Silver Fox APT blurs the line between espionage and cybercrime
A Chinese threat actor has been performing both intelligence-oriented and financially motivated attacks against a wide variety of primarily Chinese-speaking organizations.
Compared to most threat actors, Silver Fox has a wide span of tactics, techniques, and procedures (TTPs) at its disposal. It might gain initial access to victims by impersonating major organizations in phishing emails with malicious attachments. Or it will spread fake applications, or Trojanized versions of legitimate applications, through Telegram channels or websites boosted by search engine optimization (SEO) poisoning. Post-compromise, you can expect a remote access Trojan (RAT), such as ValleyRAT, Winos 4.0, or one of two Gh0st RAT variants, Gh0stCringe or the HoldingHands RAT. Or, perhaps, there’ll be a keylogger waiting for you, with a cryptominer using your machine resources to earn money.
This operational variety allows Silver Fox to wear different hats. Recent analyses by Picus Security, Trustwave, and other research firms have connected the group to the Chinese state, thanks to its penchant for stealing sensitive information from or disrupting organizations involved in critical infrastructure, cybersecurity, government, etc., particularly in Taiwan.
Read more at Dark Reading