Silver Fox Targets India with Tax-Themed Phishing Lures

Ruslan Mikhalov Chief of Threat Research at SOC Prime

Silver Fox Targets India with Tax-Themed Phishing Lures

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

A Chinese APT group called Silver Fox conducts a tax‑themed phishing campaign against Indian entities. The initial email contains a PDF that directs victims to a malicious domain and triggers a download of a ZIP file. The ZIP contains an NSIS installer that drops Thunder.exe and a malicious libexpat.dll which performs DLL hijacking, anti‑analysis checks, and loads encrypted shellcode. The final payload is a Valley RAT that receives configuration from a multi‑tier C2 infrastructure.

Investigation

The report details four stages: (1) delivery of a ZIP via a PDF lure, (2) execution of an NSIS installer that drops Thunder.exe and libexpat.dll, (3) a Donut‑generated shellcode loader that injects into explorer.exe, and (4) deployment of Valley RAT with registry‑based persistence and modular plugins. The analysis includes static and dynamic examination of the binaries, enumeration of C2 domains, and mapping to ATT&CK techniques.

Mitigation

Defenders should monitor for signed binaries loading unsigned DLLs from temporary locations, registry writes under HKCUConsole, and abnormal creation of PAGE_EXECUTE_READWRITE memory in explorer.exe. Blocking known C2 domains and IPs, and detecting multi‑tier fallback behavior will reduce exposure. Implement strict application control and sandbox evasion detection to stop the initial NSIS installer.

Response

When an indicator is observed, isolate the affected host, collect volatile memory for process injection analysis, and search for Valley RAT registry keys and plugins. Block all identified C2 infrastructure and reset compromised credentials. Conduct a full forensic review to identify any additional plugins or lateral movement tools.

"graph TB %% Class definitions classDef technique fill:#ddeeff classDef file fill:#ffddaa classDef process fill:#ffccbb classDef action fill:#cce5ff %% Nodes u2013 Techniques initial_phishing["Initial Access – T1566.001 Spearphishing Attachment Victim opens malicious Incomeu2011Tax PDF that redirects to ggwk.cc and triggers a ZIP download"] class initial_phishing technique user_execution["User Execution – T1204.002 Malicious File User runs the downloaded ZIP containing an NSIS installer"] class user_execution technique cmd_scripting["Execution – T1059 Command and Scripting Interpreter NSIS script drives the installation workflow"] class cmd_scripting technique native_api_1["Execution – T1106 Native API Installer calls GetTempPathA, creates a temporary working directory and writes files"] class native_api_1 technique shared_modules["Execution – T1129 Shared Modules Installer drops Thunder.exe (signed) and malicious libexpat.dll"] class shared_modules technique dll_hijack["Defense Evasion – T1574.001 DLL Search Order Hijacking libexpat.dll placed beside Thunder.exe so it is loaded first"] class dll_hijack technique proxy_execution["Defense Evasion – T1218 System Binary Proxy Execution Thunder.exe used as a proxy to execute the malicious DLL"] class proxy_execution technique trusted_proxy["Defense Evasion – T1127 Trusted Developer Utilities Proxy Execution Signed Thunder.exe masks malicious activity"] class trusted_proxy technique dll_injection["Execution – T1055.001 Dynamicu2011link Library Injection libexpat.dll runs antiu2011analysis checks and disables Windows Update service"] class dll_injection technique service_execution["Execution – T1569.002 Service Execution Stops wuauserv service to reduce visibility"] class service_execution technique sandbox_evasion["Defense Evasion – T1497 Virtualization/Sandbox Evasion Antiu2011debug and sandbox detection logic terminates execution in analysis environments"] class sandbox_evasion technique native_api_2["Execution – T1106 Native API Uses VirtualAllocEx and WriteProcessMemory to inject shellcode into explorer.exe"] class native_api_2 technique process_hollowing["Defense Evasion – T1055.012 Process Hollowing Explorer.exe launched in suspended state and payload hollowed into it"] class process_hollowing technique reflective_loading["Execution – T1620 Reflective Code Loading Donutu2011generated loader runs a managed payload entirely in memory"] class reflective_loading technique registry_persistence["Persistence – T1547.001 Registry Run Keys / Startup Folder Valley RAT stores plugin modules in HKCU\Console\* as REG_BINARY values"] class registry_persistence technique modify_registry["Persistence – T1112 Modify Registry Configuration parameters (C2 addresses, feature flags) written to the registry"] class modify_registry technique c2_web["Command and Control – T1071.001 Web Protocols Primary C2 communication over HTTP/HTTPS"] class c2_web technique c2_raw_tcp["Command and Control – T1095 Nonu2011Application Layer Protocol Supports raw TCP fallback when HTTP fails"] class c2_raw_tcp technique encrypted_channel["Command and Control – T1573 Encrypted Channel All C2 traffic and configuration payloads are encrypted"] class encrypted_channel technique fallback_channels["Command and Control – T1008 Fallback Channels Threeu2011tier C2 hierarchy with automatic failover"] class fallback_channels technique keylogging["Collection – T1056.001 Input Capture: Keylogging Keylogger capability enabled via configuration flag"] class keylogging technique obfuscation["Defense Evasion – T1027 Obfuscated Files or Information Payload stored encrypted in box.ini and decrypted at runtime"] class obfuscation technique code_signing["Defense Evasion – T1553.002 Subvert Trust Controls: Code Signing Legitimate signed Thunder.exe masks malicious activity"] class code_signing technique appcert_dll["Defense Evasion – T1546.009 Event Triggered Execution: AppCert DLLs Malicious libexpat.dll leverages DLL hijacking for execution"] class appcert_dll technique %% Nodes u2013 Files / Processes file_zip["File Malicious ZIP containing NSIS installer"] class file_zip file nsis_installer["File NSIS installer executed by the user"] class nsis_installer file thunder_exe["File Signed Thunder.exe used as proxy"] class thunder_exe file libexpat_dll["File Malicious libexpat.dll"] class libexpat_dll file box_ini["File Encrypted configuration payload (box.ini)"] class box_ini file explorer_exe["Process explorer.exe (target for injection)"] class explorer_exe process donut_loader["File Donutu2011generated reflective loader"] class donut_loader file %% Connections u2013 Attack Flow initial_phishing –>|downloads| file_zip file_zip –>|contains| nsis_installer nsis_installer –>|executes| user_execution user_execution –>|triggers| cmd_scripting cmd_scripting –>|uses| native_api_1 native_api_1 –>|writes| shared_modules shared_modules –>|drops| thunder_exe shared_modules –>|drops| libexpat_dll thunder_exe –>|enables| dll_hijack dll_hijack –>|facilitates| proxy_execution proxy_execution –>|leverages| trusted_proxy trusted_proxy –>|loads| dll_injection dll_injection –>|disables| service_execution service_execution –>|reduces visibility| sandbox_evasion sandbox_evasion –>|continues| native_api_2 native_api_2 –>|injects into| explorer_exe explorer_exe –>|hollowed by| process_hollowing process_hollowing –>|runs| reflective_loading reflective_loading –>|uses| donut_loader donut_loader –>|establishes| registry_persistence registry_persistence –>|stores| modify_registry modify_registry –>|configures| c2_web c2_web –>|fallback to| c2_raw_tcp c2_raw_tcp –>|secured by| encrypted_channel encrypted_channel –>|supports| fallback_channels fallback_channels –>|delivers| keylogging keylogging –>|records input| obfuscation obfuscation –>|protects| code_signing code_signing –>|masks| appcert_dll appcert_dll –>|executes via| dll_hijack %% Styling class initial_phishing,user_execution,cmd_scripting,native_api_1,shared_modules,dll_hijack,proxy_execution,trusted_proxy,dll_injection,service_execution,sandbox_evasion,native_api_2,process_hollowing,reflective_loading,registry_persistence,modify_registry,c2_web,c2_raw_tcp,encrypted_channel,fallback_channels,keylogging,obfuscation,code_signing,appcert_dll technique class file_zip,nsis_installer,thunder_exe,libexpat_dll,box_ini,donut_loader file class explorer_exe process "

Attack Flow

Attack Narrative & Commands:
An adversary delivers a malicious DLL alongside a dropped “Thunder.exe” to the victim’s %TEMP% directory. To avoid user suspicion, the payload is launched via the already‑running explorer.exe process using the Windows ShellExecute API, which results in a process‑creation event where explorer.exe appears as the parent. The malicious Thunder.exe subsequently loads the malicious DLL (DLL hijacking) and injects shellcode into the explorer.exe process (process injection), achieving code execution with the user’s token.

Regression Test Script:

# -------------------------------------------------
# Regression script to trigger the Sigma detection
# -------------------------------------------------
# 1. Prepare a fake Thunder.exe (copy of notepad.exe)
$tempDir   = "$env:TEMP"
$thunderPath = Join-Path -Path $tempDir -ChildPath "Thunder.exe"
Copy-Item -Path "$env:SystemRootsystem32notepad.exe" -Destination $thunderPath -Force

# 2. (Optional) Drop a malicious DLL next to it to mimic hijacking
$malDll = Join-Path -Path $tempDir -ChildPath "malicious.dll"
# For demonstration we just create an empty file; in a real test this would be a crafted DLL.
New-Item -Path $malDll -ItemType File -Force | Out-Null

# 3. Launch Thunder.exe via explorer.exe using ShellExecute (simulated with Start-Process -Verb RunAs)
$explorer = (Get-Process -Name explorer).Id
# Use PowerShell to start the process with explorer as the parent (requires low‑level API; here we approximate)
Start-Process -FilePath $thunderPath -ArgumentList "" -PassThru | Out-Null

# 4. Wait a short period to allow logs to be generated
Start-Sleep -Seconds 5

# 5. Clean‑up (handled in the next section)

Cleanup Commands:

# -------------------------------------------------
# Cleanup after the simulation
# -------------------------------------------------
# Remove the fake Thunder.exe and dummy DLL from %TEMP%
Remove-Item -Path "$env:TEMPThunder.exe" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMPmalicious.dll" -Force -ErrorAction SilentlyContinue

# Optionally terminate any lingering Thunder.exe processes
Get-Process -Name "Thunder" -ErrorAction SilentlyContinue | Stop-Process -Force

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.