campaign to SideWinder APT (India-aligned) contradicts basic victimology and creates systemic confusion,” the report states. Why would an India-aligned group attack Indian entities with such aggression?
CloudSEK stresses that getting the name right isn’t just academic—it’s operational. “Attribution accuracy is critical to threat intelligence; it enables defenders to predict adversary behavior and deploy targeted countermeasures”.
The consequences of getting it wrong can be severe. “Misattribution from trusted sources propagates through threat feeds and detection systems, causing organizations to focus on the wrong threat while the actual adversary operates undetected”.
The attack begins with a spear-phishing email that appears to come from a legitimate entity, such as “TOPSOE India Private Limited.” Attached is a ZIP file named tax affairs.zip, containing what users believe is an urgent tax document.
“We found an interesting email uploaded from India with just an attachment called ‘TOPSOE India Private Limited’. The PDF looked like an official Income Tax Department document”.
However, the “PDF” is a decoy: the ZIP archive actually contains a malicious executable (tax affairs.exe). Once run, it deploys Valley RAT, a potent remote access trojan that grants the attackers full control over the victim’s machine.
The malware doesn’t just run; it burrows deep into the system. The infection chain involves process hollowing, a technique where malicious code is injected into legitimate processes to hide from antivirus software.
According to the analysis, the attack flow moves from the initial executable to a malicious DLL (libexpat.dll) and eventually injects code into standard Windows processes like Thunder.exe and explorer.exe. This stealthy maneuver allows the Valley RAT to communicate with its command-and-control (C2) server (b.yuxuanow.top:443) without raising alarms.
The attackers have built a robust infrastructure to support their masquerade. CloudSEK identified a network of malicious domains—including itdd.club, gov-a.work, and govk.club—all hosted on the same IP addresses.
These sites are meticulously designed to fool victims. They feature favicons and titles like “Tax Notice,” “Inland Revenue,” and even the Hindi translation “कर नोटिस” to add a layer of authenticity.
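A defender-side triage of the chain described above (the tax affairs.exe dropper, the libexpat.dll load, injection into explorer.exe or Thunder.exe, and the C2 callback) together with the domains listed, as an added example that is not from the CloudSEK report; the Sysmon-style event names, host names and log lines are constructed for illustration.

```python
import json
from collections import defaultdict

# Indicators quoted in the CloudSEK findings summarised in the article above.
DROPPER_NAMES = {"tax affairs.exe"}
SIDELOADED_DLL = "libexpat.dll"
HOLLOWING_TARGETS = {"thunder.exe", "explorer.exe"}
C2_HOSTS = {"b.yuxuanow.top", "itdd.club", "gov-a.work", "govk.club"}

# Constructed Sysmon-style JSON lines (sample input, not real telemetry).
SAMPLE_LOG = r"""
{"host":"fin-pc-07","event":"process_create","pid":4120,"image":"C:\\Users\\a\\Temp\\tax affairs.exe"}
{"host":"fin-pc-07","event":"image_load","pid":4120,"image_loaded":"C:\\Users\\a\\Temp\\libexpat.dll"}
{"host":"fin-pc-07","event":"remote_thread","source_pid":4120,"target_image":"C:\\Windows\\explorer.exe"}
{"host":"fin-pc-07","event":"network_connect","pid":4120,"dest_host":"b.yuxuanow.top","dest_port":443}
{"host":"hr-pc-02","event":"process_create","pid":880,"image":"C:\\Program Files\\Adobe\\Acrobat.exe"}
{"host":"hr-pc-02","event":"network_connect","pid":880,"dest_host":"update.example.com","dest_port":443}
{"host":"ops-pc-11","event":"network_connect","pid":1502,"dest_host":"govk.club","dest_port":443}
"""

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(log_text):
    """Map each host to the chain stages observed and a confidence label.

    Stages: dropper -> dll_sideload -> injection -> c2. The DLL stage only
    counts when the loading pid is one that ran the dropper on that host.
    """
    stages, dropper_pids = defaultdict(set), defaultdict(set)
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        host, kind = ev["host"], ev["event"]
        if kind == "process_create" and basename(ev["image"]) in DROPPER_NAMES:
            dropper_pids[host].add(ev["pid"])
            stages[host].add("dropper")
        elif (kind == "image_load" and basename(ev["image_loaded"]) == SIDELOADED_DLL
              and ev["pid"] in dropper_pids[host]):
            stages[host].add("dll_sideload")
        elif kind == "remote_thread" and basename(ev["target_image"]) in HOLLOWING_TARGETS:
            stages[host].add("injection")
        elif kind == "network_connect" and ev["dest_host"].lower() in C2_HOSTS:
            stages[host].add("c2")
    # A single stage (e.g. one C2 lookup) deserves a look; three or more is the chain.
    return {h: {"stages": sorted(s), "confidence": "high" if len(s) >= 3 else "medium"}
            for h, s in stages.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, verdict)
```

The thresholds are a starting point: the injection stage fires on any remote thread into explorer.exe, so in production it should be tied back to the dropper's pid as the DLL stage already is.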
By correctly pinning this activity on Silver Fox, defenders can now pivot their strategies to block the specific tactics, techniques, and procedures (TTPs) of this Chinese APT, rather than wasting resources defending against a misidentified threat.