This threat involves a targeted campaign by the Chinese APT group Silver Fox focusing on Indian organizations through tax-themed phishing emails. The attack chain starts with a malicious email containing a PDF decoy designed to lure victims into executing an NSIS installer. This installer drops two key files: a legitimate Thunder.exe binary and a malicious libexpat.dll, which exploits DLL hijacking (technique T1574.001) to load the malicious DLL instead of the legitimate one. This hijacking enables the attacker to execute arbitrary code stealthily. The final payload is the Valley RAT, a modular remote access trojan that supports dynamic plugin loading, allowing the attacker to extend functionality as needed. Valley RAT uses a two-stage configuration loading mechanism and a sophisticated three-tier command and control (C2) communication loop to evade detection and maintain persistence. Persistence is further ensured through registry-based storage of configuration and modules. The campaign employs multiple MITRE ATT&CK techniques including phishing (T1566.001), DLL hijacking (T1574.001), execution through NSIS installers (T1218), and obfuscation (T1027). While the campaign currently targets Indian entities, the modular and stealthy nature of the malware could enable expansion or collateral compromise. Indicators of compromise include multiple file hashes, IP addresses, and domains associated with the C2 infrastructure. No CVE or known public exploits are reported, and the campaign is rated medium severity due to its complexity and targeted nature.

For European organizations, the direct impact is currently limited as the campaign targets Indian entities. However, the advanced techniques used—such as DLL hijacking and modular RAT architecture—pose a significant risk if the campaign expands geographically or if European organizations have business ties or shared infrastructure with Indian entities. The Valley RAT’s capability for dynamic plugin loading and persistence could lead to data exfiltration, espionage, or disruption of critical services if deployed in European networks. The use of tax-themed phishing lures indicates a focus on financial or governmental sectors, which are also critical in Europe. Additionally, the stealthy multi-stage infection chain complicates detection and response, increasing the risk of prolonged undetected compromise. The campaign’s modularity and registry persistence mechanisms could allow attackers to maintain long-term access, potentially impacting confidentiality, integrity, and availability of affected systems.

European organizations should implement advanced email filtering and phishing detection controls, especially for tax or finance-related communications, to block malicious attachments and links. Deploy endpoint detection and response (EDR) solutions capable of detecting DLL hijacking and anomalous NSIS installer executions. Monitor for suspicious registry modifications and unusual network traffic patterns indicative of multi-tier C2 communications. Employ application whitelisting to prevent unauthorized execution of installers and DLLs. Regularly audit and restrict DLL search order to mitigate hijacking risks. Conduct user awareness training focused on phishing threats leveraging tax or financial themes. Maintain updated threat intelligence feeds to detect known indicators such as file hashes, IPs, and domains associated with Silver Fox. Network segmentation and strict access controls can limit lateral movement if infection occurs. Finally, implement robust incident response plans to quickly isolate and remediate infections involving modular RATs like Valley RAT.