Malicious Blind Pack: Uncovering all RAT Tools in Silver Fox campaign
2026-04-17, Amphitheater

Silver Fox, first observed in 2024, has quickly grown into a major cyber threat, initially targeting Chinese-speaking users. The group employs a wide range of techniques, including targeted phishing, SEO poisoning, and the distribution of trojanized software. Unlike actors focused solely on RAT deployment, Silver Fox operates as a hybrid threat, combining cyber espionage with criminal objectives such as deploying custom malware, stealing credentials, and installing tools for persistent remote access. Our investigation in early 2025 uncovered attacks using the Winos malware against users in Taiwan. Further analysis revealed these incidents were part of a larger, coordinated campaign affecting multiple Asian regions.
Notably, Silver Fox demonstrates versatility in its tool selection. In addition to custom malware like Winos and HoldingHands, the group has started abusing legitimate Remote Monitoring and Management (RMM) software to carry out data theft. These signed RMM tools, normally used for IT administration, give attackers a layer of credibility that helps them avoid detection. By blending malicious activity with trusted applications, Silver Fox can bypass standard security controls and operate under the radar.
This presentation offers a comprehensive technical investigation into the Silver Fox campaign, dissecting their attack chains, analyzing the behavior of RAT tools, and detailing the execution patterns of commercially available RMM software. By correlating infrastructure across related clusters, we reveal valuable insights for defenders, including key indicators and patterns to facilitate early detection. This presentation concludes with a discussion of persistent patterns in Silver Fox’s infrastructure and tool selection, aiding in accurate attribution and proactive threat hunting initiatives.

Manager, AntiVirus Analysis, Fortinet FortiGuard Labs

Rachael is an anti-virus analyst at Fortinet, specializing in threat intelligence and malware analysis, with a focus on identifying phishing campaigns and analyzing attacker infrastructure.