Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when no one thinks twice about opening them
Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
* **Actor Name:** Silver Fox
* **Known Aliases:** None confirmed; variously described as a suspected APT group or a Chinese-speaking cybercrime group.
* **Associations:** Linked to the distribution of specific Chinese-origin malware families (e.g., ValleyRAT, WinOS).
* **Origin:** Suspected Chinese-speaking actors, based on historical targeting and language usage (the Japanese-language emails often contain "awkward phrasing" that suggests non-native authorship).
## Activity Summary
Silver Fox is currently conducting a targeted spearphishing campaign in Japan, timed to coincide with the annual tax filing and organizational change season (March/April). The campaign leverages the high volume of legitimate HR and financial communications to trick employees into downloading malware. The group has been active since at least 2023, and this 2024–2025 activity mirrors campaigns observed during the same period in previous years, showing a consistent seasonal operational tempo.
## Tactics, Techniques & Procedures
* **Spearphishing (T1566.001):** Sends highly tailored emails using company-specific details in subject lines and body text.
* **Impersonation:** Spoofs sender fields to impersonate internal employees, including high-level executives (CEOs).
* **Pretexting:** Uses urgent topics such as tax compliance violations, salary adjustments, and Employee Stock Ownership Plan (ESOP) changes.
* **Defense Evasion:**
  * Utilizing public file-hosting services to bypass email gateways.
  * Compressing malicious payloads in archives (RAR/ZIP).
* **Social Engineering:** Alignment with local business cycles to reduce recipient suspicion.
* **Persistence & Monitoring:** Deploying RATs to maintain access, monitor user activity, and enable lateral movement.
## Targeting
* **Sectors:** Manufacturing, Finance, Healthcare, Gaming, Government, and Cybersecurity.
* **Geography:** Primarily Japan (current campaign); historically China, Southeast Asia (Taiwan, India), and potentially North America.
* **Victims:** Specifically targeting Japanese firms and their employees involved in HR and financial reporting.
## Tools & Infrastructure
* **Malware Families:**
  * ValleyRAT
  * WinOS 4.0
* **Infrastructure:**
  * **File Hosting:** gofile[.]io, WeTransfer.
  * **C2/Samples:** Specific IoCs are maintained in ESET's GitHub repository: `https[:]//github[.]com/eset/malware-ioc/tree/master/silver_fox`
## Implications
Silver Fox has demonstrated high adaptability by shifting from Chinese-speaking targets to a broader Asian footprint. Its strategy of "seasonal hunting" suggests a sophisticated understanding of corporate workflows. By gaining an initial foothold through HR/tax lures, the actor positions itself to steal confidential corporate data, monitor sensitive internal communications, or deploy secondary payloads for financial gain or espionage.
## Mitigations
* **Verification Protocols:** Implement out-of-band verification (Teams, phone call) for any requests involving sensitive data, salary changes, or legal penalties.
* **Email Security:** Flag or block emails originating from external file-sharing sites (e.g., gofile[.]io) when they claim to be internal HR documents.
* **Security Awareness:** Educate employees to look for "stiff" or unnatural Japanese phrasing and to check if the sender’s display name matches the actual email address header.
* **Technical Controls:**
  * Ensure robust endpoint protection (EDR) is active to detect RAT behavior.
  * Maintain up-to-date software patches to prevent exploitation of secondary vulnerabilities once the perimeter is breached.
  * Encourage immediate "forward as attachment" reporting of suspicious emails to the SOC/Security team.
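The Email Security and Security Awareness mitigations above translate directly into a mail-gateway rule: flag a message whose display name claims an insider while its address is external, or whose HR/tax pretext arrives with a public file-hosting link or an archive. The following is an added illustration, not code from the report or from ESET; the mail domain `example.co.jp`, the protected-name set, the Japanese lure terms, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (not from the report): the defended mail domain and a constructed set of insider display names.
INTERNAL_DOMAIN = "example.co.jp"
PROTECTED_NAMES = {"tanaka taro", "hr department"}
FILE_HOSTS = ("gofile.io", "wetransfer.com")                 # hosts named in the report
LURE_TERMS = ("tax", "salary", "esop", "税", "給与", "持株")   # report themes; JP terms assumed
ARCHIVE = re.compile(r"\b[\w.-]+\.(?:rar|zip)\b", re.I)
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)

def hr_lure_indicators(raw_message: str) -> dict:
    """Map each Silver Fox HR/tax lure trait found in the message to its evidence."""
    msg = message_from_string(raw_message)
    hits = {}
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display name impersonates a known insider while the address is external.
    if display.strip().lower() in PROTECTED_NAMES and domain != INTERNAL_DOMAIN:
        hits["spoofed-sender"] = f"'{display}' from @{domain or '?'}"
    # Subject plus every text/plain part (the sample carries no transfer encoding).
    text = "\n".join([msg.get("Subject", "")] + [p.get_payload() for p in msg.walk()
                                                if p.get_content_type() == "text/plain"])
    # 2. Seasonal HR / tax pretext in subject or body.
    terms = [t for t in LURE_TERMS if t in text.lower()]
    if terms:
        hits["hr-lure"] = ", ".join(terms)
    # 3. Payload fetched from a public file-hosting service (exact host or subdomain).
    hosts = [h for h in URL_HOST.findall(text)
             if any(h.lower() == f or h.lower().endswith("." + f) for f in FILE_HOSTS)]
    if hosts:
        hits["file-host"] = ", ".join(hosts)
    # 4. The "document" is a compressed archive.
    archive = ARCHIVE.search(text)
    if archive:
        hits["archive"] = archive.group(0)
    return hits

def should_quarantine(raw_message: str) -> bool:
    # Spoofed insider identity alone, or a lure plus a hosted/archived payload, triggers review.
    hits = hr_lure_indicators(raw_message)
    return "spoofed-sender" in hits or ("hr-lure" in hits and ("file-host" in hits or "archive" in hits))

# Constructed sample in the campaign's style (placeholder sender and link, not real IoCs).
SAMPLE = """\
From: Tanaka Taro <tanaka.taro@mail-example.net>
Subject: [Urgent] Salary adjustment and tax compliance notice for FY2025

Please review the HR document before the filing deadline:
https://gofile.io/d/PLACEHOLDER
The archive salary_adjustment_2025.rar is password protected (see below).
"""
```

A benign internal salary notice from `hr@example.co.jp` with no link or archive produces only the weak `hr-lure` hit and is not quarantined, which keeps the rule from blocking the legitimate seasonal HR traffic the attackers hide among.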