SilverFox Unleashes Massive Malware Campaign: 2,800+ Domains Target Chinese-Speaking Users Worldwide
The Chinese threat actor known as SilverFox, active since June 2023, has launched one of the largest Windows malware-distribution campaigns observed to date. Targeting Chinese-speaking users worldwide, including business professionals operating outside China, the group has deployed more than 2,800 purpose-built domains to deliver malicious payloads, exfiltrate sensitive data, and potentially gain a foothold in corporate networks.
The campaign relies heavily on counterfeit websites: fake application download portals, login pages, and software update prompts. These sites convincingly mimic well-known services, from Gmail to cryptocurrency exchanges, as well as marketing and corporate communication tools. The lure is usually an apparently legitimate application that in fact runs malicious code. In one observed chain, a fraudulent Gmail login page harvests the victim's credentials and then prompts them to download a file named flashcenter_pl_xr_rb_165892.19.zip. The archive contains an installer that launches several malicious executables and retrieves encrypted payloads from external servers, so a single visit costs the victim both their account credentials and the integrity of their machine.
An analysis of 850 domains registered since December 2024 found that 266 were still active as of June 2025. The timing of domain registrations and first DNS activity clusters within Chinese business hours, which points to a hybrid model in which automation handles the bulk of the work, from infrastructure acquisition to deploying the infected sites, with manual oversight during the working day.
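The business-hours observation above is the kind of claim an analyst should be able to reproduce from registration and first-seen-DNS timestamps. The Python below is an added example, not code from the report: it buckets UTC timestamps into local hours for several candidate time zones and reports which zone places the most activity inside a working day. The timestamps are constructed sample data, the 09:00-17:59 window is an assumption, and fixed UTC offsets stand in for named zones so the script runs without a time-zone database.

```python
"""Bucket domain-registration timestamps into local hours to test the
'operates during Chinese business hours' observation.

Added example, not from the original report. Timestamps below are
constructed; the working-day window and candidate offsets are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable

BUSINESS_HOURS = range(9, 18)  # assumed working day, 09:00-17:59 local time

# Fixed offsets instead of zoneinfo so this runs without a tz database.
# UTC+8 is exact for Asia/Shanghai (no DST); +1 and -5 are the January
# values for Berlin and New York, which is when the sample stamps fall.
CANDIDATE_OFFSETS: Dict[str, int] = {
    "Asia/Shanghai": 8,
    "Europe/Berlin": 1,
    "America/New_York": -5,
}

# Constructed registration timestamps (UTC, ISO 8601) for illustration only.
SAMPLE_REGISTRATIONS = [
    "2025-01-06T01:12:00Z",  # 09:12 in UTC+8
    "2025-01-06T02:40:00Z",  # 10:40
    "2025-01-06T06:05:00Z",  # 14:05
    "2025-01-07T03:30:00Z",  # 11:30
    "2025-01-07T07:55:00Z",  # 15:55
    "2025-01-08T08:10:00Z",  # 16:10
    "2025-01-08T18:00:00Z",  # 02:00 next day (off hours)
    "2025-01-09T23:45:00Z",  # 07:45 (off hours)
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 stamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def local_hour_histogram(stamps: Iterable[str], utc_offset_hours: int) -> Counter:
    """Count how many stamps fall in each local hour for the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(parse_utc(s).astimezone(tz).hour for s in stamps)


def business_hours_fraction(stamps: Iterable[str], utc_offset_hours: int,
                            window: range = BUSINESS_HOURS) -> float:
    """Fraction of stamps that land inside the working-day window locally."""
    stamps = list(stamps)
    if not stamps:
        return 0.0
    hist = local_hour_histogram(stamps, utc_offset_hours)
    return sum(n for h, n in hist.items() if h in window) / len(stamps)


def best_fit_timezone(stamps: Iterable[str],
                      candidates: Dict[str, int] = CANDIDATE_OFFSETS) -> str:
    """Name of the candidate zone whose working day covers the most activity."""
    stamps = list(stamps)
    return max(candidates, key=lambda name: business_hours_fraction(stamps, candidates[name]))


if __name__ == "__main__":
    for name, off in CANDIDATE_OFFSETS.items():
        print(f"{name:18s} {business_hours_fraction(SAMPLE_REGISTRATIONS, off):.2f}")
    print("best fit:", best_fit_timezone(SAMPLE_REGISTRATIONS))
```

Eight points only demonstrate the method; the report's conclusion rests on registration and first-DNS timestamps across 850 domains, and a real analysis should also check weekday versus weekend distribution and, for zones with daylight-saving time, use `zoneinfo` rather than a fixed offset.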
SilverFox continually adapts its tactics in response to detection. In recent months the group has begun deploying scripts that evade automated analysis and security checks. It has also removed the third-party analytics trackers from Baidu and Facebook that it previously embedded in its sites, reducing the risk that shared tracker identifiers are used to link its infrastructure together. That infrastructure has also become more decentralized, spread across a wider range of IP addresses, which makes IP-based blocking and reputation-based detection less effective.
Camouflage techniques include impersonating popular payment platforms: yeepays[.]xyz mimics Alipay's interface, while coinbaw[.]vip redirects users to fraudulent login pages resembling those of major cryptocurrency exchanges such as Coinbase. Victims who enter their credentials hand them straight to the attackers, who then serve them malicious executables disguised as helpful utilities. Note that yeepays[.]xyz bears no lexical resemblance to Alipay; the deception is visual, so hostname-similarity checks alone will not catch every such site.
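The lures described in the two passages above (the fake Gmail page that offers a zip once credentials are submitted, and the Alipay and Coinbase clones) share one behavioural signature: a credential POST to a host outside the organisation's allowlist, followed within minutes by an archive or executable download from that same host. The Python below is an added example, not code from the report or from the group, that correlates web-proxy logs on exactly that pattern and adds a lookalike-hostname score on top. The log format, brand list, allowlist, login-path pattern and five-minute window are assumptions, and the log lines are constructed; only the two hostnames and the zip filename are taken from the report.

```python
"""Flag the lure chain described above: a lookalike login page that serves an
archive or executable right after the victim submits credentials.

Added example, not code from the original report. Log format, brand list,
allowlist, login-path pattern and window are assumptions; the log lines are
constructed (the two hostnames and the zip filename are the report's).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

BRANDS = ("gmail", "alipay", "coinbase")  # brands the report says are imitated
ALLOWLIST = {"accounts.google.com", "www.alipay.com", "www.coinbase.com"}  # assumed legit
PAYLOAD_TYPES = {"application/zip", "application/x-msdownload", "application/octet-stream"}
PAYLOAD_EXT = re.compile(r"\.(zip|exe|msi|rar|7z)$", re.IGNORECASE)  # no query strings assumed
LOGIN_PATH = re.compile(r"login|signin|auth", re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # assumed max gap between credential POST and payload fetch
MIN_FUZZY_LEN = 6  # skip edit-distance matching on short generic labels such as "mail"


class Event(NamedTuple):
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    status: int
    ctype: str


class Alert(NamedTuple):
    client: str
    host: str
    severity: str
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Event:
    """Parse '<ISO ts> <client> <METHOD> <host> <path> <status> <content-type>'."""
    ts, client, method, host, path, status, ctype = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 client, method.upper(), host.lower(), path, int(status), ctype.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character brand variants (coinbaw/coinbase)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host: str, brands=BRANDS, max_distance: int = 2) -> Optional[str]:
    """Return the brand a hostname imitates, or None.

    Assumes a single-label public suffix (.xyz, .vip, .com); multi-label
    suffixes such as .com.cn would need a public-suffix list.
    """
    for label in host.split(".")[:-1]:  # every label except the TLD
        for token in label.split("-"):
            for brand in brands:
                if brand in token:  # gmail-secure, alipay-app
                    return brand
                if len(token) >= MIN_FUZZY_LEN and levenshtein(token, brand) <= max_distance:
                    return brand  # coinbaw vs coinbase
    return None


def detect(log_text: str, allowlist=ALLOWLIST) -> List[Alert]:
    """Correlate per (client, host): credential POST followed by a payload GET."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines()
         if l.strip() and not l.lstrip().startswith("#")),
        key=lambda e: e.ts)
    last_login: Dict[Tuple[str, str], datetime] = {}
    reasons: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ev in events:
        if ev.host in allowlist:
            continue
        key = (ev.client, ev.host)
        brand = lookalike_brand(ev.host)
        if brand:
            reasons[key].add(f"hostname imitates {brand}")
        if ev.method == "POST" and LOGIN_PATH.search(ev.path):
            last_login[key] = ev.ts
        elif ev.method == "GET" and (ev.ctype in PAYLOAD_TYPES or PAYLOAD_EXT.search(ev.path)):
            posted = last_login.get(key)
            if posted is not None and ev.ts - posted <= WINDOW:
                gap = int((ev.ts - posted).total_seconds())
                reasons[key].add(f"payload {ev.path} served {gap}s after credential POST")
    alerts = []
    for (client, host), why in sorted(reasons.items()):
        payload = any(r.startswith("payload") for r in why)
        lookalike = any(r.startswith("hostname") for r in why)
        severity = "high" if payload and lookalike else "medium" if payload else "low"
        alerts.append(Alert(client, host, severity, tuple(sorted(why))))
    return alerts


# Constructed proxy log: <ISO ts> <client> <METHOD> <host> <path> <status> <content-type>
SAMPLE_LOG = """\
2025-06-03T08:14:02Z 10.1.5.23 GET coinbaw.vip /login 200 text/html
2025-06-03T08:14:40Z 10.1.5.23 POST coinbaw.vip /login 302 text/html
2025-06-03T08:14:41Z 10.1.5.23 GET coinbaw.vip /download/flashcenter_pl_xr_rb_165892.19.zip 200 application/zip
2025-06-03T09:02:11Z 10.1.5.77 POST accounts.google.com /signin 200 text/html
2025-06-03T09:30:00Z 10.1.5.88 GET yeepays.xyz /pay 200 text/html
2025-06-03T09:31:10Z 10.1.5.88 POST yeepays.xyz /pay/login 200 text/html
2025-06-03T09:33:05Z 10.1.5.88 GET yeepays.xyz /app/setup.exe 200 application/octet-stream
2025-06-03T10:05:00Z 10.1.5.90 GET gmail-secure.xyz /login 200 text/html
2025-06-03T11:20:00Z 10.1.5.91 POST shop.example.com /account/login 200 text/html
2025-06-03T13:00:00Z 10.1.5.91 GET shop.example.com /files/catalog.zip 200 application/zip
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.severity.upper(), a.client, a.host, "|", "; ".join(a.reasons))
```

On the constructed log this yields a high-severity alert for coinbaw.vip (hostname within edit distance 2 of coinbase and a zip served one second after the login POST), a medium one for yeepays.xyz (no name resemblance to Alipay, caught purely by the post-login executable download), a low one for gmail-secure.xyz (lookalike name, no payload yet), and nothing for the allowlisted Google login or for the shop whose zip download comes 100 minutes after login. In production the correlation key should tolerate the payload being served from a second host, and the allowlist and window need tuning against the organisation's own traffic.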
A detailed examination of the malware chains revealed downloaders masquerading as legitimate Windows system processes, and payload components that are delivered encrypted and unpacked only by a decryption routine inside the malware itself. Because the downloaded files contain only ciphertext, static scanning of them sees nothing malicious; the code becomes visible only once that routine runs, which makes detection exceptionally difficult.
Despite the efforts of established defenses such as Google Safe Browsing and Microsoft Defender SmartScreen, SilverFox continues to evade them through obfuscation, rapid domain rotation, and finely tuned social engineering. Security experts recommend a multi-layered strategy: advanced threat detection, DNS filtering that blocks newly registered and lookalike domains, regular phishing simulations, and mandatory multi-factor authentication, preferably a phishing-resistant method, since a lookalike login page can prompt for a one-time code just as easily as for a password.
SilverFox exemplifies how scale, resilience, and linguistic localization empower threat actors to launch highly effective attacks—particularly against individuals in sales, marketing, and cross-border ventures involving Chinese partners.