Tax-Themed Phishing Campaign in India Delivers ValleyRAT via DLL Hijacking
January 2nd, 2026
High

Our Cyber Threat Intelligence Unit is tracking an active phishing campaign attributed to the advanced persistent threat (APT) group Silver Fox, targeting Indian users and organizations with tax-themed social-engineering lures impersonating the Income Tax Department of India. This activity was publicly reported by CloudSEK on 24 December 2025. The campaign delivers the ValleyRAT modular remote access trojan (also tracked as Winos 4.0), using a multi-stage execution chain designed to evade security controls. Victims receive convincing phishing emails containing PDF decoys that redirect to attacker-controlled infrastructure hosting a ZIP archive containing an NSIS installer. The installer abuses a legitimate signed binary via DLL hijacking, performs anti-analysis and system tampering, and injects ValleyRAT into a trusted process to establish durable remote access and command-and-control (C2). The combination of credential theft, plugin-based surveillance capability, and long-term persistence techniques indicates a well-resourced campaign focused on sustained access to victim environments in India.
Technical Details
Attack Type: Targeted phishing with multi-stage malware delivery
Severity: High
Initial Access Vector: Tax-themed phishing email with malicious PDF attachment
Attack Chain:
Phishing emails impersonate the Income Tax Department of India and deliver a PDF decoy.
Opening the PDF redirects the victim to a malicious domain such as ggwk[.]cc, where a ZIP archive named tax affairs.zip is downloaded.
The ZIP contains a Nullsoft Scriptable Install System (NSIS) installer tax affairs.exe.
The installer drops a legitimate signed binary (Thunder.exe) and a malicious DLL (libexpat.dll) into the same directory to trigger DLL hijacking.
The malicious DLL:
performs anti-debugging and sandbox detection
disables Windows Update
decrypts and loads Donut shellcode
Shellcode is injected into explorer.exe using process hollowing.
ValleyRAT is unpacked and executed inside the trusted process.
The malware communicates with multi-tier C2 servers for tasking, plugin deployment, and data exfiltration.
Persistence is achieved via registry-resident plugins and configuration values stored under HKCU\Console*.
Observed Tooling:
NSIS installer (tax affairs.exe)
Signed binary abused for DLL hijack (Thunder.exe)
Malicious DLL (libexpat.dll)
ValleyRAT modular remote access trojan with a plugin architecture and keylogging capability

Impact
Successful compromise allows adversaries to:
Establish persistent remote access
Conduct credential harvesting and keylogging
Perform covert data exfiltration and system reconnaissance
Operate stealthily via DLL hijacking and in-memory execution
Expand access through lateral movement within enterprise networks
Given ValleyRAT’s extensible plugin framework and stealth properties, infection may remain undetected for prolonged periods.
Detection Method
Organizations should monitor for activity consistent with this campaign, including:
Tax-related phishing emails impersonating the Income Tax Department of India
Network activity resolving to or communicating with:
ggwk[.]cc
Additional Silver Fox infrastructure listed in the IOC section
Downloads of tax affairs.zip
Execution of NSIS installers from user directories
Signed binaries (Thunder.exe) loading unsigned DLLs (libexpat.dll) from non-standard paths
Process hollowing events involving explorer.exe
Registry-resident plugin blobs under HKCU\Console*
Outbound connections matching ValleyRAT C2 traffic patterns
Integration with EDR telemetry, script-execution logging, and DLL load monitoring is recommended.
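The monitoring items above, turned into something a hunter can run over telemetry. This is an added example and not code from the original advisory or from CloudSEK's report. It assumes Sysmon-style field names (EventID, Image, ParentImage, SHA256, ImageLoaded, Signed, TargetObject, Details, QueryName, DestinationIp); the domains, IPs and hashes are the ones in the IOC section below, refanged for matching; the sample events, the user name and the paths in them are constructed, not captured. Two rules generalize beyond this campaign and are heuristics: any unsigned DLL loaded from a user-writable path is flagged (the Thunder.exe/libexpat.dll pairing is one instance of that sideloading pattern), and explorer.exe started by anything other than userinit.exe or explorer.exe is flagged as a hollowing candidate.

```python
import re

# Indicators copied from this advisory's IOC section, refanged for matching.
IOC_DOMAINS = {
    "dingtalki.cn", "ggwk.cc", "b.yuxuanow.top", "ssl3.space", "itdd.club",
    "gov-a.work", "govk.club", "xzghjec.com", "gvo-b.club", "gov-a.fit",
    "gov-a.club", "gov-c.club", "hhiioo.cn", "kkyui.club", "hhimm.work",
    "swjc2025bjkb.cn", "2025swmm.cn", "hhiioo.work",
}
IOC_IPS = {
    "45.207.231.94", "103.20.195.147", "45.207.231.107", "43.100.63.145",
    "43.100.123.207", "43.100.22.158", "47.239.225.43", "160.124.9.103",
    "8.217.9.165",
}
IOC_SHA256 = {
    "77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2",
    "fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19",
    "f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa",
    "068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c",
}

# Paths a standard user can write to; an unsigned DLL loaded from here is the
# sideloading pattern regardless of the file names involved (generalized rule).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+|programdata|windows\\temp)\\", re.I)
# Sysmon renders HKCU as HKU\<SID>; accept either spelling of the Console key.
CONSOLE_KEY = re.compile(r"^HK(CU|U\\[^\\]+)\\Console(\\|$)", re.I)
# Processes that normally start explorer.exe on a workstation (heuristic).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names a single Sysmon-style event trips (possibly none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate
        image = ev.get("Image", "")
        if ev.get("SHA256", "").lower() in IOC_SHA256:
            hits.append("ioc_hash_executed")
        if _base(image) == "tax affairs.exe" and USER_WRITABLE.match(image):
            hits.append("lure_installer_from_user_dir")
        if _base(image) == "explorer.exe" and \
                _base(ev.get("ParentImage", "")) not in EXPECTED_EXPLORER_PARENTS:
            hits.append("explorer_unexpected_parent")  # process-hollowing candidate
    elif eid == 7:  # ImageLoad
        dll = ev.get("ImageLoaded", "")
        unsigned = str(ev.get("Signed", "false")).lower() != "true"
        if _base(ev.get("Image", "")) == "thunder.exe" and _base(dll) == "libexpat.dll":
            hits.append("thunder_loads_libexpat")
        if unsigned and USER_WRITABLE.match(dll):
            hits.append("unsigned_dll_from_user_dir")
    elif eid == 13:  # RegistryEvent (value set)
        if CONSOLE_KEY.match(ev.get("TargetObject", "")) and \
                ev.get("Details", "").startswith("Binary Data"):
            hits.append("console_binary_value")  # registry-resident blob (heuristic)
    elif eid == 22:  # DNSEvent
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("ioc_domain_query")
    elif eid == 3:  # NetworkConnect
        if ev.get("DestinationIp", "") in IOC_IPS:
            hits.append("ioc_ip_connection")
    return hits


def scan(events):
    """Run every event through check_event; return (event index, rule) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry (not captured data); the user name and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files\Adobe\Acrobat.exe", "QueryName": "ggwk.cc"},
    {"EventID": 1, "Image": r"C:\Users\asha\Downloads\tax affairs.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "SHA256": "77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2"},
    {"EventID": 7, "Image": r"C:\Users\asha\AppData\Local\Temp\nsx1\Thunder.exe",
     "ImageLoaded": r"C:\Users\asha\AppData\Local\Temp\nsx1\libexpat.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\asha\AppData\Local\Temp\nsx1\Thunder.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Console\d4f1", "Details": "Binary Data"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "45.207.231.94"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Feed real Sysmon events (for example, exported as JSON from a SIEM) into scan() after mapping their field names to the ones used here. The Console-key and explorer-parent rules will produce some benign hits on a busy estate (console settings are legitimately written under HKCU\Console), so treat them as hunting leads to triage alongside the IOC matches rather than as standalone alerts.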
Indicators of Compromise
Domains
dingtalki[.]cn
ggwk[.]cc
b[.]yuxuanow[.]top
ssl3[.]space
itdd[.]club
gov-a[.]work
govk[.]club
xzghjec[.]com
gvo-b[.]club
gov-a[.]fit
gov-a[.]club
gov-c[.]club
hhiioo[.]cn
kkyui[.]club
hhimm[.]work
swjc2025bjkb[.]cn
2025swmm[.]cn
hhiioo[.]work
SHA-256 hashes
77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2
fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19
f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa
068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c
IP addresses
45[.]207[.]231[.]94
103[.]20[.]195[.]147
45[.]207[.]231[.]107
43[.]100[.]63[.]145
43[.]100[.]123[.]207
43[.]100[.]22[.]158
47[.]239[.]225[.]43
160[.]124[.]9[.]103
8[.]217[.]9[.]165

Recommendations
Defensive Controls:
Strengthen email filtering to detect government-themed phishing content and block malicious attachments.
Block known malicious domains and IPs at the network perimeter.
Restrict execution of installers (including NSIS-built ones) launched from user-writable locations such as Downloads and Temp.
Enforce application control with DLL rules (for example WDAC or AppLocker) so that unsigned DLLs in user-writable directories cannot be loaded even by a signed, otherwise trusted binary; blocking the executable alone does not stop this sideloading pattern, because Thunder.exe itself is legitimately signed.
Deploy EDR detection rules for:
process hollowing
registry-based persistence
DLL load anomalies
Conduct threat-hunting for ValleyRAT-specific behaviors and plugins
User Awareness:
Train users to verify official tax communications
Reinforce guidance to avoid opening unsolicited attachments or links
Conclusion
The Silver Fox ValleyRAT campaign is a well-engineered, highly targeted operation against Indian organizations, leveraging governmental trust themes and layered stealth techniques. Its reliance on signed binary abuse, in-memory execution, and registry-based persistence increases the likelihood of prolonged, undetected compromise. We urge organizations, especially those based in India, to prioritize active monitoring, IOC-based blocking, and proactive threat hunting to mitigate associated risks.