The notorious China-based cybercrime group, Silver Fox, has evolved its tactics, shifting from using Remote Access Trojans (RATs) to deploying custom Python-based stealers in its campaigns.
Originally focused on financial gain, the group now conducts dual-objective operations, blending financially motivated attacks with espionage-like strategies. The most recent campaigns highlight this transition and the continuous refinement of the group’s tools and techniques.
From RATs To Python Stealers
Silver Fox initially gained notoriety for using ValleyRAT, a modular backdoor, to infect victims. This tool was primarily delivered through phishing emails containing malicious attachments, such as PDFs disguised as official tax documents.
The malware could log keystrokes, take screenshots, exfiltrate data, and grant attackers remote control. However, in late 2025 and early 2026, the group began diversifying its malware arsenal, moving away from RATs and adopting a more covert Python-based stealer.
In early 2026, the group began using a Python stealer disguised as a WhatsApp application. This new tactic involves an executable that collects valuable data from infected devices, including login credentials and financial information.
The Python stealer uploads the stolen data to a command-and-control (C2) server that appears to be a legitimate WhatsApp server.
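For defenders, the upload to a server posing as WhatsApp suggests one egress check, shown here as an added example that is not taken from the campaign or the original report: flag POST requests to hosts that carry the WhatsApp brand but sit outside WhatsApp's own domains. The log format, sample lines, brand pattern and allow-list are constructed assumptions for illustration.

```python
import re

# Assumption: registrable domains used by WhatsApp itself; extend from your own allow-list.
OFFICIAL_SUFFIXES = ("whatsapp.com", "whatsapp.net", "wa.me")
# Brand token with common separator and digit swaps (pattern constructed for this example).
BRAND_RE = re.compile(r"wh?[a4]ts[-_.]?[a4]pp", re.IGNORECASE)

# Constructed proxy log lines: timestamp client method host bytes_out process
SAMPLE_LOG = """\
2026-01-12T09:14:02Z 10.0.4.17 GET web.whatsapp.com 812 chrome.exe
2026-01-12T09:14:40Z 10.0.4.17 POST mmg.whatsapp.net 20480 WhatsApp.exe
2026-01-12T09:15:11Z 10.0.4.23 POST api.whatsapp-sync.example 734003 WhatsApp_Setup.exe
2026-01-12T09:15:30Z 10.0.4.23 POST whatsapp.com.cdn-update.example 120554 pythonw.exe
2026-01-12T09:16:05Z 10.0.4.31 GET updates.example.org 455 svchost.exe
malformed line
"""

def is_official(host):
    """True only if host is an official domain or a true subdomain of one."""
    host = host.lower().rstrip(".")
    # Require a dot boundary so 'notwhatsapp.com' does not pass as official.
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def find_lookalike_uploads(log_text, min_bytes_out=0):
    """Return POST requests to brand-bearing hosts outside the official domains."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue  # skip lines that do not match the assumed format
        ts, client, method, host, bytes_out, process = fields
        if method != "POST" or int(bytes_out) < min_bytes_out:
            continue
        if BRAND_RE.search(host) and not is_official(host):
            findings.append({"time": ts, "client": client, "host": host,
                             "bytes_out": int(bytes_out), "process": process})
    return findings

if __name__ == "__main__":
    for hit in find_lookalike_uploads(SAMPLE_LOG):
        print(hit)
```

The second flagged sample line shows why the allow-list must match on the end of the hostname: a host that merely begins with `whatsapp.com` is not a WhatsApp host.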
Broader Impact and Opportunistic Targeting
While earlier campaigns focused on specific geopolitical targets, such as Taiwan and China, recent Silver Fox attacks have been more widespread, impacting countries across South Asia, including Malaysia, Indonesia, and Singapore.

These attacks often start with phishing emails that impersonate tax authorities or payroll organizations, exploiting the victim’s trust in official communication.
Silver Fox’s transition to a Python stealer indicates a shift toward stealthier, financially motivated attacks.
While the group still maintains a foothold in espionage, the use of commonly available tools, such as Python stealers, marks a shift toward general-purpose malware favored by cybercriminals.
This shift reflects Silver Fox’s dual nature: targeting both high-value espionage objectives and broader, opportunistic cybercrime campaigns. As the group adapts to new tactics, it remains a persistent threat to entities in South Asia and beyond.
This ongoing evolution demonstrates the dynamic nature of modern cyber threats, where attackers continuously refine their tactics to evade detection and maximize their impact.
As Silver Fox continues to evolve, its ability to maintain operational flexibility in both espionage and financial cybercrime makes it a formidable adversary in the cyber threat landscape.
