Silver Fox APT Exploits India’s Income Tax Trust to Deploy Sophisticated, Stealthy Cyber Campaign

Look. This isn’t some random hack. This is a carefully choreographed attack—one that starts with something that looks official. A PDF. Labeled “TOPSOE India Private Limited”. You’d think it’s just a routine tax document from the Income Tax Department. But it’s not. It’s bait.
And it’s working.
The email comes from India. The design? Real. The font? Matches official government templates. The language? Flawless. Small and medium businesses—especially those that rely on government forms for compliance—don’t question it. They open it. And that’s exactly what the attackers want.
When the file opens, it redirects you to ggwk[.]cc. A simple-looking link. But behind it? A ZIP file, and inside it, tax affairs.exe. At first glance, it looks harmless. It’s a 32-bit installer, built with NSIS—something you see all the time in legitimate software. You’d trust it. You’d click it.
But here’s where it goes sideways.
After the installer runs, it creates a temporary folder and drops two files: Thunder.exe and libexpat.dll. Thunder.exe? That’s not suspicious. It’s a download manager from Xunlei. Digitally signed. Trusted. Used by millions. It’s the kind of tool you’d install on your own PC for file transfers.
So why is that a problem?
Because the attacker uses it as a front. And libexpat.dll is the real weapon. It’s not a real DLL. It’s a hollow shell. It doesn’t do anything useful on its own. But when Thunder.exe starts up, Windows looks for libexpat.dll in the executable’s own folder before anywhere else. And it finds it. So it loads it.
That’s the trick. The moment it loads, the DLL runs a quick check: Is this in a sandbox? Is it running in a virtual machine? Is there any sign of analysis? If yes—boom. It kills the process. No trace. No log. Gone.
If it passes, then it does something else. It decrypts a file—box.ini—using a key embedded in the code. And once decrypted, it runs it as shellcode. Classic process injection. It targets explorer.exe, suspends it, allocates memory, and injects the code directly into its process space.
That’s called process hollowing. And it’s brutal. Because now, the system thinks it’s just running a normal Windows app. But it’s not. The malware is living inside a trusted process. No files on disk. No obvious signs. Just a quiet, invisible presence.
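What that side-load looks like from the defender’s side is a signed host process pulling an unsigned DLL out of its own staging folder under %TEMP%. The following detector is an added example, not code from the article or from any vendor product: it evaluates that rule over image-load records of the kind Sysmon Event ID 7 produces. The records, paths and signing flags are constructed here to mirror the Thunder.exe/libexpat.dll chain described above; the `nsXXXX.tmp` folder name follows the pattern NSIS installers use for their extraction directory.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load events.

Added example, not from the article. The events below are constructed to
mirror the chain the article describes: a signed Thunder.exe loading an
unsigned libexpat.dll from a temporary NSIS extraction folder.
"""
import re
from dataclasses import dataclass

# Directories from which a signed application should rarely pull its own DLLs.
STAGING_DIR_PATTERN = re.compile(
    r"(\\Temp\\|\\AppData\\Local\\Temp\\|\\Downloads\\|\\ProgramData\\)",
    re.IGNORECASE,
)


@dataclass
class ImageLoad:
    image: str          # process that performed the load (Sysmon "Image")
    image_signed: bool  # Authenticode status of the process binary
    dll: str            # full path of the loaded module (Sysmon "ImageLoaded")
    dll_signed: bool    # Authenticode status of the module


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed host process loading an unsigned DLL that sits beside it in a
    staging directory: the search-order hijack the article describes."""
    image_dir = ev.image.rsplit("\\", 1)[0].lower()
    dll_dir = ev.dll.rsplit("\\", 1)[0].lower()
    staged = bool(STAGING_DIR_PATTERN.search(ev.dll))
    return ev.image_signed and not ev.dll_signed and staged and image_dir == dll_dir


def find_sideloads(events):
    """Return every event that matches the side-load rule."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry (illustrative paths, not real captures).
SAMPLE_EVENTS = [
    # the chain from the article: signed downloader, unsigned DLL beside it
    ImageLoad(r"C:\Users\ria\AppData\Local\Temp\nsa1B2C.tmp\Thunder.exe", True,
              r"C:\Users\ria\AppData\Local\Temp\nsa1B2C.tmp\libexpat.dll", False),
    # same process loading a system DLL: normal
    ImageLoad(r"C:\Users\ria\AppData\Local\Temp\nsa1B2C.tmp\Thunder.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    # signed app loading its own signed helper from Program Files: normal
    ImageLoad(r"C:\Program Files\Example\app.exe", True,
              r"C:\Program Files\Example\helper.dll", True),
    # unsigned tool loading an unsigned plugin: noisy, but not this rule
    ImageLoad(r"C:\Users\ria\Downloads\tool.exe", False,
              r"C:\Users\ria\Downloads\plugin.dll", False),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible side-load:", hit.image, "->", hit.dll)
```

The rule deliberately requires all four conditions together; dropping the same-directory test would also catch DLLs planted in the working directory, but at the cost of many more false positives from installers unpacking their own components.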
Now, what’s inside that shellcode?
It’s a Donut-generated payload. That’s a technique used to wrap managed code into raw, executable shellcode. It runs entirely in memory. No disk footprint. No file traces. If you’re relying on file-based detection, you’re blind. You’re not even looking in the right place.
Once the shellcode runs, the malware launches a Valley RAT—Remote Access Trojan. It sets up a command and control (C2) network with three layers.
Stage 1: Nine parameters. C2 server addresses (p1–p3), ports (o1–o3), and connection types—HTTP, HTTPS, or raw TCP.
Stage 2: Operational settings. How long to wait before sending a signal (initial delay), how often to check in (beaconing interval), and which features to enable—like keylogging or shell access.
Stage 3: Dynamic updates. If a registry value exists and is over 10 bytes, the configuration gets overwritten. No recompiling. No redeploying. The attackers just push a new C2 address. The malware updates itself on the fly.
That’s not static. That’s evolution. And it’s happening in real time.
Now, the C2 isn’t sitting on one server. It’s spread across a network. b[.]yuxuanow[.]top is the main one—IP: 103.20.195.147. But there’s backup. itdd[.]club, gov-a[.]work, xzghjec[.]com. All sharing the same IP ranges. Same favicon. Same look. It’s like they’ve built a whole underground network just to survive blockages.
And it’s not just about having multiple domains. It’s about protocol flexibility. The malware tries HTTP first. If that fails, it switches to HTTPS. If that fails, it drops to raw TCP. After 200 failed attempts, it rotates through the tiers. If one server is down, it just moves on. No warning. No pause.
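Two of the behaviours just described leave a shape in plain connection logs even when the payload is encrypted: check-ins at a fixed interval, and a host stepping through one port after another against the same server while every attempt fails. The script below is an added example, not code from the article, that pulls both shapes out of flow records. The log lines and the 203.0.113.x / 198.51.100.x addresses are constructed (documentation ranges, not the campaign’s infrastructure), and the rotation threshold is set to three ports because it is the pattern, not the article’s count of 200 attempts, that the rule keys on.

```python
"""Spot regular beaconing and protocol-rotation failover in flow logs.

Added example, not from the article. Log lines are constructed to mimic
the behaviour described: fixed-interval check-ins to one C2, and repeated
failed connects that step 80 -> 443 -> 9000 against a second one.
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse_flows(lines):
    """Parse constructed 'epoch src dst:port status' lines into tuples."""
    flows = []
    for line in lines:
        ts, src, dst, status = line.split()
        host, port = dst.rsplit(":", 1)
        flows.append((int(ts), src, host, int(port), status))
    return flows


def find_beacons(flows, min_hits=6, max_cv=0.1):
    """Successful check-ins whose inter-arrival times barely vary.

    Returns {(src, host): mean_interval_seconds}. The coefficient of
    variation (stdev / mean) is low for timer-driven beacons and high
    for human-driven traffic."""
    stamps_by_pair = defaultdict(list)
    for ts, src, host, _port, status in flows:
        if status == "ok":
            stamps_by_pair[(src, host)].append(ts)
    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            beacons[pair] = round(mean(gaps), 1)
    return beacons


def find_failover(flows, min_ports=3):
    """Same src/host pair failing across several ports in sequence.

    Returns {(src, host): [port, port, ...]} for pairs that walked
    through at least min_ports distinct ports, in the order tried."""
    ports_by_pair = defaultdict(list)
    for _ts, src, host, port, status in flows:
        if status == "fail":
            seq = ports_by_pair[(src, host)]
            if not seq or seq[-1] != port:
                seq.append(port)
    return {pair: seq for pair, seq in ports_by_pair.items() if len(seq) >= min_ports}


# Constructed sample log: 'epoch src dst:port status'
SAMPLE_LOG = [f"{1000 + 60 * i} 10.0.0.5 203.0.113.10:443 ok" for i in range(8)]
SAMPLE_LOG += [
    "1005 10.0.0.5 203.0.113.20:80 fail",
    "1006 10.0.0.5 203.0.113.20:80 fail",
    "1007 10.0.0.5 203.0.113.20:443 fail",
    "1008 10.0.0.5 203.0.113.20:443 fail",
    "1009 10.0.0.5 203.0.113.20:9000 fail",
]
# a user browsing: six hits, irregular spacing, should not be flagged
SAMPLE_LOG += [f"{t} 10.0.0.7 198.51.100.1:443 ok"
               for t in (2000, 2010, 2100, 2105, 2400, 2401)]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("beacons:", find_beacons(flows))
    print("failover:", find_failover(flows))
```

Real implants add jitter, so `max_cv` has to be tuned against baseline traffic rather than fixed at 0.1; the failover rule is the more robust of the two, because a legitimate client has no reason to fail on 80, then 443, then a high port against the same host in a row.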
You can’t block it with a firewall rule. Not really. Because the traffic is encrypted, and the attack doesn’t leave a file trail. Even if you see the traffic, you don’t know what’s being sent. It’s all hidden in memory.
Now—here’s where things get messy.
Some early reports said this was SideWinder. An India-aligned APT. A group that’s been linked to Indian cyber operations. But that doesn’t hold up.
Why? The tools used? Chinese. Donut. NSIS-based payloads. The C2 infrastructure? Hosted in Chinese IP ranges. The techniques? Process hollowing, in-memory execution—hallmarks of Chinese APTs, not Indian ones.
So why the confusion? Because threat intelligence feeds move fast. Automated systems jump to conclusions. They match patterns, not context. And once a false attribution spreads, it becomes a signal. Defenders react. They deploy tools. They block IPs. They waste time on the wrong target.
That’s a real problem. Because when you respond to a misattributed threat, you’re not stopping the real one. You’re just delaying it.
The reality is, this attack isn’t just about data. It’s about trust. The attackers are exploiting the very things we rely on—government documents, trusted software, familiar processes. They don’t need to break through firewalls. They just need a single click.
And that’s where small businesses are most at risk. They don’t have advanced tools. They don’t run EDR. They don’t monitor for DLL loads from temporary folders. They don’t check registry entries under *HKCU\Console* with REG_BINARY values.
So what should you be watching for?
Unusual DLLs loading from temporary directories.
Suspicious process injection into legit binaries like explorer.exe.
Registry entries under *HKCU\Console* with REG_BINARY values.
Delayed beaconing.
Multi-tier C2 failover patterns.
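The registry indicator above, and the dynamic-update mechanism described earlier (a value under HKCU\Console of more than 10 bytes overwrites the embedded C2 configuration), can be checked without any agent by exporting that key with `reg export HKCU\Console console.reg` and scanning the file. The scanner below is an added example, not code from the article; the export text is constructed, the value name `d33f` is made up, and because the article does not give the implant’s value name or encoding, the check is name-agnostic and flags any REG_BINARY value of 11 bytes or more under that key or its subkeys.

```python
"""Scan a .reg export of HKCU\\Console for oversized REG_BINARY values.

Added example, not from the article. The export text is constructed; a
real one comes from reg.exe:  reg export HKCU\\Console console.reg
"""
import re

TARGET_KEY = r"HKEY_CURRENT_USER\Console"
MIN_SUSPICIOUS_BYTES = 11   # the article's threshold: "over 10 bytes"

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_value(key, line):
    """Turn one '"Name"=data' line into (key, name, kind, payload)."""
    m = VALUE_RE.match(line)
    name, data = m.group("name"), m.group("data")
    if data.startswith("hex:"):                      # plain hex: is REG_BINARY
        payload = bytes.fromhex(data[4:].replace(",", ""))
        return key, name, "REG_BINARY", payload
    if data.startswith("hex("):                      # hex(2), hex(7), ...: other typed data
        return key, name, "REG_OTHER", data
    if data.startswith("dword:"):
        return key, name, "REG_DWORD", int(data[6:], 16)
    return key, name, "REG_SZ", data.strip('"')


def parse_reg_export(text):
    """Yield (key, name, kind, payload) for every named value in a .reg file.

    Hex values that continue across lines end each line with a backslash;
    those fragments are joined before parsing."""
    key = None
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            pending += line.rstrip("\\")
            if line.endswith("\\"):
                continue
            yield parse_value(key, pending)
            pending = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and "=" in line:
            if line.endswith("\\"):
                pending = line.rstrip("\\")
            else:
                yield parse_value(key, line)


def find_suspicious(text):
    """(value name, byte length) for oversized REG_BINARY values under the target key."""
    prefix = TARGET_KEY.lower()
    return [
        (name, len(payload))
        for key, name, kind, payload in parse_reg_export(text)
        if key and key.lower().startswith(prefix)
        and kind == "REG_BINARY" and len(payload) >= MIN_SUSPICIOUS_BYTES
    ]


# Constructed export: ordinary console settings plus two planted binary values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Console]
"ColorTable00"=dword:000c0c0c
"FaceName"="Consolas"
"WindowSize"=dword:001e0078
"d33f"=hex:1f,8b,08,00,00,00,00,00,00,03,4b,cc,4b,2c,c9,cc,4f,\
  d3,03,00,00,00,ff,ff
"Marker"=hex:01,02,03

[HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe]
"ScreenBufferSize"=dword:23290078
"""

if __name__ == "__main__":
    for name, size in find_suspicious(SAMPLE_REG):
        print(f"REG_BINARY {name!r} under {TARGET_KEY}: {size} bytes")
```

Legitimate values under HKCU\Console are almost all REG_DWORD (colour table, font, buffer size) or REG_SZ, so a binary blob there is worth a second look regardless of its name; the 3-byte `Marker` value stays below the threshold and is not reported.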
These aren’t just technical details. They’re red flags. And if you start seeing them, you’ve got a problem.
This isn’t just a case of bad phishing. It’s a blueprint. A sophisticated, stealthy campaign that uses trust, deception, and technical finesse to slip in and stay hidden.
And if you’re in India—especially if you’re a small or mid-sized business—don’t assume you’re safe just because the email looked official. That’s exactly how they get in.
So ask yourself: what if the next “tax notice” you get is a trap? What if the file you open is already inside your system before you even realize it?
That’s not a hypothetical. That’s what’s happening right now.