Something strange showed up in Taiwan. FortiGuard Labs spotted it – phishing aimed at local groups by a crew called Silver Fox. Not random hits; these were carefully picked.
They relied on two quiet techniques: planting malicious DLLs for legitimate applications to load (DLL side-loading) and loading their own vulnerable, validly signed drivers (BYOVD). That opened doors. Through them crept Winos 4.0, the same malware some track as ValleyRat.
The bait? Files that looked like taxes or digital receipts. Click one, and Windows started doing things it should not.
Out of nowhere, tax-themed emails start showing up across Taiwan, quietly linked to a hacking crew called Silver Fox APT. This team, believed to work with Chinese interests, doesn’t shout – it slips in through clever invoice lures that feel real enough to fool locals.
Instead of crashing systems quickly, it moves slowly and targets only Windows machines with precision. Once inside, files get locked down tight while stolen info fuels deeper attacks later on.
Even when caught, its tools hide well by reaching deep into system kernels, making removal tough. High risk remains simply because it adapts faster than defenses can keep up.
For over sixty days, FortiGuard tracked these attacks as the operators rotated domains and cloud servers to avoid detection. This churn overwhelms static, indicator-only security layers.
The payloads arrive via LNK shortcuts and hidden DLL execution, while attackers bring their own vulnerable drivers, such as wsftprm.sys, to gain control.
Campaign One: LNK in Tax RAR
A file named taxIs_RX3001.rar arrives as paperwork but contains a malicious shortcut. Instead of opening anything real, the LNK launches cmd.exe from System32 with obfuscated arguments, and a staging directory is created under %public%\501 where activity begins quietly.
Into this directory, curl.exe is dropped under the name url.exe. From there it fetches the next stage, Setup64.exe, straight from bqdrzbyq.cn. Each piece does just enough to stay unseen.
To evade name-based scanning, the payload masquerades as DeviceCredentialDeployment.exe. Run through Setup64.exe, the hidden code lands in C:\ProgramData\Golden, the final steps toward ValleyRat and the driver execution that follows. Files settle there, tucked away, building access point by point.
Campaign Two: Abusing DLL Loading Behavior
Fake emails pretend to be government papers, attaching links such as taxfnat.tw – these lead to Chinese cloud storage holding RAR files. One case had E-Invoice.rar pulled from volces.com servers. Instead of using LNK files, attackers now hide DLLs inside compressed folders. Normal programs then load those hidden parts without warning.
The DLL's PDB path contains the project name “大馬專案(二)”, linking it to other operations. The driver load and C2 match the first wave, although some C2 traffic moved to 154.91.64.246, which points to ongoing tweaks.
Payload Deep Dive
Winos 4.0 first checks its privilege level. If it is not running with administrator rights, it bypasses UAC with the BypassUACViaDebugObject technique, which works through computerdefaults.exe over RPC. The driver activity and the list of antivirus paths it targets are hidden behind Base64 encoding.
A Topaz driver named wsftprm.sys, version 2.0.0.0, carries a valid signature. Through BYOVD, it gets loaded into the system. Instead of calling standard functions, it pulls routines such as NtLoadDriver straight from ntdll.
It reads the VulnerableDriverBlocklistEnable value from the registry and chooses one of two loading routes accordingly. Error messages are displayed as GBK-encoded Chinese text.
Kernel access lets it terminate security products such as 360, Defender and Trend Micro; the full list is hardcoded and double-Base64-encoded. The C2 is 47.76.86.151 (Base64: TkRjdU56WXVPRFl1TVRVeA==). It downloads 上线模块.dll, then plugins stored in the registry: file management, screen capture, system control.
Fresh start each time – plugins live only in memory, never touching storage.
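The execution chain above (Explorer-launched cmd.exe staging into %public%\501, curl.exe renamed to url.exe, payloads running from C:\ProgramData\Golden, computerdefaults.exe spawning children during the UAC bypass, and the wsftprm.sys driver load) can be turned into host-based detection logic. The following is an added example, not FortiGuard's or Fortinet's code: it runs five rules over constructed Sysmon-style events (EventID 1 process creation, EventID 6 driver load). The staging paths, driver name and tool names come from the page; the event records themselves are constructed for the example.

```python
"""Host-based detection rules for the Silver Fox / Winos 4.0 chain, run over
constructed Sysmon-style events (added example; field names follow Sysmon)."""
import ntpath
import re

# Staging directories named on the page.
STAGING_DIRS = (r"c:\users\public\501", r"c:\programdata\golden")
# Known-vulnerable driver named on the page (BYOVD).
VULNERABLE_DRIVERS = ("wsftprm.sys",)
# Built-in tools whose on-disk name should normally equal the PE OriginalFileName.
RENAME_WATCH = ("curl.exe",)


def _base(path):
    """Lower-cased file-name component of a Windows path ('' for None)."""
    return ntpath.basename(path or "").lower()


def check_event(ev):
    """Return the list of rule names that fire for one event dict."""
    hits = []
    image = (ev.get("Image") or "").lower()
    parent = (ev.get("ParentImage") or "").lower()
    cmdline = (ev.get("CommandLine") or "").lower()
    orig = (ev.get("OriginalFileName") or "").lower()

    if ev.get("EventID") == 1:
        # Rule 1: a shortcut opened from Explorer starts cmd.exe, which creates
        # a working directory under the public profile (%public%\501 on the page).
        if (_base(parent) == "explorer.exe" and _base(image) == "cmd.exe"
                and re.search(r"\b(mkdir|md)\b", cmdline)
                and ("%public%\\" in cmdline or "\\users\\public\\" in cmdline)):
            hits.append("lnk_shell_public_staging")
        # Rule 2: renamed built-in tool (curl.exe dropped as url.exe). Sysmon's
        # OriginalFileName comes from the PE version resource, not the file name.
        if orig in RENAME_WATCH and _base(image) != orig:
            hits.append("renamed_lolbin")
        # Rule 3: anything executing from the campaign's staging directories.
        if any(image.startswith(d + "\\") for d in STAGING_DIRS):
            hits.append("staging_dir_execution")
        # Rule 4: computerdefaults.exe should not normally spawn children; the page
        # ties it to the BypassUACViaDebugObject technique. Heuristic, tune for your estate.
        if _base(parent) == "computerdefaults.exe":
            hits.append("uac_bypass_child")
    elif ev.get("EventID") == 6:
        # Rule 5: load of the known-vulnerable driver. Its valid signature does
        # not make it safe, so match on the file name, not the signer.
        if _base(ev.get("ImageLoaded")) in VULNERABLE_DRIVERS:
            hits.append("vulnerable_driver_load")
    return hits


def analyze(events):
    """Map event index -> list of fired rules (only events with at least one hit)."""
    result = {}
    for i, ev in enumerate(events):
        fired = check_event(ev)
        if fired:
            result[i] = fired
    return result


# Constructed sample telemetry following the chain described on the page.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c mkdir %public%\501"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\501\url.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "url.exe -o Setup64.exe <url redacted>"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\501\Setup64.exe", "OriginalFileName": "Setup64.exe",
     "CommandLine": "Setup64.exe"},
    {"EventID": 1, "ParentImage": r"C:\Users\Public\501\Setup64.exe",
     "Image": r"C:\ProgramData\Golden\DeviceCredentialDeployment.exe",
     "OriginalFileName": "DeviceCredentialDeployment.exe",
     "CommandLine": "DeviceCredentialDeployment.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\computerdefaults.exe",
     "Image": r"C:\ProgramData\Golden\DeviceCredentialDeployment.exe",
     "OriginalFileName": "DeviceCredentialDeployment.exe",
     "CommandLine": "DeviceCredentialDeployment.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\wsftprm.sys",
     "Signed": "true"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",  # benign control
     "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.com"},
]

if __name__ == "__main__":
    for i, rules in analyze(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(rules)}")
```

The benign control event (curl.exe run under its real name from System32) fires nothing, while the renamed copy in %public%\501 trips both the rename and the staging-directory rule. Rule 4 is the noisiest of the five and should be baselined before alerting on it.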
Attribution Clues
The same name was previously seen linked to gongluliu@zju.edu.cn. Desktop-t3n3m3q appeared during the 2025 Silver Fox sweeps. One shared driver points to repeated misuse, and the same network infrastructure traces back to a smaller cluster. Matching tools and setup suggest coordinated operations.
Since 2025, Silver Fox has struck Taiwan using updated forms of ValleyRat. These versions trace back to older Gh0st RAT tools. Focused on Asian regions, attacks arrive with region-specific bait. Messages often mimic local context to blend in.
Activity shows a pattern of slow, careful infiltration. Most attempts slip through under familiar-looking emails. Not all efforts succeed, yet some gain early access. Cyber defenses now watch for these tailored approaches. Each wave brings slight tweaks to avoid detection. Over time, methods grow harder to spot.
| Type | Value |
|---|---|
| Domain | bqdrzbyq[.]cn |
| Domain | taxfnat[.]tw |
| Domain | njhwuyklw[.]com |
| Domain | twtaxgo[.]cn |
| Domain | taxhub[.]tw |
| Domain | taukeny[.]com |
| Domain | taxpro[.]tw |
| Domain | lmaxjuyh[.]cn |
| Domain | tkooyvff[.]cn |
| Domain | etaxtw[.]cn |
| Domain | twswsb[.]cn |
| IP | 47[.]76[.]86[.]151 |
| URL | hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar |
| URL | hxxps://sdfw2026024.tos-cn-shanghai.volces[.]com/E-Invoice.rar |
| URL | hxxps://twtaxgo[.]cn/uploads/20260129/taxIs_RX3001.7z |
| SHA256 | 64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a (Setup.exe) |
| SHA256 | 156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe (AISafeSDK64.dll) |
Defenses and Mitigations
Fortinet's antivirus engine detects the samples as W64/Agent.ATW!tr at the gateway, mail, client and EDR layers. Phishing slips through less often now that FortiMail spots the fakes early, and suspicious files land in the Sandbox, where their behavior is closely monitored.
Content Disarm and Reconstruction (CDR) rebuilds documents so embedded threats are removed before delivery. Sensors feed threat intelligence back, cutting off command-and-control traffic to known bad IPs.
Start by blocking the known threat indicators. Phishing exercises help teams spot bad messages more easily. Watch for drivers brought in from outside the standard build, and block known-vulnerable ones.
Review system settings, scheduled tasks and unusual network traffic. Apply zero-trust principles and segment the network into zones. Keep the Microsoft vulnerable driver blocklist and other security filters current.
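Blocking the published indicators starts with getting them out of the defanged table above and into a form that matches real telemetry. The following is an added example, not the page's or Fortinet's code: it parses a copy of the indicator table rows exactly as published (with `[.]` and `hxxps` defanging), refangs them, and matches them against constructed DNS, proxy, firewall and EDR log lines, including a look-alike domain that must not match. The table rows are copied from the page; the log lines are constructed.

```python
"""Refang the page's indicator table and match it against log lines
(added example; log lines are constructed, table rows copied from the page)."""
import re

IOC_TABLE = """\
| Type | Value |
|---|---|
| Domain | bqdrzbyq[.]cn |
| Domain | taxfnat[.]tw |
| IP | 47[.]76[.]86[.]151 |
| URL | hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar |
| SHA256 | 64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a (Setup.exe) |
"""

# Constructed log lines: resolver, web proxy, firewall, EDR hash telemetry.
SAMPLE_LOGS = [
    "2026-02-03T10:00:01Z dns client=10.0.0.5 qname=bqdrzbyq.cn qtype=A",
    "2026-02-03T10:00:02Z proxy client=10.0.0.5 GET https://twmoi2002.tos-cn-shanghai.volces.com/E-Invoice.rar 200",
    "2026-02-03T10:00:05Z fw allow src=10.0.0.5 dst=47.76.86.151:443 proto=tcp",
    "2026-02-03T10:00:09Z edr host=WS-17 file=Setup.exe sha256=64EE7A2E6259286311C8BA1C7B6D30E1E52FE78BEFCFD1B71B291C788F3E3E6A",
    "2026-02-03T10:01:00Z dns client=10.0.0.6 qname=example.com qtype=A",
    "2026-02-03T10:01:03Z dns client=10.0.0.7 qname=taxfnat.tw.example.org qtype=A",  # look-alike, must not match
]

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(value):
    """Undo the common defanging conventions used in published IoC lists."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def parse_ioc_table(text):
    """Parse '| Type | Value |' markdown rows into refanged, lower-cased sets."""
    iocs = {"domain": set(), "ip": set(), "url": set(), "sha256": set()}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2:
            continue
        kind, value = cells[0].lower(), refang(cells[1])
        if kind == "sha256":
            value = value.split()[0]          # drop the "(filename)" annotation
        if kind in iocs:
            iocs[kind].add(value.lower())     # URLs compared case-insensitively here
    return iocs


def compile_matchers(iocs):
    """Build boundary-aware regexes so 'evil.example' does not match 'evil.example.org'."""
    matchers = []
    for d in sorted(iocs["domain"]):
        # allow a subdomain before, forbid label continuation after
        matchers.append(("domain", d, re.compile(r"(?<![\w-])" + re.escape(d) + r"(?![\w-]|\.\w)")))
    for ip in sorted(iocs["ip"]):
        matchers.append(("ip", ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")))
    for u in sorted(iocs["url"]):
        matchers.append(("url", u, re.compile(re.escape(u))))
    return matchers


def scan_logs(lines, iocs):
    """Return (line_index, kind, value) for every indicator found in the lines."""
    matchers = compile_matchers(iocs)
    hits = []
    for n, raw in enumerate(lines):
        line = raw.lower()
        for kind, value, rx in matchers:
            if rx.search(line):
                hits.append((n, kind, value))
        for h in HASH_RE.findall(line):
            if h in iocs["sha256"]:
                hits.append((n, "sha256", h))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f"line {n}: {kind} {value}")
```

The domain matcher deliberately accepts a subdomain prefix (a host under bqdrzbyq.cn is still the attacker's) but rejects a trailing label, so the look-alike taxfnat.tw.example.org in the last log line produces no hit. Hash comparison lower-cases the EDR value because tools disagree on case.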
FAQ
A shadow moves through digital corners, tied to China, reaching across Asian networks. This crew called Silver Fox slips malicious tools – ValleyRat among them – into hidden traps online. Instead of bold attacks, they weave quiet lures that hook users by mistake. Their path? Phishing trails laid carefully where victims walk daily. Not loud explosions but slow leaks define their rhythm. Behind each fake link, control spreads one compromised machine at a time.
Malicious messages arrive hiding RAR files or fake tax invoice links. These sneak in LNK scripts instead of clean documents. Sometimes a DLL payload slips through after the click. Files act innocent but trigger hidden downloads. The installer runs quiet, leaving backdoors behind. Attackers wait, watching for login attempts later. Each step moves slow, avoiding alarms. Nothing flashes warnings until it is too late.
Slips past UAC, then drops a custom driver to disable antivirus. Communication happens through command servers that support tools – capturing screens, pulling files. A hidden channel runs the extras, one after another, without alerts. Each piece connects silently, moving only when triggered.
Strange command-line activity shows up alongside files dropped in shared directories. Meanwhile, communication reaches out to the IP address 47.76.86.151 without warning. Security tools suddenly stop working around the same time. Together these signs point to active tampering behind the scenes.
A few steps help reduce email threats. Blocking known bad addresses stops some attacks early. Malicious indicators get blocked before harm occurs. Known-vulnerable drivers are now denied automatically. Staff learn to spot suspicious messages through practice. Endpoint monitoring tools catch odd behavior fast.
Site: thecybrdef.com