Tax Audit Phishing Campaign Tied to Silver Fox Shifts From RATs to Python Stealers

Since early 2025, a China-based hacker group called Silver Fox, also known as Void Arachne, has changed the way it attacks a lot This article explores asia careful emails. . The campaign happened in three waves from 2025 to 2026 and affected groups in Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand, and the Philippines.

The group first got attention by using SEO poisoning to spread ValleyRAT, a modular backdoor also known as Winos, through mass infection campaigns. This most recent change shows how Silver Fox has steadily expanded its geographic reach and toolkit. They did this by using convincing tax authority impersonation lures to get in at first. Companies in South Asia should be careful with emails that they didn't ask for that are about taxes, especially those that have attachments or links to file downloads.

Security teams should block known bad domains and C2 addresses, like xqwmwru[. ]top and the IPv4 addresses of the RMM tool that were shared in the threat intelligence report. Tools for monitoring endpoints should notify you when WhatsAppBackup directories and the whatsapp_backup.lock file are made.

Checking outbound connections to newly registered domains with uncommon TLDs can help find similar intrusions before data leaves the network. Visit ZeroOwl's security blog, The ZeroOwl Security Blog, or follow us on Twitter at @ZeroOwlSecurity and on Facebook at www.Facebook.com/TheZeroOwl for more information. To get private help, call the Samaritans at 08457 90 90 90 or go to a nearby Samaritans branch. For more information, go to www.samaritans.org.

In the U.S., you can get help by calling the National Suicide Prevention Lifeline at 1-800-273-8255 or going to http://www.suicidepreventionlifeline.org/.

If you need help in the UK, call The Samaritans at 08457 909090 or click here.