{
	"id": "e04d3eac-842e-4674-9744-ff955f756c72",
	"created_at": "2026-04-06T00:07:38.425905Z",
	"updated_at": "2026-04-10T03:37:20.3692Z",
	"deleted_at": null,
	"sha1_hash": "ac0f6e60cce4f0161b4ac1cd182e9e72c063c488",
	"title": "Silver Fox APT Blurs the Line Between Espionage \u0026 Cybercrime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1482721,
	"plain_text": "Silver Fox APT Blurs the Line Between Espionage \u0026 Cybercrime\r\nBy Nate Nelson\r\nPublished: 2025-08-08 · Archived: 2026-04-05 16:10:54 UTC\r\nA Chinese threat actor has been performing both intelligence-oriented and financially motivated attacks against a wide variety of primarily Chinese-speaking organizations.\r\nCompared to most threat groups, Silver Fox has a wide range of tactics, techniques, and procedures (TTPs) at its disposal. It might gain initial access to victims by impersonating major organizations in phishing emails with malicious attachments. Or it will spread fake applications, or Trojanized versions of legitimate applications, through Telegram channels or websites boosted by search engine optimization (SEO) poisoning. Post-compromise, you can expect a remote access Trojan (RAT) such as ValleyRAT, Winos 4.0, or Gh0stCringe or HoldingHands RAT (the latter two being variants of Gh0st RAT). Or, perhaps, there'll be a keylogger waiting for you, along with a cryptominer using your machine's resources to earn money.\r\nThis operational variety allows Silver Fox to wear different hats. Recent analyses by Picus Security, Trustwave, and other research firms have connected the group to the Chinese state, thanks to its penchant for stealing sensitive information from, or disrupting, organizations involved in critical infrastructure, cybersecurity, government, etc., particularly in Taiwan.\r\nAt the same time, though, it has been carrying out attacks against gaming, healthcare, and finance companies, as well as educational institutions, again largely in Taiwan, but also in Japan and North America. Many of these cases resemble run-of-the-mill cybercrime, with the clear goal of making money.\r\n\"While it's a more complex model than pure espionage or pure crime, this dual approach gives Silver Fox more flexibility, better cover, and broader reach,\" explains Sıla Özeren, security research engineer with Picus Security. \"Silver Fox is a major player, and it's also a warning sign. It signals a future where more Chinese APTs operate like businesses: nimble, multimission, and willing to innovate in how they achieve both geopolitical and economic objectives.\"\r\nThe Best of Both Worlds\r\nHistorically, North Korea has used its advanced persistent threats (APTs) for both characteristically nation-state-style attacks (e.g., intelligence gathering, disrupting critical industries) and cybercriminal attacks (e.g., scams, ransomware, cryptomining).\r\nCrossing the line like this might appear uncharacteristic for China, whose APTs specialize not only in certain types of attacks, but even in granular roles within those attacks. There's precedent, however, most notably in the form of APT41 (aka Barium, Double Dragon, Winnti), which has been tied to both espionage and financial theft. According to Özeren, APT41 and Silver Fox signal a \"broader trend\" in China's threat landscape.\r\nBut how to explain it? Why try to be a jack-of-all-trades when it's so much simpler to be a master of one?\r\n\"First, financially motivated attacks create a layer of plausible deniability. If a victim sees cryptocurrency miners or fake invoices, they're more likely to dismiss the intrusion as generic cybercrime rather than a coordinated state-backed operation. That misdirection buys the group time and helps them operate under the radar,\" Özeren explains.\r\nSecond, she says, the financial angle gives Silver Fox the ability to fund itself. \"Instead of relying entirely on government resources, they generate their own money, whether through cryptojacking or theft, which could be used to support broader operations,\" she says. \"It also suggests a degree of autonomy, or at least tolerance, from Chinese authorities.\"\r\nLastly, \"by casting a wide net, the group opens itself up to more targets and more data. Even if some victims are low-value from an intelligence standpoint, they might be useful for initial access, infrastructure, or long-term strategic positioning. And occasionally, what starts as a low-level compromise might expose something much bigger, like credentials for a critical system or access to a partner network.\"\r\nAt the end of the day, says Karl Sigler, senior security research manager at Trustwave, \"it's not too surprising. If anything, it's surprising that many other groups are so focused. Silver Fox's modus operandi suggests a broad skill set, from exploit development to social engineering and phishing attacks. If you have the resources, you might not have to decide between a specific APT-type mission or an opportunistic, financially motivated attack.\"\r\nFor defenders in the Asia-Pacific region, Özeren says, \"that means facing threat actors who are not only persistent and stealthy, but also financially motivated and operationally diverse. Silver Fox fits that mold perfectly: aggressive, fast-evolving, and hard to attribute.\"\r\nAbout the Author\r\nContributing Writer\r\nNate Nelson is a journalist and scriptwriter. He writes for \"Darknet Diaries\" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast \"Malicious Life.\" Before joining Dark Reading, he was a reporter at Threatpost.\r\nSource: https://www.darkreading.com/threat-intelligence/silver-fox-apt-espionage-cybercrime",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/silver-fox-apt-espionage-cybercrime"
	],
	"report_names": [
		"silver-fox-apt-espionage-cybercrime"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac0f6e60cce4f0161b4ac1cd182e9e72c063c488.pdf",
		"text": "https://archive.orkl.eu/ac0f6e60cce4f0161b4ac1cd182e9e72c063c488.txt",
		"img": "https://archive.orkl.eu/ac0f6e60cce4f0161b4ac1cd182e9e72c063c488.jpg"
	}
}