Silver Fox South Asia phishing campaign
Campaign
Summary
The Silver Fox campaign now includes BYOVD abuse of a previously unknown WatchDog Anti-malware driver, amsdk.sys (version 1.0.600), to disable security tools on compromised hosts and clear the way for ValleyRAT / Winos 4.0 deployment. Check Point said the Microsoft-signed driver was not in the Microsoft Vulnerable Driver Blocklist, and attackers preserved that signature while changing a single byte to bypass hash-based blocklists. The activity remains tied to Silver Fox’s broader 2025–2026 phishing-led operations, which also rely on fake lures, anti-analysis checks, and staged delivery chains.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
CypherLoc phishing-led browser scareware campaign
Campaign
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
North American cryptocurrency company hit by network compromise
Incident
First: 28.04.2026 11:00
Last: 28.04.2026 11:00
Sources 1
About this happening:
A **North American cryptocurrency company** suffered a **multi-stage intrusion** that began on **January 23, 2026**, and the attackers kept access for **66 days**. The foothold ca...
Timeline
24.03.2026 18:00 4 articles · 2mo ago
Silver Fox phishing campaign evolves across South Asia
Campaign Scope Update
Silver Fox ran multi-wave phishing campaigns against organizations across South Asia, starting with malicious PDF attachments impersonating national tax authorities and delivering ValleyRAT through DLL side-loading, then shifting to phishing websites hosting downloadable malware archives and remote monitoring tools, and by early 2026 to a Python-based credential stealer disguised as a WhatsApp application.
Sources:
- Silver Fox Cyber Campaigns Show Shift Toward Dual Espionage — www.infosecurity-magazine.com — 24.03.2026 18:00
- Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT — thehackernews.com — 18.10.2025 09:51
- Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware — thehackernews.com — 02.09.2025 11:39