A new report from Sekoia's Threat Detection & Research (TDR) team has pulled back the curtain on Silver Fox (also known as Void Arachne), a China-based intrusion set that is redefining the “dual-threat” model in modern cybersecurity. While the group has been active since at least 2022, researchers have observed a dramatic shift throughout 2025 and early 2026, as the group balances sophisticated state-sponsored espionage with aggressive, profit-driven campaigns across South Asia.
Silver Fox has demonstrated remarkable agility in its tooling, transitioning through three distinct waves of attack methods to maintain a low profile and bypass modern defenses.
Starting in January 2025, the group targeted Taiwanese entities by exploiting a national tax audit window. Using highly convincing phishing emails, they delivered ValleyRAT, their primary modular backdoor, via malicious PDF attachments. This phase was marked by its strategic alignment with geopolitical tensions, as the lures mimicked official Ministry of Finance announcements.
By late 2025, the group shifted tactics to abuse a legitimate but misconfigured Chinese Remote Monitoring and Management (RMM) tool. This version of the campaign was more “geographically diverse,” expanding its reach to the Philippines, Thailand, Indonesia, Singapore, and India.
Most recently, in February 2026, Silver Fox has been seen deploying a custom Python-based stealer disguised as a WhatsApp application. This stealer is designed to collect credentials and sensitive data, facilitating secondary crimes like Business Email Compromise (BEC) and data resale.
The hallmark of Silver Fox is its reliance on “culturally relevant lures that impersonate national taxation authorities or payroll documents to gain initial access”. By inciting fear or curiosity through official-looking tax audit warnings, the group successfully entices victims to bypass their own security instincts.
As Sekoia TDR notes:
“The threat actor shifted toward a more generalised ‘financial-thematic’ approach, leveraging tax and accounting lures as a sector-agnostic baseline for maintaining a persistent initial access method”.
Silver Fox’s ability to run “broad, opportunistic campaigns alongside its more sophisticated operations” makes them a unique threat to the region. While they use “advanced backdoors like ValleyRAT” for high-value targets, they continue to conduct “opportunistic, lucrative campaigns” for financial gain.

Geographic Reach of Recent Campaigns:
- Taiwan & Mainland China (Initial Focus)
- Japan & Malaysia (Expanded Targeting)
- India, Singapore, Thailand, Philippines, & Indonesia

To counter Silver Fox, organizations in South Asia should:
- Audit RMM Tools: Monitor for the use of unauthorized or misconfigured Remote Monitoring and Management software.
- Verify Tax Communications: Train finance teams to independently verify any “urgent” audit notifications from national tax authorities.
- Monitor Python Executables: Watch for suspicious Python-compiled binaries running in user %TEMP% directories, especially those mimicking popular communication apps.
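
One way to turn the last recommendation into a triage rule, as an added example that is not taken from the Sekoia report or this article: it flags processes whose image runs from the per-user temp directory and loads a bundled CPython runtime, and raises severity when the file name imitates a messaging app. The event shape (`image`, `loaded_modules`), the sample events and the watch list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: names to watch for; the article names only WhatsApp.
MIMICKED_APPS = ("whatsapp",)
# Per-user temp directory, i.e. what %TEMP% normally expands to on Windows.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# A bundled CPython runtime shows up as a python3xx.dll image load.
PY_DLL_RE = re.compile(r"\\python3\d*\.dll$", re.IGNORECASE)


def classify(event):
    """Return 'high', 'medium' or None for one process event."""
    image = event["image"]
    runs_from_temp = TEMP_RE.search(image) is not None
    loads_python = any(PY_DLL_RE.search(m) for m in event.get("loaded_modules", []))
    if not (runs_from_temp and loads_python):
        return None
    # Binary in %TEMP% with a Python runtime: escalate if it poses as a chat app.
    stem = PureWindowsPath(image).stem.lower()
    return "high" if any(app in stem for app in MIMICKED_APPS) else "medium"


def triage(events):
    """Return (severity, image) pairs for flagged events, 'high' first."""
    hits = [(classify(e), e["image"]) for e in events]
    return sorted((h for h in hits if h[0]), key=lambda h: h[0] != "high")


# Constructed sample events (hypothetical shape: image path plus loaded DLLs).
EVENTS = [
    {"image": r"C:\Users\carol\AppData\Local\Temp\updater.exe",
     "loaded_modules": [r"C:\Users\carol\AppData\Local\Temp\x\python310.dll"]},
    {"image": r"C:\Program Files\WhatsApp\WhatsApp.exe",
     "loaded_modules": [r"C:\Windows\System32\kernel32.dll"]},
    {"image": r"C:\Users\alice\AppData\Local\Temp\WhatsApp_Setup.exe",
     "loaded_modules": [r"C:\Users\alice\AppData\Local\Temp\y\python311.dll"]},
    {"image": r"C:\Python311\python.exe",
     "loaded_modules": [r"C:\Python311\python311.dll"]},
]

if __name__ == "__main__":
    for severity, image in triage(EVENTS):
        print(severity, image)
```

Developer workstations that legitimately run Python-packaged tools from temp paths will produce medium hits, so an allow list of known signers or hashes is a sensible next filter.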