Silver Fox in Japan: A Rakuten Invoice Lure, a MaxxAudio DLL Sideload, and a Registrant Who Couldn't Decide Between Kyoto and Saitama
A live ValleyRAT config pull ties a Japanese-language invoice campaign to a stock Gh0st panel, a Hong Kong C2 on port 886, and a fabricated Japanese WHOIS with two contradictory prefectures.
Tip from a researcher who pulled the live config on April 16. Thank you for sharing it.
TL;DR
A Japanese-language invoice campaign impersonating Rakuten dropped a ValleyRAT implant on April 16, 2026. The chain is unusually textbook: an Electronic12862330415.zip hosted at missallanahstarr[.]com, a legitimate signed Dell/Waves MaxxAudioControl64.exe, a sideloaded MaxxAudioAPOShell64.dll, and a C2 beacon to 137.220.153[.]175:886 on BGPNET in Hong Kong.
The operator tradecraft is not textbook. The delivery domain's WHOIS lists a registrant on a 163.com NetEase email address — a Chinese provider — with a Japanese name and a Japanese phone number. The address reads "Kyoto, Saitama, JP." Kyoto and Saitama are two different prefectures on opposite sides of Honshu. It is the WHOIS equivalent of writing "New York, Texas." The domain was registered in June 2025, sat dormant for ten months, and was updated on April 15 — the day before the campaign fired.
Inside the implant, two of the config fields we would expect to carry a campaign name or operator tag contain 默认备注 and 默认分组 — the literal Chinese strings "default remark" and "default group." These are the stock placeholder values shipped with Gh0st RAT-family panel builders. The operator built the payload and never filled the fields in.
The Silver Fox APT family call — also tracked as Void Arachne, CL-STA-0048, UTG-Q-1000 — was made by the researcher who pulled the live config. We treat that as the authoritative attribution here. The signals in this writeup (stock Gh0st-family defaults, DLL-sideloading-of-signed-software tradecraft, 163.com registrant, Japan-targeted lure, Hong Kong C2 on a non-standard port) are what backs that call against the public record, not an independent derivation of it.
What This Report Adds to the Public Record
- Documents a live ValleyRAT / Winos 4.0 campaign targeting Japanese victims with a Rakuten invoice lure on 2026-04-16
- Ties the campaign to Silver Fox APT via the broader DLL-sideloading-of-signed-software tradecraft, stock Gh0st-family panel defaults, and Chinese registrant infrastructure (MaxxAudio specifically appears novel to this campaign — see note in "The Delivery" section)
- Identifies the delivery domain missallanahstarr[.]com as registered with fabricated Japanese WHOIS (contradictory prefectures, 163.com email, update timestamp one day before campaign launch)
- Confirms C2 on 137.220.153[.]175:886, hosted on AS4907 BGPNET PTE. LTD. in Hong Kong — a network previously documented as a top-10 C2 hosting provider by Recorded Future
- Publishes SHA-256 hashes for the ZIP, the legitimate sideloading EXE, and the malicious MaxxAudioAPOShell64.dll
- Provides YARA detection and defender guidance
Silver Fox's expansion into Japan has been documented by Rescana, The Hacker News, Dark Lab HK, Nextron Systems, Fortinet, Malwarebytes, and others since late 2025. This report is one more data point in that trajectory — a specific lure, a specific C2, a specific set of registration tells — not a first sighting. If any of this overlaps with unpublished work you have on the same cluster, reach out and we will credit you.
The WHOIS That Gave It Away
The delivery domain was the first thing that didn't add up.
| WHOIS Field | Value |
|---|---|
| Domain | missallanahstarr[.]com |
| Registrar | PacificDomains, LLC |
| Registrant Name | hei fei zhe ye |
| Registrant Address | Kyoto, Saitama, JP |
| Registrant Email | lugai665@163.com |
| Registrant Phone | +81.713546623 |
| Created | 2025-06-12 |
| Updated | 2026-04-15 |
| Expires | 2026-06-12 |
| Nameservers | a8.share-dns[.]com, b8.share-dns[.]net |
Three things are off.
The address lists Kyoto and Saitama together. Kyoto is a prefecture in the Kansai region. Saitama is a prefecture in Kanto, adjacent to Tokyo. They are roughly 450 kilometers apart. Anyone actually living in Japan would not write them as a single address. It reads like an operator pasting two familiar-sounding prefecture names into the city and state fields without checking what they mean.
The registrant email is on 163.com. That is NetEase — one of the largest consumer email providers in China. Not impossible for a Japanese registrant, but paired with the fabricated address and a Japanese-language operation, it is a pattern.
The domain was created on 2025-06-12 and updated on 2026-04-15. The campaign was observed in the wild on 2026-04-16. The domain aged for ten months, then touched its registration on the day before the campaign fired. That is consistent with operational tempo — final DNS or registrar preparation immediately before use.
The expiration is exactly one year from creation, with no renewal padding. Combined with the short-runway update, the operator was not planning to keep this domain around.
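The four registration tells above (two distinct prefectures in one address, a mainland-China consumer mailbox on a JP registrant, an update a day before observed activity, and a one-year expiry with no renewal) can be turned into a repeatable check. The block below is an added example, not code from the original post: the record is constructed from the WHOIS table values, and the 7-day update window and the consumer-mail provider list (163.com, 126.com, qq.com) are this example's own assumptions rather than thresholds the post states.

```python
"""Scores the WHOIS registration tells discussed in the post. Added example,
not the post's own code. The record below is constructed from the values in
the WHOIS table; the 7-day update window and the consumer-mail provider list
are this example's assumptions."""
from datetime import date
from typing import Dict, List

# All 47 Japanese prefectures, used to spot two different prefectures jammed into
# one city/region pair (a Japanese resident would not write "Kyoto, Saitama").
JP_PREFECTURES = {
    "Hokkaido", "Aomori", "Iwate", "Miyagi", "Akita", "Yamagata", "Fukushima",
    "Ibaraki", "Tochigi", "Gunma", "Saitama", "Chiba", "Tokyo", "Kanagawa",
    "Niigata", "Toyama", "Ishikawa", "Fukui", "Yamanashi", "Nagano", "Gifu",
    "Shizuoka", "Aichi", "Mie", "Shiga", "Kyoto", "Osaka", "Hyogo", "Nara",
    "Wakayama", "Tottori", "Shimane", "Okayama", "Hiroshima", "Yamaguchi",
    "Tokushima", "Kagawa", "Ehime", "Kochi", "Fukuoka", "Saga", "Nagasaki",
    "Kumamoto", "Oita", "Miyazaki", "Kagoshima", "Okinawa",
}
# Assumption: mainland-China consumer mail providers (NetEase 163/126, Tencent QQ)
# on a JP-country registrant are worth a finding, as the post argues for 163.com.
CN_CONSUMER_MAIL = {"163.com", "126.com", "qq.com"}


def _one_year_after(d: date) -> date:
    # A Feb 29 creation date has no direct equivalent the following year.
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def check_registration(rec: Dict, observed: date, update_window_days: int = 7) -> List[str]:
    """Return one human-readable finding per registration tell that fires."""
    findings = []
    city, region = rec["city"], rec["region"]
    if city in JP_PREFECTURES and region in JP_PREFECTURES and city != region:
        findings.append(f"address names two different prefectures: {city} / {region}")
    mail_domain = rec["email"].rsplit("@", 1)[-1].lower()
    if rec["country"] == "JP" and mail_domain in CN_CONSUMER_MAIL:
        findings.append(f"JP registrant uses mainland-China consumer mail: {mail_domain}")
    days_before = (observed - rec["updated"]).days
    if 0 <= days_before <= update_window_days:
        findings.append(f"registration updated {days_before} day(s) before observed activity")
    if rec["expires"] == _one_year_after(rec["created"]):
        findings.append("expiry is exactly one year after creation (no renewal padding)")
    return findings


# Constructed from the WHOIS table in the post (defanged domain kept as written).
DELIVERY_DOMAIN = {
    "domain": "missallanahstarr[.]com",
    "registrant": "hei fei zhe ye",
    "city": "Kyoto",
    "region": "Saitama",
    "country": "JP",
    "email": "lugai665@163.com",
    "created": date(2025, 6, 12),
    "updated": date(2026, 4, 15),
    "expires": date(2026, 6, 12),
}
OBSERVED_IN_THE_WILD = date(2026, 4, 16)

if __name__ == "__main__":
    for finding in check_registration(DELIVERY_DOMAIN, OBSERVED_IN_THE_WILD):
        print("-", finding)
```

Run against the delivery domain's record, all four tells fire. Note that "Kyoto, Kyoto" or "Saitama, Saitama" passes the prefecture check, since both are also city names; the check only fires when the two fields name different prefectures.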
The Lure: A Rakuten Invoice
The delivery vector is a Japanese-language invoice email impersonating Rakuten, one of Japan's largest e-commerce and financial services brands. The email references an invoice number (GH-58420391) and a modest yen amount (12,000 yen tax-included). It links to the legitimate rakuten.co.jp in one place — pure brand-abuse cover — and to hxxp://missallanahstarr[.]com/ for the "attached" electronic statement.
The payload name is Electronic12862330415.zip. Japanese invoice emails routinely carry attachment filenames like this — long numeric strings, English word prefix, ZIP or PDF extension. The naming convention is designed to match what a Japanese recipient is used to seeing. That choice, combined with Rakuten brand impersonation, places this firmly in the commercial fraud tier of Silver Fox's documented operations rather than its espionage-flavored campaigns.
Rakuten is named here as the impersonated brand only. No Rakuten system or Rakuten customer was compromised. Brand impersonation is the relevant finding.
The Delivery: MaxxAudio DLL Sideloading
Unpacking the ZIP produces two files:
| File | Role | Size | SHA-256 |
|---|---|---|---|
| MaxxAudioControl64.exe | Legitimate Dell/Waves Audio signed PE32+ | 3,209,000 B | 610d48ae96a2494ebfd760d4ff6647bb95f57fac92f4bc8513329f1337d6c7f2 |
| MaxxAudioAPOShell64.dll | Malicious sideloaded DLL | 104,448 B | 17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d |
MaxxAudioControl64.exe is a real, signed, clean Dell Waves Audio binary. It is the kind of executable that would fly through any application allowlist that trusts Dell's or Waves Audio's code-signing certificates. When launched, it loads MaxxAudioAPOShell64.dll from its working directory via LoadLibraryA. On a clean system that DLL comes from a protected Program Files path. In this attack, it comes from the ZIP the victim just extracted.
The sideloading surface is a documented Waves MaxxAudio registry weakness. VerSprite's VS-Labs research on Waves MaxxAudio documented how the ExternalModule registry key and the LoadLibraryA call in MaxxAudioAPOShell64.dll can be coerced into loading an attacker-controlled DLL path when permissions permit. That vulnerability research is generic — it does not itself attribute MaxxAudio abuse to any particular actor.
A note on the MaxxAudio vector
DLL sideloading via legitimate signed software is a well-documented Silver Fox / ValleyRAT tradecraft pattern. Prior reporting has covered SodaMusicLauncher.exe (ByteDance) — see Dark Lab HK — as well as shine.exe with a rogue libcef.dll, Foxit PDF Reader abuse documented by Trend Micro, and renamed Cyren AV binaries (TO7RUF.exe, originally vseamps.exe) documented by Check Point Research. These give the "signed-binary sideloads malicious DLL" TTP a solid evidentiary base.
MaxxAudio (MaxxAudioControl64.exe + MaxxAudioAPOShell64.dll) as a Silver Fox sideloading vector does not appear in the public record prior to this campaign. If it has been documented elsewhere and we have missed the citation, please reach out — we will update this post and credit you. Our attribution therefore rests on the pattern (DLL sideloading of signed software) rather than MaxxAudio specifically, plus the other signals below (stock Gh0st-family config defaults, 163.com registrant, Japan targeting, Hong Kong C2 on a non-standard port).
Treat MaxxAudio as either a novel variation within Silver Fox's sideloading repertoire or as a data point worth confirming against other researchers' unpublished telemetry. Given the vulnerability surface exists and is well-documented by VerSprite, it is a plausible tool for any actor already running this playbook — but public attribution of MaxxAudio abuse to Silver Fox specifically is, to our knowledge, new.
Once loaded, the malicious DLL decodes an encrypted payload, writes staging data to C:\Users\Public\Documents\94a3c123872341ef93a035e8534a1b8a, and beacons to the C2.
The staging path itself is a tell. A randomly generated GUID-like directory under Users\Public\Documents is consistent with ValleyRAT/Winos 4.0's documented on-disk layout.
The C2: 137.220.153[.]175 on Port 886
The C2 server sits on 137.220.153[.]175, TCP port 886. No TLS handshake, no HTTPS — a custom binary protocol consistent with ValleyRAT's CTcpSocket-based transport.
| Property | Value |
|---|---|
| ASN | AS4907 BGPNET PTE. LTD. |
| Location | Hong Kong |
| Port | 886/tcp |
| Protocol | Custom binary (ValleyRAT / Winos 4.0) |
Two things are worth noting about the hosting.
AS4907 BGPNET PTE. LTD. is a sister network to AS64050 BGPNET Global. In Recorded Future's 2022 Adversary Infrastructure Report, BGPNET Global was ranked as a top-10 C2 hosting provider by volume — 181 active C2s observed across that year. It later fell out of the top-10 as volume decreased. The network has a durable history of hosting C2 infrastructure and has not been substantially remediated.
Port 886 is non-standard and a ValleyRAT family signature. Published Silver Fox / ValleyRAT reporting has observed C2 ports including 5040, 5050, 5178, 5689, 9000, 9899, 14852, and 18852. The pattern is a rotation of obscure high ports rather than reuse of 80/443. 886 fits the profile.
The delivery domain resolves to a second Hong Kong host on a different ASN:
| Property | Delivery host (103.115.56[.]66) |
|---|---|
| ASN | AS55933 Cloudie Limited |
| Hostname | unknown.itsidc[.]com |
| Location | Hong Kong |
Both C2 and delivery are in Hong Kong but on separate autonomous systems. Split hosting is consistent with Silver Fox's established infrastructure discipline.
The Config Strings: Stock Panel Defaults
Two config fields recovered from the live pull are the most direct tell in this campaign:
| Field | UTF-8 bytes | Decoded | Meaning |
|---|---|---|---|
| Campaign_ID | e9 bb 98 e8 ae a4 e5 a4 87 e6 b3 a8 | 默认备注 | "default remark" |
| Operator_ID | e9 bb 98 e8 ae a4 e5 88 86 e7 bb 84 | 默认分组 | "default group" |
These strings are not a campaign name or an operator handle. They are the literal placeholder text shipped by Gh0st RAT-family panel builders — including ValleyRAT/Winos 4.0, Sainbox RAT, and Farfli. When a panel operator generates a new payload, those fields are pre-filled with 默认备注 and 默认分组. The operator is expected to overwrite them with something meaningful before building.
This operator did not. The builder's UI strings shipped straight into the compiled implant.
Two readings are plausible:
- A newer operator. Someone working with a Gh0st/ValleyRAT panel for the first time, who did not customize the builder before generating. This is common for panels distributed through Chinese-language underground forums that include the builder as an all-in-one bundle.
- Deliberate opsec. An experienced operator who treats the campaign ID as a leak surface and ships defaults on purpose to avoid embedding an attributable tag.
Either reading is compatible with Silver Fox. The first fits the expansion of Silver Fox operations through less-skilled affiliates observed through 2025-2026. The second fits the discipline visible in the split hosting and the aged delivery domain.
What the strings rule out is a careful campaign-naming operator. Whoever built this payload did not leave a campaign tag in it.
Attribution: Silver Fox APT (HIGH CONFIDENCE — as called by the tipping researcher)
The Silver Fox APT attribution on this campaign was called by the researcher who pulled the live config and shared it with us. Our role in this writeup is to package, structure, and pattern-check — not to independently derive the family call. The signals below are what backs the researcher's call against the public record on Silver Fox / ValleyRAT tradecraft. Read the confidence as: we find the call consistent with the signals we can see; confirmation from other teams tracking Silver Fox Japan operations would strengthen or revise it.
| Evidence | Weight | Notes |
|---|---|---|
| ValleyRAT / Winos 4.0 family | Strong | Silver Fox's primary tool, Gh0st RAT derivative |
| DLL sideloading of legitimate signed software | Strong | Documented Silver Fox TTP across 2025-2026 (SodaMusicLauncher, Foxit, renamed AV binaries); MaxxAudio specifically is novel here |
| Stock Gh0st-panel config defaults | Strong | Chinese-language panel builder artifact |
| 163.com registrant email | Moderate | NetEase (China) consumer email provider |
| Fabricated Japanese WHOIS (Kyoto + Saitama) | Moderate | Lure spoofed to look Japanese; registrant actually Chinese |
| Japanese-language Rakuten invoice lure | Strong | Silver Fox confirmed targeting Japan since December 2025 |
| Hong Kong C2 + Hong Kong delivery (split ASN) | Moderate | Consistent with Silver Fox infrastructure pattern |
| Non-standard C2 port 886 | Moderate | Matches the ValleyRAT obscure-port rotation |
Alternative hypotheses considered and set aside:
- Generic Gh0st operator. Possible, but the combination of signed-binary DLL sideloading, Japan targeting, and split Hong Kong hosting fits Silver Fox's 2025-2026 operational profile more cleanly than a commodity Gh0st deployment.
- Sainbox RAT. The family shares config defaults, but Sainbox's delivery patterns differ, and the ValleyRAT/Winos 4.0 behavioral signature (binary C2 protocol, GUID-style public staging directory) fits better here.
- Winnti / APT41 crossover. Silver Fox has documented tooling overlaps with Winnti, but this campaign's commercial-fraud character fits Silver Fox's documented Japan operations rather than Winnti's espionage targeting.
Threat actor naming concordance:
| Vendor | Name |
|---|---|
| Community | Silver Fox |
| Trend Micro | Void Arachne |
| Palo Alto Unit 42 | CL-STA-0048 |
| Chinese industry | UTG-Q-1000 |
| Malpedia | win.valley_rat |
IOC Table
Network
| Indicator | Type | Context |
|---|---|---|
| 137.220.153[.]175 | IPv4 | C2 server |
| 137.220.153[.]175:886 | IP:Port | ValleyRAT C2 beacon |
| missallanahstarr[.]com | Domain | Payload delivery |
| 103.115.56[.]66 | IPv4 | Delivery host (resolution of delivery domain) |
| a8.share-dns[.]com | Nameserver | Delivery domain DNS |
| b8.share-dns[.]net | Nameserver | Delivery domain DNS |
Files
| Hash | File | Role |
|---|---|---|
| f0fc5a9aead0bed9f97e4a007bf712aef4ab95e1abaf6150fee7f51602d57347 | Electronic12862330415.zip | Delivered archive |
| 610d48ae96a2494ebfd760d4ff6647bb95f57fac92f4bc8513329f1337d6c7f2 | MaxxAudioControl64.exe | Legitimate Dell/Waves loader (signed) |
| 17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d | MaxxAudioAPOShell64.dll | Malicious sideloaded DLL |
Host Artifacts
| Indicator | Context |
|---|---|
| C:\Users\Public\Documents\94a3c123872341ef93a035e8534a1b8a | On-disk staging directory (GUID-style) |
| 默认备注 | ValleyRAT config Campaign_ID field (stock default) |
| 默认分组 | ValleyRAT config Operator_ID field (stock default) |
WHOIS
| Indicator | Context |
|---|---|
| lugai665@163.com | Delivery domain registrant email (NetEase / China) |
| hei fei zhe ye | Delivery domain registrant name (likely fabricated) |
| +81.713546623 | Delivery domain registrant phone (format suspect) |
A machine-readable copy of these IOCs is published in the breakglass-intel GitHub repository.
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 |
| Execution | User Execution: Malicious File | T1204.002 |
| Defense Evasion | DLL Search Order Hijacking | T1574.001 |
| Defense Evasion | DLL Side-Loading | T1574.002 |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 |
| Defense Evasion | Signed Binary Proxy Execution | T1218 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Command and Control | Non-Standard Port | T1571 |
| Command and Control | Application Layer Protocol | T1071 |
| Collection | Archive Collected Data | T1560 |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Resource Development | Acquire Infrastructure: Server | T1583.004 |
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 |
YARA
```yara
rule SilverFox_ValleyRAT_Japan_MaxxAudio_Sideload
{
    meta:
        author = "Breakglass Intelligence"
        description = "Detects the April 2026 Silver Fox / ValleyRAT Japan campaign sideloaded DLL (PE); the ZIP hash is kept in meta for reference only"
        date = "2026-04-17"
        reference = "https://intel.breakglass.tech/post/silver-fox-valleyrat-japan-rakuten-lure"
        hash_zip = "f0fc5a9aead0bed9f97e4a007bf712aef4ab95e1abaf6150fee7f51602d57347"
        hash_dll = "17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d"
    strings:
        $dll_name = "MaxxAudioAPOShell64.dll" ascii wide nocase
        $stage_path = "Users\\Public\\Documents\\94a3c123872341ef93a035e8534a1b8a" ascii wide
        $default_remark = { E9 BB 98 E8 AE A4 E5 A4 87 E6 B3 A8 } // 默认备注 UTF-8
        $default_group = { E9 BB 98 E8 AE A4 E5 88 86 E7 BB 84 } // 默认分组 UTF-8
        $rtti_socket = "CTcpSocket" ascii
        $rtti_kernel = "CKernelManager" ascii
        $c2_ip = "137.220.153.175" ascii wide
    condition:
        // MZ header: this rule matches PE files only, so the ZIP archive itself is out of scope
        uint16(0) == 0x5A4D and
        // the malicious DLL is ~102 KB; the 3.2 MB legitimate loader is excluded by size
        filesize < 500KB and
        (
            ($dll_name and ($rtti_socket or $rtti_kernel)) or
            ($default_remark and $default_group) or
            $c2_ip or
            $stage_path
        )
}
```
Recommendations
For network defenders:
- Block 137.220.153[.]175 at the egress boundary (all ports, especially 886/tcp)
- Block 103.115.56[.]66 at the egress boundary
- Sinkhole or block DNS resolution of missallanahstarr[.]com
- Alert on DNS queries to a8.share-dns[.]com and b8.share-dns[.]net
- Alert on outbound TCP to AS4907 (BGPNET PTE. LTD.) from endpoint segments
For endpoint defenders:
- Hunt for MaxxAudioControl64.exe running from any path outside the legitimate Dell Waves install directories (C:\Program Files\*Realtek*, C:\Program Files\*Waves*)
- Hunt for file writes or staging under C:\Users\Public\Documents\ matching a 32-hex-character directory name
- Hash-match the three file IOCs across EDR telemetry
- Treat DLL loads of MaxxAudioAPOShell64.dll from user-writable paths as high-priority signal
- Deploy the YARA rule above against mail-gateway and endpoint file scanning
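The endpoint hunts above, together with the C2 indicator from "The C2" section, map onto a handful of rules over process, image-load, file-create and network-connect telemetry. The block below is an added example, not code from the original post: it runs those rules over constructed Sysmon-style event dicts (field names follow Sysmon's Image, ImageLoaded, TargetFilename, DestinationIp, DestinationPort and Hashes; the records themselves are invented), and its approximation of the post's `C:\Program Files\*Realtek*` / `*Waves*` globs and its list of user-writable roots are assumptions of this example.

```python
"""Hunt rules for the endpoint and network indicators in the post. Added
example, not the post's own code. Runs over constructed, Sysmon-style event
dicts; the field names follow Sysmon's, but every record below is invented."""
import re
from typing import Dict, List, Tuple

# SHA-256 values from the post's IOC table.
IOC_SHA256 = {
    "f0fc5a9aead0bed9f97e4a007bf712aef4ab95e1abaf6150fee7f51602d57347",  # ZIP
    "610d48ae96a2494ebfd760d4ff6647bb95f57fac92f4bc8513329f1337d6c7f2",  # signed EXE
    "17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d",  # malicious DLL
}
C2_IP = "137.220.153.175"

# Approximation of the post's "C:\Program Files\*Realtek*" / "*Waves*" globs
# (assumption: the legitimate loader lives in a vendor directory under Program Files).
LEGIT_DIR_RE = re.compile(
    r"^c:\\program files( \(x86\))?\\[^\\]*(realtek|waves)[^\\]*\\", re.I)
# Assumption: these roots are treated as user-writable for the DLL-load rule.
USER_WRITABLE_RE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
# The post's staging tell: a 32-hex-character directory under Users\Public\Documents.
STAGING_RE = re.compile(r"^c:\\users\\public\\documents\\[0-9a-f]{32}(\\|$)", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _sha256(hashes_field: str) -> str:
    # Sysmon packs hashes as "SHA256=...,MD5=..."; pull the SHA256 value.
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, matched_value) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            img = ev.get("Image", "")
            if _basename(img) == "maxxaudiocontrol64.exe" and not LEGIT_DIR_RE.match(img):
                hits.append(("loader_outside_vendor_dir", img))
        elif kind == "ImageLoad":
            dll = ev.get("ImageLoaded", "")
            if _basename(dll) == "maxxaudioaposhell64.dll" and USER_WRITABLE_RE.match(dll):
                hits.append(("sideload_from_user_writable_path", dll))
        elif kind == "FileCreate":
            target = ev.get("TargetFilename", "")
            if STAGING_RE.match(target):
                hits.append(("guid_style_staging_dir", target))
        elif kind == "NetworkConnect":
            if ev.get("DestinationIp") == C2_IP:
                hits.append(("c2_ip", f"{C2_IP}:{ev.get('DestinationPort')}"))
        # The hash rule applies to any event type that carries a Hashes field.
        if _sha256(ev.get("Hashes", "")) in IOC_SHA256:
            hits.append(("ioc_hash", ev.get("ImageLoaded") or ev.get("Image", "")))
    return hits


# Constructed sample telemetry: one clean vendor install, then the campaign chain.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\Waves\MaxxAudio\MaxxAudioControl64.exe",
     "Hashes": "SHA256=610d48ae96a2494ebfd760d4ff6647bb95f57fac92f4bc8513329f1337d6c7f2"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\taro\Downloads\Electronic12862330415\MaxxAudioControl64.exe",
     "Hashes": "SHA256=610d48ae96a2494ebfd760d4ff6647bb95f57fac92f4bc8513329f1337d6c7f2"},
    {"EventType": "ImageLoad",
     "Image": r"C:\Users\taro\Downloads\Electronic12862330415\MaxxAudioControl64.exe",
     "ImageLoaded": r"C:\Users\taro\Downloads\Electronic12862330415\MaxxAudioAPOShell64.dll",
     "Hashes": "SHA256=17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d"},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Users\Public\Documents\94a3c123872341ef93a035e8534a1b8a\stage.bin"},
    {"EventType": "NetworkConnect", "DestinationIp": "137.220.153.175", "DestinationPort": 886},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\Documents\report.docx"},
]

if __name__ == "__main__":
    for rule, value in hunt(SAMPLE_EVENTS):
        print(f"{rule:35s} {value}")
```

The first sample event is the caveat worth noticing: the signed loader's hash also hits on a legitimate Waves install under Program Files, so the hash rule on 610d48ae… is a weak signal on its own. The path-based rules (loader outside the vendor directory, DLL loaded from a user-writable path) are what separate the campaign chain from a clean system.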
For mail gateway / user-training teams:
- Japanese-language invoice emails referencing Rakuten and linking to non-rakuten.co.jp domains should be treated as high-suspicion
- ZIP attachments containing a named-brand audio or driver EXE are an anomaly pattern worth flagging
Disclosure
No victim organizations are named in this report. Rakuten is referenced only as the impersonated brand — no Rakuten system or Rakuten customer was compromised in this campaign.
The appropriate abuse and CERT channels for this kind of campaign are JPCERT/CC (Japanese victim targeting), HKCERT (Hong Kong-hosted C2 and delivery), PacificDomains, LLC (domain registrar), BGPNET PTE. LTD. (AS4907, C2 host), and Cloudie Limited (AS55933, delivery host). Defenders handling this report are encouraged to file abuse notifications through those channels.
References
- Silver Fox Expands Winos 4.0 / ValleyRAT and HoldingHands RAT Cyber Attacks to Japan and Malaysia — Rescana
- Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT — The Hacker News
- Silver Fox's Dual-Pronged Strategy: Dissecting ValleyRAT Distribution — Dark Lab HK
- Thor vs. Silver Fox — Uncovering and Defeating a Sophisticated ValleyRAT Campaign — Nextron Systems
- ValleyRAT Campaign Targeting Chinese Speakers — FortiGuard Labs
- Silver Fox Uses Fake Microsoft Teams Installer for ValleyRAT — The Hacker News
- Fake Huorong Security Site Infects Users with ValleyRAT — Malwarebytes
- Waves MaxxAudio DLL Side-Loading LPE via Windows Registry — VerSprite VS-Labs
- ValleyRAT — Malpedia — Fraunhofer FKIE
- 2022 Adversary Infrastructure Report (BGPNET Global C2 hosting) — Recorded Future
Breakglass Intelligence — "One indicator. Total infrastructure."
Tip for this writeup came from a researcher who pulled the live config on 2026-04-16. If you have additional context on this campaign, the delivery domain, or the BGPNET-hosted C2 — or if we have missed prior art — reply or DM us on X. We will update this post with proper credit.