A sophisticated, China-based threat actor, identified as Silver Fox and also known as Void Arachne, has undergone a significant operational shift since early 2025. The group has transitioned its primary modus operandi from distributing remote access trojans (RATs) to deploying a custom-developed Python-based stealer. This evolution leverages increasingly convincing phishing tactics, impersonating tax authorities to target entities across various South Asian nations, according to recent cybersecurity analysis.
Active since at least 2022, Silver Fox initially gained notoriety for broad malware distribution campaigns facilitated by SEO poisoning, often pushing a modular backdoor known as ValleyRAT. This latest strategic adaptation demonstrates a deliberate expansion in both its geographical reach and its arsenal of cyber tools, while maintaining a consistent, effective lure centered on tax-related activities.
Silver Fox Python Stealer Shifts Attack Vector Across South Asia
The observed campaign has unfolded in three distinct waves, spanning from early 2025 to early 2026, impacting organizations in Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand, and the Philippines. This broad geographical footprint highlights the actor’s intent to maximize its potential victim pool.
The initial wave commenced in January 2025, with Silver Fox operators sending phishing emails designed to mimic communications from Taiwan’s national taxation authority. These emails contained a malicious PDF document. Upon opening the PDF, a hidden annotation would prompt the victim to download a ZIP archive. This archive contained two files, identified as `python311.dll` and an executable, which together were used to side-load the ValleyRAT backdoor onto the targeted system.
This particular campaign was strategically timed to coincide with actual announcements made by Taiwan’s Ministry of Finance regarding tax audit selections for the 113th fiscal year, thereby enhancing the credibility of the phishing lures presented to potential victims.
Analysts from Sekoia observed a second wave in mid-December 2025, where the threat actor expanded its targeting scope and modified its delivery mechanism. Instead of embedding malicious files directly within email attachments, these phishing emails now directed recipients to a fake tax website specifically customized for the victim’s country. Downloading from this fraudulent site would yield an archive containing a legitimate, albeit misconfigured, Chinese Remote Monitoring and Management (RMM) tool, digitally signed by “SyncFutureTec Company Limited.”
Silver Fox exploited a vulnerability in the RMM tool’s configuration by embedding the command and control (C2) server address directly into the filename, following the pattern `[IPv4]ClientSetup.exe`. This technique allowed the executable to retain its valid digital signature, circumventing immediate security detection mechanisms.
By February 2026, Silver Fox had further refined its approach, substituting the RMM tool with a custom-compiled Python stealer, marking the third distinct wave of the campaign. The phishing website in this phase was written in Malay, suggesting Malaysia as a primary target at this specific juncture. The stealer malware was designed to operate stealthily, disguised as a WhatsApp backup application, utilizing the User-Agent `WhatsAppBackup/1.0` for its communications with a C2 server located at `xqwmwru[.]top`.
Upon successful infection, the stealer would establish its presence on the compromised machine by creating a file named `C:\WhatsAppBackup\WhatsAppData.zip` and a lock file within the system’s temporary directory (`%TEMP%`). The C2 infrastructure was configured to closely resemble a legitimate WhatsApp web server, further enhancing its deceptive capabilities.
Python Stealer Infection Chain and Data Exfiltration Details
The infection chain for the Python stealer commences when a victim interacts with a phishing email and clicks on an embedded link. This action redirects the user to a deceptive tax-themed website specifically crafted to mirror the appearance of a trusted government portal.
Subsequently, the victim is prompted to download an archive, typically in ZIP or RAR format. Upon extraction, this archive yields a single Portable Executable (PE32+) file. The execution of this file initiates the stealer malware, which disguises its malicious activity as a WhatsApp backup utility.
Once active, the stealer systematically collects sensitive information from the infected device, including user credentials, browser data, stored files, and other critical personal and organizational information. The gathered data is then compressed and transmitted to the attacker’s C2 server via two designated endpoints: `https://xqwmwru[.]top/upload_large.php` for the exfiltration of stolen data, and `https://xqwmwru[.]top/upload_status.php` to confirm the successful transfer of information. The C2 panel itself is designed as a structured backend system, facilitating the management of stolen data from multiple victims on a large scale.
Organizations operating in South Asia are strongly advised to exercise extreme caution and skepticism towards unsolicited emails pertaining to tax matters, especially those that include attachments or links for file downloads. Finance departments should proactively implement comprehensive training programs to educate employees on sophisticated phishing tactics that impersonate governmental tax agencies.
Furthermore, cybersecurity teams should prioritize the blocking of known malicious domains and C2 addresses, including the identified `xqwmwru[.]top`. Mitigation efforts should also extend to the IPv4 addresses associated with the RMM tool, as detailed in relevant threat intelligence reports. Implementing endpoint monitoring tools that generate alerts for the creation of `WhatsAppBackup` directories and the `whatsapp_backup.lock` file can serve as critical host-based indicators of compromise. Continuous inspection of outbound network connections to newly registered domains, particularly those utilizing uncommon top-level domains (TLDs), can be instrumental in detecting similar intrusions before data is exfiltrated from the network.
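A defender-side check built from the indicators and the naming pattern described above: the C2 domain and its two upload endpoints, the stealer User-Agent, the staging archive and lock file, and the `[IPv4]ClientSetup.exe` pattern of the wave-2 RMM dropper. This is an added example, not code from the report or from Sekoia; the proxy log format and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Indicators from the report. The report defangs the domain as xqwmwru[.]top; logs show it undefanged.
C2_DOMAIN = "xqwmwru.top"
C2_PATHS = {"/upload_large.php", "/upload_status.php"}
STEALER_UA = "WhatsAppBackup/1.0"
HOST_SUFFIXES = (r"\whatsappbackup\whatsappdata.zip", r"\whatsapp_backup.lock")  # staging zip, %TEMP% lock
# Wave-2 RMM dropper naming pattern "[IPv4]ClientSetup.exe"; the IPv4 in the name is the C2 address.
RMM_NAME_RE = re.compile(r"^((?:\d{1,3}\.){3}\d{1,3})ClientSetup\.exe$", re.IGNORECASE)
# Assumed proxy log format: '<ts> <src> <method> <url> <status> "<user-agent>"'
PROXY_RE = re.compile(r'^\S+ \S+ \S+ (\S+) \d+ "([^"]*)"$')
# Constructed sample log lines (not from the report); the first two mimic the exfiltration sequence.
SAMPLE_PROXY_LOG = [
    '2026-02-10T09:01:12Z 10.0.0.15 POST https://xqwmwru.top/upload_large.php 200 "WhatsAppBackup/1.0"',
    '2026-02-10T09:01:13Z 10.0.0.15 POST https://xqwmwru.top/upload_status.php 200 "WhatsAppBackup/1.0"',
    '2026-02-10T09:02:00Z 10.0.0.22 GET https://web.whatsapp.com/ 200 "Mozilla/5.0"',
]

def check_proxy_line(line):
    """Return the network indicators one proxy log line matches (empty list when clean)."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    url, ua = m.groups()
    parsed = urlparse(url)
    hits = []
    if (parsed.hostname or "").lower() == C2_DOMAIN:
        hits.append("c2-domain")
        if parsed.path in C2_PATHS:
            hits.append("c2-upload-endpoint")
    if ua == STEALER_UA:
        hits.append("stealer-user-agent")
    return hits

def check_file_event(path):
    """Match a Windows file-creation path (case-insensitive) against the host indicators."""
    low = path.lower()
    return [s for s in HOST_SUFFIXES if low.endswith(s)]

def extract_rmm_c2(filename):
    """Return the C2 IPv4 embedded in a '[IPv4]ClientSetup.exe' name, or None."""
    m = RMM_NAME_RE.match(filename)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))  # rejects malformed octets such as 999
    except ValueError:
        return None
```

Feed proxy exports, EDR file-creation events and download filenames through the three functions separately; a hit on the RMM pattern also yields the embedded address for blocking.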