Silver Fox South Asia phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The Silver Fox campaign now includes BYOVD abuse of a previously unknown WatchDog Anti-malware driver, amsdk.sys (version 1.0.600), to disable security tools on compromised hosts and clear the way for ValleyRAT / Winos 4.0 deployment. Check Point said the Microsoft-signed driver was not in the Microsoft Vulnerable Driver Blocklist, and attackers preserved that signature while changing a single byte to bypass hash-based blocklists. The activity remains tied to Silver Fox’s broader 2025–2026 phishing-led operations, which also rely on fake lures, anti-analysis checks, and staged delivery chains.
Related Happenings
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
H score33
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
CampaignAbout this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
H score36
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
CampaignAbout this happening: **Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Timeline
-
24.03.2026 18:00 4 articles · 3mo ago
Silver Fox phishing campaign evolves across South Asia
Campaign Scope UpdateSilver Fox ran multi-wave phishing campaigns against organizations across South Asia, starting with malicious PDF attachments impersonating national tax authorities and delivering ValleyRAT through DLL side-loading, then shifting to phishing websites hosting downloadable malware archives and remote monitoring tools, and by early 2026 to a Python-based credential stealer disguised as a WhatsApp application.
Show sources
- Silver Fox Cyber Campaigns Show Shift Toward Dual Espionage — www.infosecurity-magazine.com — 24.03.2026 18:00
- Silver Fox Cyber Campaigns Show Shift Toward Dual Espionage — www.infosecurity-magazine.com — 24.03.2026 18:00
- Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT — thehackernews.com — 18.10.2025 09:51
- Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware — thehackernews.com — 02.09.2025 11:39