
Silver Fox APT adapts tooling from ValleyRAT to Python credential stealer in dual-purpose campaigns

1 unique source, 1 article

Summary


Between late 2025 and early 2026, the Silver Fox intrusion group shifted its operational focus from traditional espionage-style malware to a hybrid model combining state-aligned intelligence collection with financially driven cybercrime. The group targeted finance teams across South and East Asia using tax and payroll-themed phishing lures, evolving delivery methods from malicious PDF attachments and DLL side-loading to SEO poisoning and malicious ads, and ultimately to a custom Python-based credential stealer disguised as a WhatsApp application. Impact includes compromised credentials and sensitive files from organizations in Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand, and the Philippines, with evidence suggesting targeted espionage during tax audit periods and broader financially motivated theft.

Timeline

  1. 24.03.2026 18:00 · 1 article

    Silver Fox APT evolves from ValleyRAT to Python stealer in hybrid espionage-cybercrime campaign

    Late 2025 campaigns used ValleyRAT delivered via DLL side-loading from tax-themed PDF attachments. Early 2026 campaigns pivoted to phishing websites hosting archives containing malware or legitimate remote monitoring tools. By March 2026, a custom Python-based credential stealer disguised as a WhatsApp application was observed exfiltrating credentials and sensitive files from targeted finance teams across multiple Asian regions.


Information Snippets

  • Silver Fox delivered ValleyRAT malware via DLL side-loading from malicious PDF attachments impersonating tax authorities.

    First reported: 24.03.2026 18:00
    1 source, 1 article
  • Second campaign wave replaced direct attachments with phishing websites hosting archives that delivered malware or legitimate remote management tools.

    First reported: 24.03.2026 18:00
    1 source, 1 article
  • By early 2026, Silver Fox distributed a custom Python-based credential stealer masquerading as a WhatsApp application to exfiltrate credentials and sensitive files.

    First reported: 24.03.2026 18:00
    1 source, 1 article
  • Campaigns leveraged SEO poisoning and malicious ads to drive victims to phishing infrastructure.

    First reported: 24.03.2026 18:00
    1 source, 1 article
  • Targeted regions included Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand, and the Philippines.

    First reported: 24.03.2026 18:00
    1 source, 1 article
  • Evidence indicates espionage-focused activity aligned with tax audit periods in Taiwan, alongside opportunistic financially motivated operations.

    First reported: 24.03.2026 18:00
    1 source, 1 article
  • Silver Fox deployed a modular toolset including ValleyRAT, HoldingHands remote access tools, and custom stealers to maintain persistent access and adapt operations.

    First reported: 24.03.2026 18:00
    1 source, 1 article