Executive Summary

CloudSEK’s TRIAD discovered a campaign by Silver Fox APT targeting India with Income tax themed phishing lures. The lure is visually identical to the ones discovered by other vendors, however, this campaign has not been attributed to a specific threat actor before this report.  Attribution accuracy is critical to threat intelligence; it enables defenders to predict adversary behavior and deploy targeted countermeasures. Misattribution from trusted sources propagates through threat feeds and detection systems, causing organizations to focus on the wrong threat while the actual adversary operates undetected. Attributing this campaign to SideWinder APT (India-aligned) contradicts basic victimology and creates systemic confusion. Using our report aims to highlight the sophisticated kill chain by the Chinese APT group, and explains the rationale behind CloudSEK’s attribution. 

‍Kill Chain

Initial Access Vector 

We found an interesting email uploaded from India with just an attachment called “TOPSOE India Private Limited’. The pdf looked like an official Income Tax Department document. Upon clicking on the pdf, “ggwk[.]cc” opens up on the browser and a zip file called “tax affairs.exe” is downloaded.

Technical Analysis

Stage - 1 : Tax Affairs.zip

Using static analysis we see that the given PE file is a 32 bit GUI binary. More importantly, the file is identified as a Nullsoft Scriptable Install system (NSIS) installer. NSIS installers embed their installation script, compressed payloads etc inside the binary itself and we can move ahead to analyse it as an installer driven staging payload.

The NSIS installer begins by resolving a writable temporary directory using GetTempPathA.
If the operation fails, it falls back to C:\Windows\Temp, ensuring execution reliability. Once a valid location is identified, the installer creates an NSIS specific working directory (~nsu.tmp) and switches the directory to it.

Upon analysis we found that only 2 files are of use to us, Thunder.exe and libexpat.dll. Thunder.exe is a legitimate, digitally signed executable developed by Xunlei (迅雷), commonly distributed as part of the Thunder download manager ecosystem. In this infection chain, the binary itself is not malicious but is abused as a DLL hijacking host.When executed from installer’s temporary directory, Thunder.exe loads libexpat.dll from its local path due to default DLL search order. We can confirm this in x64dbg.

‍

‍Stage - 2 : libexpat.dll

The dropped libexpat.dll does not export any meaningful functions and is never explicitly invoked by Thunder.exe.The dll relies on the windows loader functionality and calls the DLLMain. This callback is invoked unconditionally, regardless of whether the DLL exports any functions or is actively used by the host process.

Let’s take a look at the working of the DLL.

‍

The Main function begins by many anti debugging and sandbox techniques.The DLL performs process enumeration and scans the process list for common analysis and sandbox tools. Also the DLL queries for the system resources checking if minimum requirements are satisfied or not. In addition to that, if it detects any sandbox environment, it terminates the malware.

‍

Once the DLL completes its anti analysis checks, it enters the core execution logic. It first disables the Windows Update service(wuauserv) then loads an encrypted payload from the disk. The payload is dynamically resolved and loads the box.ini file from the temporary directory. The file is fully read into memory, decrypted using embedded cryptographic constants and later on executed as shellcode.

‍

The shellcode is executed using a classic technique called Process Injection.The routine begins by verifying the presence of explorer.exe, which is later used as the target process. The binary is launched in suspended state and the malware retrieves the initial thread context. Further it allocates executable memory inside the remote process via VirtualAllocEx and writes the payload via WriteProcessMemory.

The LogStatus function implements an internal logging mechanism used throughout the DLL to record execution progress and error states. The function formats a timestamped log message, appends it to a local file (C:\data.db), and applies a lightweight custom obfuscation before writing it to disk.

Stage - 3 : DonutLoader 

The injected payload can be dumped by attaching a debugger to the hollowed explorer.exe process and monitoring the memory region allocated via VirtualAllocEx. Once the payload is written using WriteProcessMemory and execution is redirected, the allocated region can be dumped directly from memory, yielding the next stage payload for analysis.

Looking through the decrypted payload we find that the final payload is a Donut generated shellcode. In this setup, Donut is used to wrap a managed payload into raw shellcode, allowing it to be executed entirely from memory without touching disk.

We can dump the Donut payload by using tools like undonut or donut-decryptor .

Stage - 4 : Valley RAT

After the Donut loader successfully injects the final payload into the hollowed explorer.exe process, Valley RAT initializes its sophisticated configuration management subsystem. It starts off by setting anti analysis procedures and then invokes a function sub_405E40() to initialize it’s configuration and later create a thread for C2 communication.

The function implements a two stage loading mechanism. It extracts 22 distinct configuration parameters through a parsing function.

Stage 1 

Command & Control Infrastructure (9 parameters):

• p1:, p2:, p3: - Three-tier C2 server addresses (correlates with b[.]yuxuanow[.]top identified in network analysis)
• o1:, o2:, o3: - Corresponding port numbers for each C2 tier
• t1:, t2:, t3: - Connection type flags (1 = HTTP/HTTPS, 0 = raw TCP socket)

Operational Parameters (5 parameters):

• dd: - Initial sleep delay (seconds) before first C2 contact 
• cl: - Callback interval (seconds) between beaconing attempts
• bb: - Build/bot version identifier (observed: 1.0)
• bz: - Backup C2 address 
• fz: - Unknown parameter

Feature Flags (8 boolean parameters):

• kl: - Keylogger (1 = enabled, 0 = disabled)
• sh: - Remote shell access (1 = enabled, 0 = disabled)
• bd: - Full backdoor mode (1 = enabled, 0 = disabled)
• dl: - Download/file transfer capability
• jp:, sx:, bh:, ll: - Additional feature toggles

Stage 2

After loading the embedded configuration, Valley RAT queries the Windows registry for updated C2 infrastructure:

If the registry value exists and exceeds 10 bytes, Valley RAT completely replaces its embedded configuration, then re-parses only the critical C2 parameters (p1 through t3). This allows Silver Fox operators to push updated C2 addresses without deploying new binaries or regaining code execution

After the configuration is loaded. Valley RAT spawns its payload thread(StartAddress) which implements a 3 tier C2 communication loop.

The communication loop implements multi-tier failover by alternating between primary (p1) and secondary (p2) C2 servers, switching to tertiary (p3) after 200 failures. It supports both HTTP/HTTPS and raw TCP protocols, uses configurable beaconing intervals (cl:) to reduce detection, and delays initial connection (dd:) to evade sandboxes.

Upon successful connection, Valley RAT sends a "ready" beacon (command ID: 4), enables keylogging if configured (kl: flag), and waits for C2 commands. This architecture maps to the discovered infrastructure: b[.]yuxuanow[.]top (103.20.195[.]147) as primary shellcode C2, with secondary/tertiary tiers rotating through domains like itdd[.]club, gov-a[.]work, and xzghjec[.]com.

Valley RAT implements a modular plugin architecture that enables dynamic capability extension through registry-based persistence. The malware stores downloaded plugins in HKCU\Console\0\d33f351a4aeea5e608853d1a56661059 a registry value name consistent with Valley RAT's established fingerprint, following the MD5 hash naming convention observed across multiple Valley RAT campaigns. The plugin manager operates in two modes: it either receives modules from the C2 server, allocates executable memory with PAGE_EXECUTE_READWRITE permissions, and persists the 2628-byte configuration plus payload code to the registry as REG_BINARY data, or it retrieves previously stored plugins from the registry, validates them against a hardcoded signature, and spawns execution threads. 

Each plugin includes a magic byte guard (0xC9) to prevent double-execution. This architecture allows Silver Fox operators to deploy specialized capabilities such as advanced keylogging, credential harvesting, or lateral movement modules on-demand to compromised systems, with automatic persistence across reboots through registry storage.

After downloading plugins from the C2 server, Valley RAT injects them into tracerpt.exe, a legitimate signed Microsoft utility, using the same process hollowing. The malware creates the process in a suspended state, injects the plugin code into its memory, and redirects execution to the malicious payload. Before injection, it patches the plugin with the same 4768-byte configuration containing C2 addresses and feature flags analyzed earlier.

Pivoting

Let’s start with the C2 embedded within the decoy document “ggwk[.]cc”.

The C2 has 2 different titles over time, all of them in-line with the Income-tax-themed phishing lure, both from the same ASN. However, there’s a common denominator - the favicon. 

We found 10+ domains that share the same favicon. If we look at the http response titles, we can see that all the titles are Income-tax-themed. The results can be validated against VT to discover additional samples from this campaign. Refer to the IOCs section below.

Diamond Model

‍

Impact

• High risk of long-term undetected compromise: Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise.
• Dynamic threat evolution post-infection: Attackers can upgrade capabilities (keylogging, credential theft, lateral movement) without taking initial access again or malware redeployment.
• Infrastructure-based blocking is brittle: Tiered C2 failover and protocol switching reduce the effectiveness of static IP/domain blocking.
• Reduced visibility for incident response: In-memory execution combined with registry-based persistence complicates timeline reconstruction and malware eradication.
• Elevated data security risk: On-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value.

Recommendations

• Monitor registry abuse as a persistence layer:
  Alert on executable REG_BINARY blobs and anomalous values under non-standard paths such as HKCU\Console\*, especially those written by user processes.
• Detect multi-tier C2 logic, not just domains:
  Build detections for retry-heavy outbound connections, protocol switching (HTTP ↔ raw TCP), delayed first beacon, and repeated failures followed by fallback behavior.
• Instrument memory-permission anomalies:
  Alert on processes allocating PAGE_EXECUTE_READWRITE memory followed by thread creation, particularly inside explorer.exe.
• Hunt for signed binary + local DLL load patterns:
  Correlate execution of signed binaries from temp directories with unsigned DLL loads and immediate child thread creation.‍
• Treat RAT feature enablement as an alerting signal: Monitor sudden activation of keylogging APIs, interactive shell behavior, or file transfer operations within long-running, previously quiet processes.

Appendix

IOCs

‍

‍Silver Fox Infrastructure Found After Pivoting

‍

‍MITRE Mapping

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• https://x.com/malwrhunterteam/status/2002002468612280755
• https://archive.ph/TJFVy
• Valley RAT
• https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/ 

‍

‍