Date: 01/01/2026
Severity: High
Summary
A sophisticated phishing campaign targeting Indian entities has been attributed to the Chinese Silver Fox APT. The attackers used highly convincing Income Tax–themed lures to deliver malware through a complex kill chain involving DLL hijacking and the modular Valley RAT, enabling long-term persistence. Previously misattributed to SideWinder, the campaign highlights the importance of accurate threat attribution to avoid defensive misdirection and ensure effective countermeasures.
Indicators of Compromise (IOC) List
URLs/Domains:
ggwk.cc, b.yuxuanow.top, itdd.club, xzghjec.com, gov-a.work, gov-a.fit, gvo-b.club, gov-c.club, gov-a.club, govk.club, dingtalki.cn, hhiioo.cn, kkyui.club, hhimm.work, swjc2025bjkb.cn, 2025swmm.cn, hhiioo.work

IP Addresses:
43.100.63.145, 45.207.231.94, 103.20.195.147, 45.207.231.107, 8.217.9.165, 160.124.9.103, 47.239.225.43, 43.100.22.158, 43.100.123.207

SHA-256 Hashes:
77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2
fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19
f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa
068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domains and URLs):
domainname like "swjc2025bjkb.cn" or siteurl like "swjc2025bjkb.cn" or url like "swjc2025bjkb.cn" or domainname like "itdd.club" or siteurl like "itdd.club" or url like "itdd.club" or domainname like "hhiioo.cn" or siteurl like "hhiioo.cn" or url like "hhiioo.cn" or domainname like "xzghjec.com" or siteurl like "xzghjec.com" or url like "xzghjec.com" or domainname like "b.yuxuanow.top" or siteurl like "b.yuxuanow.top" or url like "b.yuxuanow.top" or domainname like "hhimm.work" or siteurl like "hhimm.work" or url like "hhimm.work" or domainname like "gov-a.fit" or siteurl like "gov-a.fit" or url like "gov-a.fit" or domainname like "gvo-b.club" or siteurl like "gvo-b.club" or url like "gvo-b.club" or domainname like "kkyui.club" or siteurl like "kkyui.club" or url like "kkyui.club" or domainname like "gov-a.club" or siteurl like "gov-a.club" or url like "gov-a.club" or domainname like "ggwk.cc" or siteurl like "ggwk.cc" or url like "ggwk.cc" or domainname like "gov-c.club" or siteurl like "gov-c.club" or url like "gov-c.club" or domainname like "gov-a.work" or siteurl like "gov-a.work" or url like "gov-a.work" or domainname like "govk.club" or siteurl like "govk.club" or url like "govk.club" or domainname like "dingtalki.cn" or siteurl like "dingtalki.cn" or url like "dingtalki.cn" or domainname like "2025swmm.cn" or siteurl like "2025swmm.cn" or url like "2025swmm.cn" or domainname like "hhiioo.work" or siteurl like "hhiioo.work" or url like "hhiioo.work"

Detection Query 2 (source or destination IP):
dstipaddress IN ("43.100.63.145","45.207.231.94","45.207.231.107","160.124.9.103","43.100.22.158","43.100.123.207","103.20.195.147","47.239.225.43","8.217.9.165") or srcipaddress IN ("43.100.63.145","45.207.231.94","45.207.231.107","160.124.9.103","43.100.22.158","43.100.123.207","103.20.195.147","47.239.225.43","8.217.9.165")

Detection Query 3 (file SHA-256):
sha256hash IN ("fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19","77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2","f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa","068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c")
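The following is an added example, not Gurucul's code or part of the original advisory. It re-implements the logic of the three detection queries above in Python so the matching behaviour can be checked offline against constructed sample records before the queries are deployed in a SIEM. The field names (domainname, siteurl, url, dstipaddress, srcipaddress, sha256hash) and the IOC values are taken from the page; the sample events are constructed and are not real telemetry. One deliberate difference from Query 1 is noted in the code: the `like` operator does substring matching, whereas the example only matches an IOC domain exactly or as a parent of the observed host, which avoids false positives on unrelated hosts that merely contain an IOC string.

```python
"""Offline re-implementation of Detection Queries 1-3 (added example)."""
from urllib.parse import urlsplit

# IOCs exactly as listed in the advisory above.
IOC_DOMAINS = {
    "ggwk.cc", "b.yuxuanow.top", "itdd.club", "xzghjec.com", "gov-a.work",
    "gov-a.fit", "gvo-b.club", "gov-c.club", "gov-a.club", "govk.club",
    "dingtalki.cn", "hhiioo.cn", "kkyui.club", "hhimm.work",
    "swjc2025bjkb.cn", "2025swmm.cn", "hhiioo.work",
}
IOC_IPS = {
    "43.100.63.145", "45.207.231.94", "103.20.195.147", "45.207.231.107",
    "8.217.9.165", "160.124.9.103", "47.239.225.43", "43.100.22.158",
    "43.100.123.207",
}
IOC_SHA256 = {
    "77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2",
    "fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19",
    "f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa",
    "068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c",
}


def _hostname(value: str) -> str:
    """Extract a lowercase hostname from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    # Bare host, possibly with a path or port appended.
    return value.split("/", 1)[0].split(":", 1)[0]


def domain_matches(value: str) -> bool:
    """True when the host is an IOC domain or a subdomain of one.

    Stricter than the query's `like` substring test: it does not fire on an
    unrelated host that merely contains an IOC string (e.g. "xggwk.cc"),
    but still catches subdomains such as "cdn.gov-a.club".
    """
    host = _hostname(value)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_event(event: dict) -> list:
    """Return the names of the detection queries the event would trigger."""
    hits = []
    # Detection Query 1: any of the domain / URL fields.
    if any(domain_matches(event.get(f, "")) for f in ("domainname", "siteurl", "url")):
        hits.append("Detection Query 1")
    # Detection Query 2: source or destination IP in the IOC set.
    if {event.get("dstipaddress"), event.get("srcipaddress")} & IOC_IPS:
        hits.append("Detection Query 2")
    # Detection Query 3: SHA-256 of an observed file (case-insensitive).
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("Detection Query 3")
    return hits


# Constructed sample events (not real telemetry), one per query plus two
# negatives: a substring-only near miss and a benign URL.
SAMPLE_EVENTS = [
    {"url": "https://cdn.gov-a.club/index.html"},
    {"dstipaddress": "43.100.63.145", "srcipaddress": "10.0.0.5"},
    {"sha256hash": "FA388A6CDD28AD5DD83ACD674483828251F21CBEFAA801E839BA39AF24A6AC19"},
    {"domainname": "xggwk.cc"},
    {"url": "https://www.example.org/login"},
]


def run_samples() -> dict:
    """Evaluate every sample event and report which queries fired."""
    return {i: match_event(e) for i, e in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for idx, hits in run_samples().items():
        print(idx, SAMPLE_EVENTS[idx], "->", hits or "no match")
```

Running the block prints one line per sample event with the queries it triggers; the fourth event shows the case where the page's `like` clauses would fire on a substring but the suffix-anchored check does not, which is worth deciding on deliberately when tuning the production queries.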
Reference:
https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures#kill-chain