Find notable cyber news and cases, enriched with sources, timelines, and signals.

Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 2 articles

Summary

Hide ▲

Silver Fox is running a tax-themed phishing campaign that now targets India with Income Tax Department lures and delivers ValleyRAT (aka Winos 4.0). The campaign uses phishing emails, DLL hijacking, a ZIP/NSIS installer chain, and process injection into `explorer.exe` to install the malware and enable keylogging, credential harvesting, and defense evasion. The group is China-based and also uses related lure sites and installer infrastructure to track downloads and distribute ValleyRAT. The campaign matters because it shows a sustained, multi-stage delivery chain built for persistence and low-noise access.

Related Happenings

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...

TA4922 expanded European phishing-and-malware campaign

Campaign
H score40 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
H score33 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...

WeedHack YouTube and SEO poisoning campaign targeting Minecraft players

Campaign
H score73 First: 03.06.2026 00:54 Last: 03.06.2026 00:54 Sources 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

Timeline

  1. 04.05.2026 14:57 3 articles · 2mo ago

    Silver Fox tax-phishing campaign delivers ABCDoor and ValleyRAT

    Initial Disclosure

    Silver Fox is linked to a tax-themed phishing campaign targeting organizations in Russia and India, using fake Income Tax Department of India notices and archive lures to deliver a modified RustSL loader, ValleyRAT (aka Winos 4.0), and the previously undocumented Python-based backdoor ABCDoor; the operation spans December 2025 to early February 2026, with more than 1,600 phishing emails flagged and the highest attack volume seen in India, Russia, and Indonesia across industrial, consulting, retail, and transportation organizations.

    Show sources