Silver Fox Trojan: China Cracks Down on Cybercrime Cells Across Five Provinces
Chinese police have dismantled several cybercrime cells tied to a new variant of the Silver Fox Trojan. The Ministry of Public Security’s cybersecurity bureau announced the crackdown this week, describing a malware operation that targeted corporate finance staff and government personnel across the country.
A Trojan Built for Financial Theft
According to the bureau, the Silver Fox variant is highly deceptive. It primarily targets employees at enterprises and public institutions, with a particular focus on financial personnel. Once a victim’s computer is infected, the malware grants attackers remote control. From there, it can steal account passwords, intercept SMS verification codes, and harvest private data.
This combination of capabilities makes Silver Fox especially dangerous for departments that handle payments, payroll, and sensitive internal communications. Attackers who gain this level of access can move quickly from a single infected machine to broader financial fraud.
Five Provinces, Multiple Criminal Cells
The clearest case on record comes from Jilin province. According to China Daily’s coverage of the crackdown, police uncovered a criminal gang led by a suspect surnamed Chen. The gang had developed a variant of the Silver Fox Trojan and used technical means to evade security detection. Investigators say the group sent phishing emails in bulk and stole corporate data. The resulting fraud totaled more than 7 million yuan, or roughly $1 million. Local police took criminal compulsory measures against Chen and 26 other suspects. The case remains under investigation.
Beyond Jilin, broader reporting on the Ministry of Public Security’s announcement points to arrests in four additional provinces. In Zhejiang, authorities identified a suspect surnamed Ji as the alleged developer and seller of the Silver Fox Trojan itself; four associates were detained alongside him. A separate Zhejiang case, involving a suspect surnamed Zhou and two accomplices, centered on fake app-download sites bundled with the trojan.
In Shandong, a suspect surnamed Yang and fifteen others were detained. Police say the group built phishing sites that pushed victims toward infected installer files. In Guangdong, a suspect surnamed Li and thirteen others face accusations of using the trojan to access systems remotely and steal online assets. Across all five provinces, the total number of suspects detained reportedly reaches into the mid-sixties. However, Jilin’s 27 detentions remain the only figure confirmed directly by Chinese state media.
Phishing Infrastructure Built at Scale
The malware’s distribution model leaned heavily on fake download pages. Attackers cloned the look of office software, browsers, VPN clients, and messaging apps, then pushed these cloned pages through search engines to reach victims searching for legitimate software.
China’s National Computer Network Emergency Response Technical Team, known as CNCERT, detailed the scope of this campaign in an advisory published in May. The team analyzed 439 phishing domains registered between February 6 and May 4, 2026. Two software categories dominated the impersonation effort. Fake WPS Office and Chrome pages accounted for 340 of the domains, or 77.4% of the total.
Domain registration followed a clear pattern. CNCERT observed registration bursts, including one stretch where attackers registered fifteen LetsVPN-themed domains within a single minute. Suffix choices were similarly concentrated, with .hl.cn and .com.cn domains together making up 73.4% of the dataset.
CNCERT also flagged the technical sophistication behind the pages themselves. The phishing sites promoted themselves through SEO poisoning on Bing. They also checked referer headers before loading. Visitors who arrived directly, rather than through a search result, were redirected to Bing or another harmless destination. This tactic was designed to frustrate researchers attempting to analyze the pages directly.
Notably, CNCERT’s analysts suspect that artificial intelligence tools helped generate the phishing pages. Despite targeting the same software brands repeatedly, the cloned pages varied in layout and structure between registration batches. That inconsistency, paired with clean, standardized front-end code and generic technology choices, pointed toward automated, AI-assisted page generation rather than manual cloning.
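The registration patterns CNCERT describes (share of the dataset per impersonated product, share per suffix, and bursts of registrations within a single minute) are easy to reproduce over a list of domain records. The script below is an added example, not CNCERT's tooling; SAMPLE_RECORDS, BRANDS and SUFFIXES are constructed for illustration and are not data from the advisory.

```python
"""Summarise phishing-domain registration records the way the CNCERT
advisory above does: share of the dataset per impersonated product, share
per suffix, and bursts of many registrations inside a short window.

Added example, not CNCERT's tooling. SAMPLE_RECORDS is a constructed
list for illustration, not data from the advisory."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed records: (domain, registration time as an ISO-8601 string).
SAMPLE_RECORDS = [
    ("wps-office-down.hl.cn", "2026-03-10T08:00:05"),
    ("wps-office-cn.hl.cn", "2026-03-10T08:00:12"),
    ("wpsoffice-free.com.cn", "2026-03-10T08:00:31"),
    ("chrome-download.com.cn", "2026-03-10T09:15:00"),
    ("google-chrome-cn.hl.cn", "2026-03-10T09:15:40"),
    ("letsvpn-app1.com.cn", "2026-03-10T10:30:00"),
    ("letsvpn-app2.com.cn", "2026-03-10T10:30:10"),
    ("letsvpn-app3.com.cn", "2026-03-10T10:30:20"),
    ("letsvpn-app4.com.cn", "2026-03-10T10:30:30"),
    ("letsvpn-app5.com.cn", "2026-03-10T10:30:45"),
    ("telegram-pc.top", "2026-03-10T11:00:00"),
    ("signal-desktop.com", "2026-03-10T12:00:00"),
]

# Product keywords to look for in a domain name (assumed list).
BRANDS = ("wps", "chrome", "letsvpn", "telegram", "signal")

# Suffix table, longest entries first so ".com.cn" wins over ".cn" (assumed subset).
SUFFIXES = (".com.cn", ".hl.cn", ".cn", ".com", ".net", ".top")


def suffix_of(domain):
    """Return the first known suffix the domain ends with, else its last label."""
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            return suffix
    return "." + domain.rsplit(".", 1)[-1]


def brand_of(domain, brands=BRANDS):
    """Return the first product keyword found in the domain, or 'other'."""
    for brand in brands:
        if brand in domain:
            return brand
    return "other"


def _shares(keys):
    """Percentage of the list taken by each distinct key, rounded to 0.1."""
    total = len(keys)
    return {k: round(100.0 * n / total, 1) for k, n in Counter(keys).items()}


def suffix_shares(records):
    return _shares([suffix_of(d) for d, _ in records])


def brand_shares(records, brands=BRANDS):
    return _shares([brand_of(d, brands) for d, _ in records])


def registration_bursts(records, window=timedelta(minutes=1), min_count=5):
    """Find runs of at least min_count registrations whose timestamps all fall
    within `window` of the run's first registration (sorted sliding window)."""
    parsed = sorted((datetime.fromisoformat(ts), d) for d, ts in records)
    bursts, i = [], 0
    while i < len(parsed):
        j = i
        while j + 1 < len(parsed) and parsed[j + 1][0] - parsed[i][0] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append({"start": parsed[i][0], "count": j - i + 1,
                           "domains": [d for _, d in parsed[i:j + 1]]})
            i = j + 1  # do not report overlapping sub-runs of the same burst
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    print("suffix shares:", suffix_shares(SAMPLE_RECORDS))
    print("brand shares:", brand_shares(SAMPLE_RECORDS))
    for b in registration_bursts(SAMPLE_RECORDS):
        print(f"burst of {b['count']} starting {b['start']}: {b['domains']}")
```

On the constructed data the five LetsVPN-themed domains registered within 45 seconds are reported as one burst, while the three WPS-themed domains are below the default threshold; the same functions run unchanged over a real registration export once the suffix and brand tables are widened.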
A Threat Tracked Under Many Names
Outside Chinese-language reporting, this malware family has drawn sustained attention from international researchers under several aliases, including Void Arachne, UTG-Q-1000, and TA4922. Coverage from The Hacker News has described the group’s use of lookalike domains mimicking Zoom, Signal, Telegram, Microsoft Teams, and Surfshark VPN. These fake domains were typically paired with remote access tools such as ValleyRAT and Winos.
The volume of independent research into this group is itself notable. Security vendors including Antiy, Qihoo 360, Check Point, Fortinet, Kaspersky, Proofpoint, and Trend Micro have all published separate analyses, documenting phishing infrastructure, search-engine-based distribution, tax-themed lures, and exploitation of vulnerable drivers.
Kaspersky researchers have separately linked the group’s tooling to attacks against organizations in Russia and India. Those campaigns used emails disguised as official tax notices and hid payloads inside compressed archives. The attackers then used a Rust-based loader to deploy ValleyRAT onto the victim’s machine. During that investigation, Kaspersky’s team also uncovered a previously undocumented backdoor, internally tracked as ABCDoor. This tool appears to have been part of the group’s toolkit since at least late 2024.
Recommended Defensive Steps
Following the arrests, Chinese police issued guidance for the public. They recommended downloading software only from official websites. Users should also carefully check domains to avoid lookalike characters, extra hyphens, or unofficial suffixes. Treat links shared in chat groups under the guise of meetings or subsidies with caution, and verify with the sender directly before clicking. If a computer begins behaving abnormally, such as the cursor moving on its own or messages being sent automatically, police advised disconnecting it from the network immediately. From there, users should change passwords from a separate secure device and run a full system scan.
These steps mirror standard guidance from international security researchers tracking the same malware family. Given how often Silver Fox-linked infrastructure mimics ordinary software downloads, verifying a source before installing anything remains the most reliable defense.
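The three domain checks in the police guidance (lookalike characters, extra hyphens, unofficial suffixes) can be turned into a small pre-download check. The code below is an added example and not a tool from the advisory or the police; OFFICIAL_DOMAINS, SUFFIXES and CONFUSABLES are constructed tables, and the product names in them are placeholders rather than real vendors.

```python
"""Apply the three domain checks from the police guidance above, lookalike
characters, extra hyphens and unofficial suffixes, to a download URL.

Added example, not a tool from the advisory. OFFICIAL_DOMAINS, SUFFIXES and
CONFUSABLES are small constructed tables for illustration."""
from urllib.parse import urlsplit

# Assumed mapping of product name -> the registrable domain users should expect.
OFFICIAL_DOMAINS = {"exampleoffice": "exampleoffice.com", "examplevpn": "examplevpn.com"}

# Assumed public-suffix table, longest first; a real deployment would use the
# Public Suffix List instead.
SUFFIXES = (".com.cn", ".hl.cn", ".cn", ".com", ".net", ".org", ".top")

# A few characters commonly swapped for ASCII letters in lookalike names
# (constructed subset: Cyrillic homoglyphs plus digit-for-letter swaps).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i",
               "0": "o", "1": "l", "3": "e", "5": "s"}


def hostname_of(target):
    """Extract the lowercased hostname from a URL or a bare hostname."""
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def split_registrable(host):
    """Return (subdomain labels, registrable label, suffix) for a hostname."""
    for suffix in SUFFIXES:
        if host.endswith(suffix) and len(host) > len(suffix):
            labels = host[:-len(suffix)].split(".")
            return labels[:-1], labels[-1], suffix
    labels = host.split(".")
    if len(labels) < 2:
        return [], host, ""
    return labels[:-2], labels[-2], "." + labels[-1]


def skeleton(label):
    """Map confusable characters to the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label).replace("rn", "m")


def check_download_host(target, product):
    """Return a list of findings; an empty list means the host is the official
    domain (or a subdomain of it)."""
    official = OFFICIAL_DOMAINS[product]
    _, off_label, off_suffix = split_registrable(official)
    off_skel = skeleton(off_label)
    host = hostname_of(target)
    subs, label, suffix = split_registrable(host)
    if label + suffix == official:
        return []

    findings = []
    brand_in_label = off_skel in skeleton(label).replace("-", "")
    if any(ord(ch) > 127 for ch in host) or (label != off_label and skeleton(label) == off_skel):
        findings.append("lookalike characters")
    if "-" in label and brand_in_label:
        findings.append("extra hyphens")
    if suffix != off_suffix and brand_in_label:
        findings.append("unofficial suffix")
    if off_label in subs and not brand_in_label:
        findings.append("brand used as subdomain of another domain")
    if not findings:
        findings.append("unrelated domain")
    return findings


if __name__ == "__main__":
    for candidate in ("https://www.exampleoffice.com/download", "exampleoffice-down.hl.cn",
                      "examp1eoffice.com", "exampleoffice.com.evil.top"):
        print(candidate, "->", check_download_host(candidate, "exampleoffice") or "OK")
```

The check deliberately treats subdomains of the official registrable domain as fine while flagging the reverse case, where the brand is only a subdomain of some other registrable domain, since that is the shape of "exampleoffice.com.evil.top"-style lures.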