DMZ//THREAT INTEL
TLP:WHITE
THREAT ACTOR DOSSIER // SILVER-FOX-APT
FIRST SEEN: 2023

SILVER FOX

ALSO KNOWN AS: Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, Void Arachne
FROM: DMZ INTELLIGENCE DESK
ORIGIN: China (cybercrime nexus with suspected state alignment)
ATTRIBUTION: STATE-SPONSORED
STATUS: ACTIVE
FIRST OBSERVED: 2023
CAPABILITY SCORES
TECHNICAL: 76/100
RESOURCES: 84/100
PERSISTENCE: 84/100
STEALTH: 84/100
IMPACT: 76/100

Silver Fox is a China-linked APT group newly documented by Kaspersky (May 2026) as having significantly expanded its geographic targeting to include Russia and India, using tax-authority impersonation phishing to deploy a newly discovered Python-based backdoor called ABCDoor alongside the established ValleyRAT (Winos 4.0). The group's technical maturity is growing: ABCDoor features visual remote control via FFmpeg screen broadcasting, DPAPI-encrypted persistence, and self-updating and self-deletion logic — distinct from traditional shell-based RATs. Over 1,600 malicious emails were recorded in a single month-long period in early 2026.

OBJECTIVES: Espionage, credential theft, persistent network access across industrial and financial sectors

MITRE ATT&CK TTPs:
T1566 (Spearphishing - tax authority impersonation)
T1027 (Obfuscated Files - Cython-compiled Python, RustSL loader)
T1547 (Boot/Logon Autostart - Registry Run keys + scheduled tasks)
T1055 (Process Injection - pythonw.exe masquerade)
T1056 (Input Capture - keyboard/mouse emulation)
T1113 (Screen Capture - FFmpeg Desktop Duplication API)
T1115 (Clipboard Theft)
T1041 (Exfiltration over C2 - asyncio/Socket.IO HTTPS)
T1036 (Masquerading - Tailscale VPN directory mimicry)
T1071 (Application Layer Protocol)
T1485 (Data Destruction - self-deletion)
T1195 (Supply Chain - modified open-source RustSL loader)
T1497 (Virtualization/Sandbox Evasion - geofencing checks)

TARGET SECTORS:
INDUSTRIAL
CONSULTING
RETAIL
TRANSPORTATION
FINANCIAL SERVICES
GOVERNMENT

TOOLING & INFRASTRUCTURE: ValleyRAT (Winos 4.0) C2 infrastructure, ABCDoor C2 via 'abc' subdomain HTTPS channels, modified RustSL open-source shellcode loader, self-extracting RAR/ZIP delivery archives, multi-stage segmented C2 using separate addresses per attack phase, 'Phantom Persistence' technique hijacking Windows shutdown APIs
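The T1547 and T1036 entries above (Registry Run keys and scheduled tasks, pythonw.exe masquerade, Tailscale VPN directory mimicry) give a defender a concrete hunt: autostart entries whose executable is pythonw.exe living outside any normal Python install root, or any non-vendor binary parked in a directory named after Tailscale. The script below is an added example written for this brief; it is not code from Kaspersky's report or from the dossier. The sample Run-key values and task actions are constructed, the expected Python install roots and the "vendor binary starts with the vendor name" heuristic are assumptions, and nothing here is an IoC from the report.

```python
"""Triage Windows autostart entries for pythonw.exe masquerade and
VPN-directory mimicry. Added example with constructed sample data; all
paths, task names and Run-key values are hypothetical, not report IoCs."""
import re
from dataclasses import dataclass

# Assumption: where a legitimately installed CPython pythonw.exe normally lives
# (system-wide and per-user install roots). Anything else is worth a look.
EXPECTED_PYTHON_ROOTS = [re.compile(p) for p in (
    r"^c:\\python\d*\\",
    r"^c:\\program files( \(x86\))?\\python\d*\\",
    r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python\\",
)]

# Vendor directory names the dossier says are mimicked (T1036). A binary under
# such a directory is expected to carry the vendor's name; pythonw.exe does not.
MIMICKED_VENDOR_DIRS = ("tailscale",)


@dataclass
class AutostartEntry:
    source: str    # "run_key" or "scheduled_task"
    name: str      # value name or task path
    command: str   # the command line as stored in the registry / task action


def executable_of(command: str) -> str:
    """Return the lower-cased executable path from a command line, honouring
    a quoted first token such as "C:\\Program Files\\X\\x.exe" /arg."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    return command.split()[0].lower()


def triage(entries):
    """Return a list of findings: one dict per suspicious entry with the
    reasons it was flagged. Clean entries produce no finding."""
    findings = []
    for entry in entries:
        exe = executable_of(entry.command)
        parts = exe.split("\\")
        basename, dirs = parts[-1], parts[:-1]
        reasons = []

        # Heuristic 1: pythonw.exe (windowless interpreter, a common masquerade
        # host) started from somewhere no Python installer would put it.
        if basename == "pythonw.exe" and not any(r.match(exe) for r in EXPECTED_PYTHON_ROOTS):
            reasons.append("pythonw.exe outside expected Python install roots")

        # Heuristic 2: a binary sitting in a directory named like a VPN vendor
        # but not carrying that vendor's name (e.g. tailscale-ipn.exe is fine).
        for vendor in MIMICKED_VENDOR_DIRS:
            if vendor in dirs and not basename.startswith(vendor):
                reasons.append(f"non-{vendor} binary under a '{vendor}' directory")

        if reasons:
            findings.append({"source": entry.source, "name": entry.name,
                             "executable": exe, "reasons": reasons})
    return findings


# Constructed sample data (hypothetical hosts, users and paths).
SAMPLE_ENTRIES = [
    AutostartEntry("run_key", "OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartEntry("run_key", "Tailscale",
                   r'"C:\Program Files\Tailscale\tailscale-ipn.exe"'),
    AutostartEntry("run_key", "Updater",
                   r'"C:\Users\alice\AppData\Local\Tailscale\pythonw.exe" main.py'),
    AutostartEntry("scheduled_task", r"\Python\Backup",
                   r"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe backup.py"),
    AutostartEntry("scheduled_task", r"\Microsoft\Sync",
                   r"C:\ProgramData\Sync\pythonw.exe -u agent.py"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f['source']}] {f['name']} -> {f['executable']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a live host the entries would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) and `schtasks /query /fo CSV /v`, parsed into `AutostartEntry` objects. The two heuristics are deliberately independent so that a legitimate Tailscale client and a legitimate per-user Python task both pass, while an interpreter dropped into a look-alike directory trips both checks at once.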

FILE DATE: DEC 2025
Operation Tax Trap - India Wave
Silver Fox sends phishing emails impersonating India's Income Tax Department, delivering RustSL loader that deploys ValleyRAT and newly documented ABCDoor backdoor against industrial, consulting, and transportation organizations.
FILE DATE: JAN 2026
Operation Tax Trap - Russia Expansion
Nearly identical campaign pivots to Russian organizations impersonating Russian tax authorities; ████████████████████ emails logged in Jan–Feb 2026 with Japan added to supported country geofencing list, signaling further geographic expansion.