A cybercriminal group known as Silver Fox, alternatively referred to as Void Arachne, has transformed its attack methodology since early 2025. The group, originating from China, has transitioned from utilizing remote access trojans (RATs) to deploying a custom-built Python-based stealer across South Asia.
Evolution of Silver Fox’s Attack Techniques
Silver Fox has been active since 2022, initially gaining notoriety for large-scale infection campaigns. These campaigns leveraged SEO poisoning to propagate ValleyRAT, a type of modular backdoor also known as Winos. The group’s recent pivot to Python-based stealers represents an expansion both in geographical reach and technical capabilities, using sophisticated impersonation tactics to infiltrate systems.
Throughout 2025 and 2026, Silver Fox executed its operations in three distinct phases, targeting various countries in the region including Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand, and the Philippines. The initial phase, beginning in January 2025, utilized phishing emails masquerading as communications from Taiwan’s national taxation authority, featuring malicious PDFs that directed victims to download harmful files.
Phishing Campaigns and Techniques
In the subsequent wave identified in December 2025, the group’s strategy evolved. Instead of embedding PDFs, phishing emails included links to counterfeit tax websites specific to each targeted nation. Victims downloading from these sites received archives containing a compromised Chinese Remote Monitoring and Management (RMM) tool, signed by “SyncFutureTec Company Limited.” The attackers exploited a flaw in this tool, embedding a C2 address to evade initial security measures.
By February 2026, Silver Fox introduced a Python stealer, replacing the earlier RMM tool. This stage of the operation primarily targeted Malaysia, with phishing sites crafted in Malay. The stealer was disguised as a WhatsApp backup tool, communicating with a command-and-control server at xqwmwru[.]top, and leaving traces such as a WhatsAppBackup directory and a lock file on compromised systems.
Security Implications and Recommendations
The infection sequence for the Python stealer begins when recipients of phishing emails click on embedded links, leading to sites mimicking official tax portals. Victims are then prompted to download a file that, once executed, gathers sensitive data including credentials and browser information, sending it to the C2 server. Organizations should exercise caution with unsolicited tax-related emails, especially those containing attachments or links to downloads.
Finance teams are advised to educate themselves on tactics used by attackers posing as tax officials. Security teams should block known malicious domains and monitor network traffic for unusual activity, particularly the creation of directories or files associated with WhatsAppBackup. Inspecting outbound connections to newly registered domains with atypical top-level domains can help detect and prevent data exfiltration attempts.
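As an added example (not code from the article or from any vendor report), the following Python script applies the monitoring advice above to constructed proxy and file-creation log lines: it flags connections to the article's C2 domain, outbound connections to uncommon top-level domains, and creation of WhatsAppBackup paths. The log formats and the list of "uncommon" TLDs are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: the stealer's C2 domain (defanging brackets removed)
# and the on-disk trace it leaves (a WhatsAppBackup directory and a lock file).
C2_DOMAINS = {"xqwmwru.top"}
PATH_MARKERS = ("WhatsAppBackup",)
# Assumption: the article does not enumerate "atypical" TLDs; this list is illustrative.
UNCOMMON_TLDS = {"top", "xyz", "icu", "club", "work", "cam"}

# Assumed log formats (constructed for this example): a proxy line and a file-creation line.
PROXY_RE = re.compile(r"^(?P<ts>\S+) PROXY src=(?P<src>\S+) dst=(?P<dst>[^:\s]+)(?::\d+)?\s")
FILE_RE = re.compile(r"^(?P<ts>\S+) FILE_CREATE host=(?P<host>\S+) path=(?P<path>\S+)")

@dataclass
class Finding:
    line_no: int
    reason: str
    evidence: str

def tld_of(host: str) -> str:
    return host.rsplit(".", 1)[-1].lower()

def analyze(lines):
    """Return one Finding per log line that matches an indicator from the article."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line)
        if m:
            dst = m.group("dst").lower()
            if dst in C2_DOMAINS:
                findings.append(Finding(n, "known C2 domain", dst))
            elif tld_of(dst) in UNCOMMON_TLDS:
                findings.append(Finding(n, "outbound to uncommon TLD", dst))
            continue
        m = FILE_RE.match(line)
        if m and any(k.lower() in m.group("path").lower() for k in PATH_MARKERS):
            findings.append(Finding(n, "stealer artifact on disk", m.group("path")))
    return findings

# Constructed sample log lines: benign and suspicious entries of each kind.
SAMPLE_LOG = [
    "2026-02-14T09:12:01Z PROXY src=10.0.5.21 dst=update.example.com:443 bytes=5120",
    r"2026-02-14T09:12:07Z FILE_CREATE host=WS-021 path=C:\Users\alice\AppData\Roaming\WhatsAppBackup\backup.lock",
    "2026-02-14T09:12:09Z PROXY src=10.0.5.21 dst=xqwmwru.top:443 bytes=183422",
    "2026-02-14T09:13:40Z PROXY src=10.0.5.33 dst=cdn.news-mirror.xyz:443 bytes=2200",
    r"2026-02-14T09:14:02Z FILE_CREATE host=WS-033 path=C:\Users\bob\Documents\report.docx",
]
```

Running `analyze(SAMPLE_LOG)` yields three findings (lines 2, 3 and 4 of the sample); the uncommon-TLD rule is a triage signal rather than proof of compromise, so hits should be correlated with domain registration age before blocking.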
