Inside Silver Fox’s Den: Trustwave SpiderLabs Unmasks a Global Threat Actor
Trustwave SpiderLabs research shows that Silver Fox is a China-based APT group that mainly targets Chinese-speaking organizations and Taiwan for cyber espionage and data theft. 2025-08-05 13:00:00 Author: www.trustwave.com


  • Trustwave SpiderLabs’ latest research details the advanced persistent threat (APT) campaigns conducted by Silver Fox group, a significant and evolving threat actor.
  • The likely China-based threat group primarily targets Chinese-speaking organizations.
  • Trustwave SpiderLabs examines the tools, techniques, and procedures (TTPs) of the Silver Fox APT, highlighting their espionage, data theft, and financial gain motives.

This blog is the latest in a series that delves into the deep research conducted daily by the Trustwave SpiderLabs team on major threat actor groups currently operating globally.

The Silver Fox threat actor group, also associated with attacks attributed to Void Arachne and Great Thief of the Valley, is a relatively new, most likely China-based threat group that has emerged as a significant player in advanced persistent threat (APT) campaigns.

Silver Fox's Timeline and Targets

This adversary generally operates alone, without any associated groups, and primarily targets Chinese-speaking users and Taiwanese organizations, but it has been known to strike outside the Pacific region.

Active since at least 2023, Silver Fox is known for using a variety of methods to gain initial access and then implement multi-stage malware campaigns, deploying remote access trojans (RATs) like ValleyRAT and Winos 4.0 to infiltrate networks for espionage, data theft, and financial gain.

The group often masquerades as cybercriminals but at the same time exhibits APT-like characteristics by targeting governmental institutions, healthcare, education, gaming, and cybersecurity sectors, suggesting possible state sponsorship or operation.

The motives behind these attacks are often:

  • Espionage, corporate, and government
  • Strategic intelligence collection
  • Financial gain – Theft of financial information and personal data
  • Cryptocurrency mining
  • Operational disruption

To obtain this information, the group goes after a specific set of assets, such as:

  • Access to financial systems, payment credentials, and transactional data
  • Customer databases or business deal information
  • Sensitive financial or personal data
  • Theft of sensitive proprietary information (e.g., technology)
  • State/government secrets

Some of the group’s most recent activity has centered on Taiwanese targets where it leveraged fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit.

Silver Fox’s Tools and Techniques

The group's tools, techniques, and procedures demonstrate its adaptability. SpiderLabs has tracked Silver Fox as it has evolved from conducting broad, opportunistic attacks to targeted operations, particularly against Taiwan, reflecting geopolitical motivations.

Its use of advanced evasion techniques, like disabling antivirus with vulnerable drivers (e.g., TrueSight2), VMProtect obfuscation, and language-specific targeting, underscores its technical sophistication.

While the group’s focus on Chinese-speaking regions and sectors like healthcare suggests a strategic agenda, the overlap with Void Arachne and the use of cryptominers raise questions about whether financial motives or state directives drive their operations.

Initial Access

Silver Fox employs social engineering tactics for initial access across a variety of platforms, including those that fall under MITRE ATT&CK T1566.001:

  • Phishing emails that impersonate official entities (e.g., Taiwan’s National Taxation Bureau) and contain malicious attachments (PDF, Excel, Word, Zip files) and links.
  • Search engine optimization (SEO) poisoning to distribute trojanized software via a malicious MSI.
  • Telegram channels to share lures like fake AI tools, VPNs, and gaming apps.
  • Compromised legitimate software (e.g., DICOM Viewer, EmEditor) or fake software, such as gaming apps.

Silver Fox’s initial execution methods include DLL sideloading, process injection, and in-memory execution, and it often pairs them with tools like the Nidhogg rootkit and anti-sandbox techniques to evade detection.

Persistence and privilege escalation (MITRE ATT&CK TA0003) are established through registry modifications and scheduled tasks, while its command-and-control (C2) infrastructure leverages HTTP File Server (HFS) for ValleyRAT and TCP-based communication for Winos 4.0, with encrypted data transfers to avoid interception.

Gathering Data

Once ensconced inside a target, the group uses a variety of methods to obtain data.

  • The threat actor may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to exfiltration (T1005).
  • The threat actor may stage collected data in a central location or directory prior to exfiltration (T1074).
  • The threat actor may use methods of capturing user input (keylogging) to obtain credentials or collect information (T1417).
  • Screen captures of the desktop to gather information over the course of an operation are also used (T1113).

Trustwave SpiderLabs will continue to track Silver Fox as the group continues to operate at the intersection of cybercrime and cyber espionage.

The group’s evolving toolset, use of social engineering and advanced malware, and focus on geopolitical targets, particularly in the Chinese-speaking and Taiwanese regions, underscore the strategic intent behind its campaigns.

As with many advanced persistent threats, Silver Fox blurs the lines between financially motivated crime and state-sponsored activity, making attribution and defense all the more challenging. Trustwave SpiderLabs will continue to monitor Silver Fox’s movements closely and provide timely intelligence to help organizations stay ahead of this persistent adversary.

Please consider reading Trustwave SpiderLabs’ other threat group investigations.


Source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/inside-silver-foxs-den-trustwave-spiderlabs-unmasks-a-global-threat-actor/