Threat Intel - Silver Fox Evolves Phishing Tactics to Python Stealers
In short: a China-based threat group has changed its methods and now steals data through fake tax emails.
Silver Fox, a China-based threat actor, has evolved its phishing tactics, now using custom Python stealers. Targeting South Asia, this shift raises significant risks for organizations. Vigilance against tax-related phishing emails is crucial to safeguard sensitive data.
The Threat
Silver Fox, a China-based threat actor, has significantly evolved its phishing tactics since early 2025. Previously known for deploying remote access trojans (RATs), they have now shifted to distributing a custom Python-based stealer across South Asia. This change marks a notable escalation in their attack strategy, reflecting their adaptability and increasing sophistication. The group, also tracked as Void Arachne, has been active since at least 2022, gaining notoriety through mass infection campaigns that utilized SEO poisoning to push their malicious software.
The campaign has unfolded in three distinct waves, targeting various countries including Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand, and the Philippines. The initial wave began in January 2025, with phishing emails impersonating Taiwan’s national taxation authority, cleverly timed to coincide with real tax announcements. This strategic timing enhanced the credibility of their attacks, making it easier for victims to fall prey to their schemes.
Who's Behind It
The Silver Fox group has shown a remarkable ability to adapt their tactics to exploit current events and societal trust in government institutions. Their phishing emails initially contained malicious PDFs that led victims to download a ZIP archive containing ValleyRAT, a modular backdoor. In December 2025, they expanded their approach by embedding links to fake tax websites, further complicating detection efforts. This evolution demonstrates their commitment to refining their methods and broadening their reach.
By February 2026, Silver Fox transitioned to using a compiled Python stealer, which disguised itself as a WhatsApp backup application. This new tactic not only reflects their technical prowess but also highlights their focus on targeting users in Malaysia, as evidenced by the phishing website's language.
Tactics & Techniques
The infection chain initiated by Silver Fox begins when a victim opens a phishing email and clicks on a link that directs them to a tax-themed website. This site mimics a trusted government portal, making it difficult for users to discern its malicious intent. Once on the site, victims are prompted to download an archive, which unpacks into a PE32+ executable. Running this file launches the Python stealer, which then gathers sensitive information such as credentials and browser data.
The collected data is compressed and sent to a command-and-control (C2) server through dedicated endpoints. The C2 infrastructure is designed to manage stolen information efficiently, allowing the threat actors to operate at scale. This structured backend is crucial for the group to maintain control over the stolen data and streamline their operations.
Defensive Measures
Organizations across South Asia must remain vigilant against unsolicited tax-related emails, particularly those with attachments or links. It is essential for finance teams to receive training on recognizing phishing attempts that impersonate government tax agencies. Security teams should proactively block known malicious domains and C2 addresses, including xqwmwru[.]top.
Implementing endpoint monitoring tools can help detect the creation of suspicious directories and files associated with the Python stealer. Additionally, inspecting outbound connections to newly registered domains can aid in identifying potential intrusions before sensitive data is exfiltrated. By staying informed and adopting these defensive measures, organizations can better protect themselves against evolving threats from groups like Silver Fox.
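The two detection measures above (blocking the named C2 domain and flagging outbound connections to newly registered domains) can be checked against proxy logs. The following is an added example written for this article, not tooling from the report or the vendor: the log line format, the hostnames other than xqwmwru[.]top, the process names and every registration date are constructed assumptions standing in for real proxy data and a WHOIS/RDAP lookup.

```python
import re
from datetime import date

# The one C2 domain named on the page, kept defanged so it never resolves by accident.
BLOCKED_DOMAINS_DEFANGED = ["xqwmwru[.]top"]

# Hypothetical registration dates standing in for a WHOIS/RDAP lookup. All values are
# constructed; only the C2 domain name itself comes from the page.
REGISTRATION_DATES = {
    "xqwmwru.top": date(2026, 1, 20),
    "tax-portal-refund.example": date(2026, 2, 1),
    "update.example": date(2015, 6, 1),
}

# Constructed sample proxy log lines in an assumed key=value format (not from the page).
SAMPLE_LOG = """\
2026-02-10T08:01:02Z host=FIN-PC01 dst=update.example:443 proc=svchost.exe
2026-02-10T08:02:15Z host=FIN-PC01 dst=api.xqwmwru.top:443 proc=whatsapp_backup.exe
2026-02-10T08:02:16Z host=FIN-PC01 dst=tax-portal-refund.example:443 proc=whatsapp_backup.exe
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>[^:\s]+):\d+ proc=(?P<proc>\S+)")

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'xqwmwru[.]top' into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def registrable(hostname: str) -> str:
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    parts = hostname.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()

def classify(log_text: str, today_iso: str, max_age_days: int = 30) -> list:
    """One alert per connection to a known C2 domain or to a domain registered within max_age_days."""
    today = date.fromisoformat(today_iso)
    blocked = {refang(d) for d in BLOCKED_DOMAINS_DEFANGED}
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these rather than drop them
        dom = registrable(m["dst"])
        if dom in blocked:  # exact IoC match takes precedence over the age heuristic
            alerts.append({"dst": m["dst"], "proc": m["proc"], "reason": "known_c2"})
            continue
        registered = REGISTRATION_DATES.get(dom)
        if registered is not None and (today - registered).days <= max_age_days:
            alerts.append({"dst": m["dst"], "proc": m["proc"], "reason": "newly_registered"})
    return alerts
```

Subdomains of the indicator (here `api.xqwmwru.top`) are matched because the comparison is done on the registrable domain, which is the usual way to avoid missing C2 traffic that uses rotating hostnames under one registration.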
Cyber Security News