EXECUTIVE SUMMARY:
A phishing campaign attributed to Silver Fox has been observed targeting Indian organizations and individuals with highly convincing tax-themed lures that mimic official communications. Initial access is achieved through emails carrying decoy attachments that claim to be tax-related documents and entice recipients into downloading malicious payloads. The campaign is notable for its credible social engineering and for a multi-stage malware chain designed to establish persistent remote access on compromised systems.
The attack begins with a phishing email containing a PDF attachment masquerading as an official tax document. When opened, it redirects the victim to a website that serves a ZIP archive containing an executable. This executable is an NSIS installer that drops a legitimate signed binary alongside a malicious DLL, which is loaded through DLL hijacking to bypass security controls. The malicious DLL performs anti‑debugging checks, disables Windows Update services, decrypts an embedded payload, and uses process injection to compromise a legitimate Windows process. In memory, a shellcode loader generated via Donut wraps and executes a final payload entirely in memory, avoiding disk artifacts. The ultimate payload is a modular remote access trojan (RAT) that loads a configuration containing tiered command‑and‑control (C2) servers and enables capabilities such as keylogging, remote shell access, file transfer, and dynamic plugin execution. This RAT also persists through registry‑based storage of its components and implements multi‑tier failover C2 communication with configurable beaconing intervals to reduce detection.
This campaign underscores the continued evolution of nation‑state threat actors in combining social engineering with advanced multi‑stage malware techniques to target specific regional audiences. The use of familiar tax‑related themes increases the likelihood of user interaction, while the layered execution chain and registry‑resident persistence mechanisms make detection and remediation challenging. Security teams should prioritize detection of anomalous execution patterns and strengthen phishing defenses to mitigate similar threats.
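The summary recommends prioritising detection of anomalous execution patterns. The following script is an added example, not code from the original report, that scores the shape of the chain described above (a signed binary loading an unsigned DLL from a user-writable directory, a remote thread into a system process, a large blob written under HKCU, and a watched service being stopped) over Sysmon-style event records. All event fields, file paths, registry keys and service names in the sample data are constructed placeholders, not indicators from the campaign.

```python
"""Added example (not from the original report): flag the execution-chain
patterns described in the summary over constructed Sysmon-style events.
Event IDs 7 (ImageLoaded), 8 (CreateRemoteThread) and 13 (RegistryValueSet)
follow Sysmon's numbering; the 7036-style record mimics a Service Control
Manager "entered the stopped state" event. Paths and names are placeholders."""
import ntpath
import re

# Locations a standard user can write to; a signed binary loading an
# unsigned DLL from the same such directory is the classic side-load shape.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Users\\Public)\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# Services whose stop is worth alerting on (the report notes Windows Update
# being disabled); the set is an assumption for this example.
WATCHED_SERVICES = {"wuauserv", "usosvc", "bits"}
LARGE_VALUE_BYTES = 64 * 1024  # a registry value this big is rarely configuration

# Constructed sample events (placeholder names; not campaign indicators).
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Temp\vendor.exe", "image_signed": True,
     "loaded": r"C:\Users\u\AppData\Local\Temp\helper.dll", "loaded_signed": False},
    {"id": 7, "image": r"C:\Windows\System32\notepad.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"id": 8, "source": r"C:\Users\u\AppData\Local\Temp\vendor.exe",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"id": 13, "image": r"C:\Users\u\AppData\Local\Temp\vendor.exe",
     "key": r"HKCU\Software\Placeholder\Blob", "value_len": 180_000},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\Shell", "value_len": 32},
    {"id": 7036, "image": r"C:\Users\u\AppData\Local\Temp\vendor.exe",
     "service": "wuauserv", "state": "stopped"},
]


def check_event(ev):
    """Return the names of the rules a single event trips (possibly none)."""
    hits = []
    if ev["id"] == 7:
        same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
        if (ev["image_signed"] and not ev["loaded_signed"]
                and same_dir and USER_WRITABLE.search(ev["loaded"])):
            hits.append("dll_sideload")
    elif ev["id"] == 8:
        if USER_WRITABLE.search(ev["source"]) and SYSTEM_DIR.search(ev["target"]):
            hits.append("remote_thread_into_system_process")
    elif ev["id"] == 13:
        if ev["value_len"] >= LARGE_VALUE_BYTES and ev["key"].upper().startswith("HKCU\\"):
            hits.append("registry_payload_store")
    elif ev["id"] == 7036:
        if ev["service"].lower() in WATCHED_SERVICES and ev["state"] == "stopped":
            hits.append("watched_service_stop")
    return hits


def evaluate(events):
    """Map each originating process image (lower-cased) to the rules it tripped."""
    findings = {}
    for ev in events:
        actor = ev.get("source", ev.get("image")).lower()
        for rule in check_event(ev):
            findings.setdefault(actor, set()).add(rule)
    return findings


def prioritise(findings, threshold=2):
    """Keep processes that trip at least `threshold` distinct rules: one event
    is noise, several stages of the same chain from one image is the signal."""
    return {img: sorted(rules) for img, rules in findings.items() if len(rules) >= threshold}


if __name__ == "__main__":
    for img, rules in prioritise(evaluate(SAMPLE_EVENTS)).items():
        print(f"{img}: {', '.join(rules)}")
```

The correlation step is the point: any one of these rules fires on benign software now and then, but a single image that side-loads, injects, stores a large blob in HKCU and stops an update service within one session matches the layered chain the summary describes and deserves a high-priority triage.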
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1106 | Native API | — |
| Execution | T1129 | Shared Modules | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1574.001 | Hijack Execution Flow | DLL |
| Defense Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Defense Evasion | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1112 | Modify Registry | — |
| Discovery | T1057 | Process Discovery | — |
| Discovery | T1082 | System Information Discovery | — |
| Collection | T1056.001 | Input Capture | Keylogging |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1095 | Non-Application Layer Protocol | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Command and Control | T1008 | Fallback Channels | — |
| Impact | T1489 | Service Stop | — |
REFERENCES:
The following reports contain further technical details: