Silver Fox Hits Japan: ValleyRAT via Rakuten Invoice Lure with Dell MaxxAudio DLL Sideloading
A live malware config pull reveals a Chinese APT's expansion into the Japanese market with classic Gh0st RAT defaults and a well-documented sideloading vector
When a researcher flagged a live malware config pull on April 16, 2026, pointing to a C2 server at 137[.]220[.]153[.]175:886, we pulled the thread. The config contained Chinese-language default strings, the payload was delivered from a domain registered with a 163[.]com email address and a fabricated Japanese address listing "Kyoto, Saitama" — two different prefectures — and the delivery mechanism used a legitimate Dell/Waves Audio binary to sideload a malicious DLL. Within hours, we had mapped the full infection chain: a Japanese-language Rakuten invoice phishing campaign delivering ValleyRAT through DLL sideloading, with infrastructure spanning two Hong Kong hosting providers and tradecraft signatures pointing directly at Silver Fox APT.
Silver Fox — also tracked as Void Arachne (Trend Micro), CL-STA-0048 (Palo Alto Unit 42), and UTG-Q-1000 (Chinese industry) — is a Chinese threat actor group primarily known for deploying ValleyRAT, a Gh0st RAT derivative also classified as Winos 4.0. While Silver Fox historically targeted Chinese-speaking victims through fake software installers and SEO poisoning, multiple vendors documented their expansion into Japan, Malaysia, and Southeast Asia beginning in December 2025. This campaign represents a continuation of that expansion, with a well-crafted Rakuten invoice lure specifically designed for Japanese victims.
Attribution confidence is HIGH (95/100). The combination of MaxxAudio DLL sideloading (a documented Silver Fox TTP), Chinese-default config strings, BGPNET C2 hosting, 163[.]com registrant email, and Japan-targeting lure content produces a strong attribution signal that aligns with multiple independent vendor reports on Silver Fox's 2026 operational tempo.
Table of Contents
- Infection Chain
- IOC Table
- Pivot Chains and Evidence
- DLL Sideloading Mechanism
- ValleyRAT / Winos 4.0 Characteristics
- Attribution Analysis
- MITRE ATT&CK Mapping
- Recommendations
- References
Infection Chain
1. LURE: Japanese-language Rakuten invoice email
└── Legitimate rakuten.co.jp link (brand abuse, not IOC)
└── Delivery link → hxxp://missallanahstarr[.]com/
2. DELIVERY: missallanahstarr[.]com serves Electronic12862330415.zip
└── 103[.]115[.]56[.]66 (AS55933 Cloudie Limited, Hong Kong)
3. EXECUTION: Victim extracts ZIP, runs MaxxAudioControl64.exe
└── Legitimate Dell/Waves Audio signed PE32+ binary (3.2 MB)
└── Binary expects MaxxAudioAPOShell64.dll in same directory
4. SIDELOAD: MaxxAudioControl64.exe loads MaxxAudioAPOShell64.dll
└── DLL search order hijacking (T1574.001/T1574.002)
└── Malicious DLL (104 KB) loads encrypted payload
└── Config path: C:\Users\Public\Documents\94a3c123872341ef93a035e8534a1b8a
5. C2 BEACON: Payload connects to 137[.]220[.]153[.]175:886
└── Custom binary protocol (not standard TLS/HTTPS)
└── Campaign_ID: 默认备注 ("default remark")
└── Operator_ID: 默认分组 ("default group")
IOC Table
Network Indicators
| IOC | Type | Context |
|---|---|---|
| 137[.]220[.]153[.]175 | IPv4 | C2 server, port 886 |
| 886/tcp | Port | C2 beacon port |
| missallanahstarr[.]com | Domain | Payload delivery / email link |
| 103[.]115[.]56[.]66 | IPv4 | missallanahstarr[.]com resolution |
| a8.share-dns.com | NS | Nameserver for delivery domain |
| b8.share-dns.net | NS | Nameserver for delivery domain |
Infrastructure Details
| Property | C2 (137[.]220[.]153[.]175) | Delivery (103[.]115[.]56[.]66) |
|---|---|---|
| ASN | AS4907 BGPNET PTE. LTD. | AS55933 Cloudie Limited |
| Location | Hong Kong | Hong Kong |
| Hostname | — | unknown.itsidc[.]com |
| Notes | BGPNET Global (AS64050) was previously top-10 C2 hosting provider (Recorded Future 2022) | Cloudie Limited / ITSIDC infrastructure |
WHOIS — missallanahstarr[.]com
| Field | Value | Assessment |
|---|---|---|
| Registrar | PacificDomains, LLC | — |
| Registrant Name | hei fei zhe ye | Likely fabricated Japanese-style name |
| Registrant Address | Kyoto, Saitama, JP | Suspicious: Kyoto and Saitama are different prefectures |
| Registrant Email | lugai665@163[.]com | 163.com = NetEase (Chinese email provider) |
| Registrant Phone | +81.713546623 | JP country code but format is suspect |
| Created | 2025-06-12 | ~10 months before campaign |
| Updated | 2026-04-15 | Day before campaign launch |
| Expires | 2026-06-12 | Short registration window |
| Nameservers | a8.share-dns.com, b8.share-dns.net | Shared DNS infrastructure |
File Indicators
| Filename | Type | Size | MD5 | SHA-256 |
|---|---|---|---|---|
| Electronic12862330415.zip | ZIP archive | 1,441,333 B | 0fbd311b2551001f2bb3af8aefc0b69d | f0fc5a9aead0bed9f97e4a007bf712aef4ab95e1abaf6150fee7f51602d57347 |
| MaxxAudioControl64.exe | PE32+ GUI | 3,209,000 B | 40d4cff737d4cdf0f272ff5c4013de05 | 610d48ae96a2494ebfd760d4ff6647bb95f57fac92f4bc8513329f1337d6c7f2 |
| MaxxAudioAPOShell64.dll | PE32+ DLL | 104,448 B | 42ec4254a8a6255fd8a18de89d9cb42d | 17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d |
Malware Config Strings
| Field | Hex Value | Decoded (UTF-8) | Meaning |
|---|---|---|---|
| Campaign_ID | \xe9\xbb\x98\xe8\xae\xa4\xe5\xa4\x87\xe6\xb3\xa8 | 默认备注 | "default remark" — stock Gh0st/ValleyRAT panel default |
| Operator_ID | \xe9\xbb\x98\xe8\xae\xa4\xe5\x88\x86\xe7\xbb\x84 | 默认分组 | "default group" — stock Gh0st/ValleyRAT panel default |
| Config Path | C:\Users\Public\Documents\94a3c123872341ef93a035e8534a1b8a | — | On-disk staging directory (GUID-style) |
Lure Details
| Property | Value |
|---|---|
| Language | Japanese |
| Impersonated Brand | Rakuten (rakuten.co.jp — legitimate, not an IOC) |
| Invoice Number | GH-58420391 |
| Amount | 12,000 yen (tax included) |
| Date | April 16, 2026 |
Pivot Chains and Evidence
Pivot 1: C2 IP to Hosting Infrastructure
137[.]220[.]153[.]175:886
└── AS4907 BGPNET PTE. LTD. (Hong Kong)
└── Related entity: BGPNET Global (AS64050)
└── Previously ranked top-10 C2 hosting provider (Recorded Future 2022 Adversary Infrastructure Report)
└── Dropped from top-10 after decrease from 181→147 active C2s
Assessment: BGPNET infrastructure has a documented history of hosting C2 servers. The use of non-standard port 886 is consistent with ValleyRAT's pattern of varied high-port C2 configurations.
Pivot 2: Delivery Domain to Chinese Actor Infrastructure
missallanahstarr[.]com
├── Resolves → 103[.]115[.]56[.]66 (AS55933 Cloudie Limited, Hong Kong)
│ └── hostname: unknown.itsidc[.]com (ITSIDC infrastructure)
├── WHOIS email: lugai665@163[.]com (NetEase — Chinese email provider)
├── WHOIS address: "Kyoto, Saitama, JP" (contradictory prefectures = fabricated)
├── Updated: 2026-04-15 (day before campaign)
└── NS: share-dns.com / share-dns.net
Assessment: The 163[.]com registrant email is a strong indicator of Chinese-origin actor. The contradictory "Kyoto, Saitama" address is fabricated to appear Japanese. Both the C2 and delivery infrastructure are hosted in Hong Kong, consistent with Silver Fox's known infrastructure preferences.
Pivot 3: DLL Sideloading to ValleyRAT Tradecraft
MaxxAudioControl64.exe (legitimate Dell/Waves Audio binary)
└── Sideloads MaxxAudioAPOShell64.dll (malicious)
└── Exploits LoadLibraryA via DLL search order hijacking
└── MaxxAudioAPOShell64.dll vulnerability documented by VerSprite
└── Registry ExternalModule key → LoadLibraryA with attacker-controlled path
└── Loads encrypted payload → beacons to 137[.]220[.]153[.]175:886
Assessment: Dell MaxxAudio DLL sideloading is a documented Silver Fox TTP. The VerSprite research (VS-Labs) confirmed that MaxxAudioAPOShell64.dll is vulnerable to sideloading via the ExternalModule registry key and LoadLibraryA calls. Silver Fox has used multiple legitimate signed binaries for sideloading including SodaMusicLauncher.exe (ByteDance), WavesSvc64.exe, NtHandleCallback.exe, and edr09.exe.
Pivot 4: Config Strings to Gh0st RAT Family Attribution
Campaign_ID: 默认备注 ("default remark")
Operator_ID: 默认分组 ("default group")
└── These are the STOCK DEFAULT strings in:
├── Gh0st RAT panel builders
├── ValleyRAT / Winos 4.0 panels
├── Sainbox RAT panels
└── Farfli RAT panels
└── Indicates: operator used panel defaults without customization
└── Possible new operator, or deliberate opsec (no identifying campaign name)
Assessment: The presence of unmodified Chinese-language default strings confirms this is a Chinese-market RAT builder. Combined with the DLL sideloading vector and C2 characteristics, ValleyRAT (Winos 4.0) is the most likely family.
DLL Sideloading Mechanism
The attack exploits a documented vulnerability in Dell/Waves Audio's MaxxAudio software:
- `MaxxAudioControl64.exe` is a legitimate, signed Waves Audio binary
- On startup, it loads `MaxxAudioAPOShell64.dll` from its working directory
- The DLL uses `LoadLibraryA` and queries the `ExternalModule` registry key
- VerSprite (VS-Labs) documented that improper permissions on this registry key allow any user-level process to redirect DLL loading
- The attacker places their malicious DLL alongside the legitimate EXE in the ZIP
- When the victim runs the EXE, the Windows DLL search order loads the malicious DLL first
ValleyRAT / Winos 4.0 Characteristics
Based on published research on ValleyRAT:
- Architecture: C++ plugin-based RAT built on Gh0st RAT framework
- Config Storage: Registry keys (commonly `HKCU\Software\Console\` or `HKCU\SOFTWARE\IpDates_info`)
- Encryption: AES-256 with hardcoded key + XOR encoding (single-byte or derived key)
- C2 Protocol: Custom binary protocol over TCP (not standard HTTP/S)
- Evasion: Sleep obfuscation (memory protection cycling), VM/sandbox detection, AV process termination
- Persistence: Scheduled tasks, registry run keys, DLL search order hijacking
- Anti-Analysis: Checks for <30 files in %TEMP%, enumerates VMware/VirtualBox services
Attribution Analysis
Silver Fox APT — HIGH CONFIDENCE
| Evidence | Weight | Notes |
|---|---|---|
| ValleyRAT (Winos 4.0) malware family | Strong | Silver Fox's primary tool, Gh0st RAT derivative |
| DLL sideloading via MaxxAudio | Strong | Documented Silver Fox TTP |
| Chinese-default config strings | Strong | Stock Gh0st/ValleyRAT panel defaults |
| 163[.]com registrant email | Moderate | Chinese email provider, consistent with Chinese-origin actor |
| Fabricated Japanese WHOIS with contradictory prefectures | Moderate | Lure targeting Japan, registration spoofed to appear Japanese |
| C2 on BGPNET (AS4907, Hong Kong) | Moderate | BGPNET previously top-10 C2 hosting provider |
| Port 886 C2 | Moderate | Non-standard port consistent with ValleyRAT patterns |
| Japanese-language Rakuten lure | Strong | Silver Fox confirmed targeting Japan since Dec 2025 |
| Both C2 and delivery hosted in Hong Kong | Moderate | Consistent with Silver Fox infrastructure preferences |
Alternative Hypotheses Considered
| Hypothesis | Assessment |
|---|---|
| Sainbox RAT (different actor) | Unlikely — Sainbox uses similar defaults but different delivery patterns; MaxxAudio sideloading is Silver Fox signature |
| Generic Gh0st RAT operator | Possible but unlikely — the combination of MaxxAudio sideloading + Japan targeting + infrastructure pattern is distinctly Silver Fox |
| Winnti Group overlap | Noted — Silver Fox has documented overlaps with Winnti/APT41 tooling, but this campaign's tradecraft is more consistent with Silver Fox's commercial fraud operations than Winnti's espionage focus |
Threat Actor Naming Concordance
| Vendor | Name |
|---|---|
| General | Silver Fox |
| Trend Micro | Void Arachne |
| Palo Alto Unit 42 | CL-STA-0048 |
| Chinese industry | UTG-Q-1000 |
| Malpedia | win.valley_rat |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Japanese-language Rakuten invoice lure with link to missallanahstarr[.]com |
| Execution | User Execution: Malicious File | T1204.002 | Victim extracts and runs MaxxAudioControl64.exe from ZIP |
| Persistence | DLL Search Order Hijacking | T1574.001 | MaxxAudioAPOShell64.dll sideloaded by legitimate MaxxAudio binary |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Malicious DLL named to match legitimate Dell/Waves Audio component |
| Defense Evasion | DLL Side-Loading | T1574.002 | MaxxAudioControl64.exe loads attacker DLL via search order |
| Defense Evasion | Obfuscated Files or Information | T1027 | Encrypted payload, XOR/AES config encoding (ValleyRAT standard) |
| Defense Evasion | Signed Binary Proxy Execution | T1218 | Legitimate signed Dell/Waves binary used to proxy malicious code |
| Command and Control | Non-Standard Port | T1571 | C2 on TCP port 886 |
| Command and Control | Application Layer Protocol | T1071 | Custom binary protocol to 137[.]220[.]153[.]175:886 |
| Collection | Archive Collected Data | T1560 | Payload delivered as ZIP archive |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | missallanahstarr[.]com registered with fabricated WHOIS |
| Resource Development | Acquire Infrastructure: Server | T1583.004 | C2 hosted on BGPNET (AS4907), delivery on Cloudie (AS55933) |
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 | ZIP payload staged on missallanahstarr[.]com |
Recommendations
Immediate Actions
- Block IOCs at network boundary:
  - Block `137[.]220[.]153[.]175` (all ports, especially 886/tcp)
  - Block `103[.]115[.]56[.]66`
  - Block DNS resolution of `missallanahstarr[.]com`
  - Block `a8.share-dns.com` and `b8.share-dns.net` at DNS level
- Hunt for compromise indicators:
  - Search for connections to `137.220.153.175:886` in netflow/proxy logs
  - Search for `MaxxAudioControl64.exe` running from non-standard paths (outside `C:\Program Files\Realtek\Audio\HDA\`)
  - Search for `C:\Users\Public\Documents\94a3c123872341ef93a035e8534a1b8a` on endpoints
  - Hash-match the file IOCs across EDR telemetry
- Notify hosting providers:
- BGPNET PTE. LTD. (AS4907) — C2 abuse at 137[.]220[.]153[.]175
- Cloudie Limited (AS55933) — malware delivery at 103[.]115[.]56[.]66
- PacificDomains, LLC — domain missallanahstarr[.]com used for malware delivery
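To operationalize the hunt queries above and the sideloading behaviour described in the DLL Sideloading Mechanism section, here is an added example (not code from the original report): a small Python hunter run over constructed endpoint telemetry. The `key="value"` event format, event and field names, and sample paths are assumptions; the IP, port, staging directory, file names and hashes are the report's own indicators.

```python
import ntpath
import re

# Indicators from the report above; the prose defangs them, endpoint telemetry does not.
C2_IP, C2_PORT = "137.220.153.175", "886"
STAGING_DIR = r"c:\users\public\documents\94a3c123872341ef93a035e8534a1b8a"
LEGIT_DIR = r"c:\program files\realtek\audio\hda"  # expected install path per the report
HOST_EXE, SIDELOADED_DLL = "maxxaudiocontrol64.exe", "maxxaudioaposhell64.dll"
KNOWN_BAD_SHA256 = {
    "f0fc5a9aead0bed9f97e4a007bf712aef4ab95e1abaf6150fee7f51602d57347": "Electronic12862330415.zip",
    "17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d": "MaxxAudioAPOShell64.dll",
}

# Constructed telemetry in an assumed key="value" format (not a vendor schema).
SAMPLE_TELEMETRY = [
    r'event="proccreate" pid="4120" image="C:\Program Files\Realtek\Audio\HDA\MaxxAudioControl64.exe"',
    r'event="proccreate" pid="5168" image="C:\Users\taro\Downloads\Electronic12862330415\MaxxAudioControl64.exe"',
    r'event="imageload" pid="5168" image="C:\Users\taro\Downloads\Electronic12862330415\MaxxAudioControl64.exe" loaded="C:\Users\taro\Downloads\Electronic12862330415\MaxxAudioAPOShell64.dll" sha256="17d6415df0d336e255df7689ae90039e48fd6e95d43fbbc34d5b4875ea9af47d"',
    r'event="filecreate" pid="5168" path="C:\Users\Public\Documents\94a3c123872341ef93a035e8534a1b8a\cfg"',
    r'event="netconn" pid="5168" dst="137.220.153.175" dport="886" proto="tcp"',
    r'event="netconn" pid="900" dst="93.184.216.34" dport="443" proto="tcp"',
]

def _fields(line):
    """Parse one key="value" telemetry line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def _in_legit_dir(path):
    # ntpath handles Windows separators regardless of the analyst's host OS.
    return ntpath.dirname(path.lower()) == LEGIT_DIR

def hunt(lines):
    """Return (rule, line) pairs for each line matching one of the report's hunt queries."""
    hits = []
    for line in lines:
        f = _fields(line)
        ev, image, loaded = f.get("event"), f.get("image", "").lower(), f.get("loaded", "").lower()
        if ev == "netconn" and f.get("dst") == C2_IP and f.get("dport") == C2_PORT:
            hits.append(("c2_beacon", line))
        elif ev == "proccreate" and image.endswith(HOST_EXE) and not _in_legit_dir(image):
            hits.append(("maxxaudio_nonstandard_path", line))
        elif (ev == "imageload" and image.endswith(HOST_EXE) and loaded.endswith(SIDELOADED_DLL)
              and ntpath.dirname(loaded) == ntpath.dirname(image) and not _in_legit_dir(loaded)):
            hits.append(("maxxaudio_dll_sideload", line))  # DLL loaded from the EXE's own directory
        elif ev == "filecreate" and f.get("path", "").lower().startswith(STAGING_DIR):
            hits.append(("valleyrat_staging_dir", line))
        if f.get("sha256", "").lower() in KNOWN_BAD_SHA256:  # checked independently of event type
            hits.append(("known_bad_hash:" + KNOWN_BAD_SHA256[f["sha256"].lower()], line))
    return hits
```

The legitimate install-path launch in the first sample line produces no hit; the same binary run from a Downloads folder, its sibling DLL load, the staging directory and the port 886 beacon each do.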
CERT Notifications
| CERT | Reason | Priority |
|---|---|---|
| JPCERT/CC | Japanese-language Rakuten lure targeting Japanese victims; registrant has JP phone number and address | HIGH |
| SingCERT | BGPNET PTE. LTD. is Singapore-incorporated | MEDIUM |
| HKCERT | Both C2 and delivery infrastructure hosted in Hong Kong | MEDIUM |
References
- Silver Fox APT Uses DLL Sideloading and BYOVD Techniques — CyberSecurityNews
- Thor vs. Silver Fox — Uncovering ValleyRat Campaign — Nextron Systems
- Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT — The Hacker News
- Silver Fox's Dual-Pronged Strategy: Dissecting ValleyRAT — Dark Lab HK
- Silver Fox Expands Winos 4.0 to Japan and Malaysia — Rescana
- ValleyRAT Campaign Targeting Chinese Speakers — FortiGuard Labs
- Silver Fox Uses Fake Microsoft Teams Installer for ValleyRAT — The Hacker News
- Fake Huorong Security Site Infects Users with ValleyRAT — Malwarebytes
- Waves MaxxAudio DLL Side-Loading LPE via Windows Registry — VerSprite VS-Labs
- ValleyRAT — Malpedia — Fraunhofer FKIE
- 2022 Adversary Infrastructure Report — Recorded Future (BGPNET Global AS64050 in top-10 C2 hosting)
Need help hunting for Silver Fox / ValleyRAT in your environment? Breakglass Intelligence provides threat hunting, IOC operationalization, and incident response support. Visit consulting.breakglass.tech to learn more.