30 Samples in 10 Days: SilverFox Weaponizes Scam Compound Fear and a Phone Farm Business Front to Target Chinese Diaspora
ValleyRAT + Gh0stRAT + RustyStealer under one umbrella — 75 C2 endpoints, ios163.com phone farm cover, registrant Peng Benbo identified
A Chinese man is beaten in a Myanmar scam compound for failing to meet his fraud quota. His hands are bound. A crowd watches. The video title promises the footage. The file is an .exe.
This is SilverFox in April 2026 -- and if you've been following our coverage of this threat actor, you already know the playbook has evolved again. What started as trojanized GFW bypass tools and fake HR documents in early March, then escalated to ChaCha20-encrypted VM RATs masquerading as Trend Micro a week later, has now metastasized into a sustained industrial-scale operation: 30+ samples in 10 days, three distinct malware families, 75 C2 endpoints across 17 domains, and infrastructure spanning Amazon AWS Hong Kong, Tencent Cloud, Alibaba, Huawei, and at least five other hosting providers.
The lures are designed for one audience: Chinese-speaking individuals, many of them likely diaspora. The themes exploit two of the most potent emotional triggers available -- fear of professional ruin and fear of physical violence in overseas scam compounds. The operator behind this campaign is not experimenting. They are running a production line.
The Cluster: Four Samples, Three Families, One Operation
On April 1, 2026, between 01:07 and 02:45 UTC, four samples tagged SilverFox appeared on MalwareBazaar from Japan. The reporter -- CNGaoLing, who has been the primary source for SilverFox sample submissions throughout March -- uploaded them in quick succession. Each sample deploys a different malware family, but all four share infrastructure patterns, obfuscation tooling, and targeting that places them firmly within the same operational umbrella.
| # | Family | Size | Filename | What It Pretends to Be |
|---|---|---|---|---|
| 1 | ValleyRAT | 3.4 MB | 2026年第二季度违规内职人员名单信息.exe | Q2 2026 Employee Violation List |
| 2 | ValleyRAT | 3.5 MB | 2026年第一季度内职人员违纪名单信息.exe | Q1 2026 Disciplinary Personnel List |
| 3 | Gh0stRAT | 484 KB | r6mrA.exe | (No social engineering -- stage-2 payload) |
| 4 | RustyStealer | 11.7 MB | 三佛塔黑园区内一名中国男子未达成业绩双手被捆殴打示众!.exe | "Chinese man beaten for not meeting quota" |
Three malware families. Two social engineering themes. One actor. Let's take them apart.
The Fear Factory: How SilverFox Weaponizes Chinese Anxiety
The lure filenames are not random. They are precision-engineered psychological operations targeting specific anxieties within Chinese-speaking populations.
Theme 1: The Disciplinary List
Samples 1 and 2 are disguised as quarterly employee violation and disciplinary lists. The filenames -- "2026年第二季度违规内职人员名单信息" and "2026年第一季度内职人员违纪名单信息" -- translate to "Q2 2026 Internal Employee Violation Name List" and "Q1 2026 Internal Disciplinary Personnel Name List."
We have documented this lure theme across every SilverFox wave since March. It works because in Chinese corporate and government environments, appearing on a disciplinary list is a career-defining event. The instinct is not to verify the sender. The instinct is to open the file immediately and find out if your name is on it. Sample 1 adds a subtlety -- wide-spaced characters in the filename to defeat basic string-matching filters.
Theme 2: The Scam Compound
Sample 4 plays on a different fear entirely. Its filename translates to: "A Chinese man in the San Fo Ta dark zone was beaten with his hands bound for failing to meet his quota!"
This exploits the very real and very publicized crisis of Chinese nationals being trafficked to forced-labor scam compounds in Myanmar, Cambodia, and Laos. The topic dominates Chinese-language social media. WeChat groups circulate rescue stories. News outlets run exposés. Fear of these compounds is so pervasive that it has become a cultural anxiety affecting not just potential victims but the entire Chinese diaspora -- families worry about relatives overseas, workers worry about suspicious job offers, and everyone clicks on content promising to show what happens inside the compounds.
SilverFox took that fear and turned it into an 11.7 MB executable.
The Broader Lure Library
These four samples are only the latest in a campaign that has been running at scale since at least March 22. Across the past 10 days, MalwareBazaar SilverFox submissions from the same reporter reveal an astonishing diversity of lure themes:
- Layoff notices: "裁员名单及补偿方案" (Layoff list and compensation plan)
- Chat log leaks: "1.5亿美切客聊天记录" (150 million USD chat logs)
- Trojanized Doubao AI: ByteDance's Doubao AI assistant, repackaged as doubao2026.zip.exe
- Fake Telegram installer: Telegram.exe
- Game cheats: "三角洲接触高危神器测试版" (Delta Force cheat tool beta)
- Cloudflare tunnel installer: Legitimate tool name, malicious payload
- Oray remote desktop: Chinese remote access tool, trojanized
- "Unban software": "解封软件" -- promises to unban banned accounts
Every single lure targets Chinese speakers. Every single one exploits a specific behavior pattern -- professional fear, curiosity, gaming culture, or the desire for free tools. This is not an actor throwing malware at a wall. This is a targeted content operation with a victim profile.
The Arsenal: Three Families, One Toolkit
Samples 1 & 2: ValleyRAT (Qt + Go Hybrid)
The ValleyRAT samples are the workhorses of this campaign. Both are PE32+ executables built on the Qt 5 framework with an embedded Go runtime -- an unusual hybrid that gives the operator the cross-platform UI capabilities of Qt with the networking flexibility of Go.
Both samples are protected by win64_protection, a commercial control flow flattening obfuscator. This is not custom obfuscation -- it is a paid product. The RTTI class name control_flow_flattener@win64_protection is embedded in the binary, confirming the tool. We have now seen win64_protection across multiple SilverFox waves, making it a reliable clustering indicator for this actor.
The anti-analysis suite is consistent across both samples:
- NtQueryInformationProcess for debugger detection
- NtRemoveProcessDebug to detach debuggers at runtime
- DbgUiSetThreadDebugObject to corrupt debug state
- Mutex creation for single-instance enforcement
Sample 2 goes further, importing WriteProcessMemory and VirtualAllocEx -- the classic process injection pair -- and embedding four high-entropy encrypted resources that are likely second-stage payloads. The Go runtime component handles network operations, while Qt provides the framework for the dropper shell. The version info fields in both samples contain randomized garbage strings ("KrGQrMWIYYBu", "QUuGdbsRjD") -- a characteristic SilverFox fingerprint that we have observed consistently across the campaign and that aids in clustering samples even when hashes rotate.
C2 addresses are encrypted within the binary and not extractable through static analysis alone. But we don't need static extraction -- the infrastructure is mapped through other means.
Sample 3: Gh0stRAT Variant
The smallest sample in the cluster at 484 KB, this is a Gh0stRAT variant compiled with MSVC. Its compilation timestamp -- October 10, 2025 -- makes it five months older than the other samples, indicating the operator is reusing proven tooling rather than building everything fresh.
It shares the same obfuscation stack as the ValleyRAT samples: win64_protection control flow flattening, NtQueryInformationProcess, NtRemoveProcessDebug, DbgUiSetThreadDebugObject. But it adds a layer: two TLS callbacks that execute before main() enters, performing anti-debug checks and potentially unpacking code before the entry point is reached. The 24 KB TLS section shows 0% entropy -- a hallmark of deferred decryption where the actual payload is reconstructed only at runtime.
Additional capabilities include CreateProcessAsUserW for launching processes under different user tokens, CreateWellKnownSid for token manipulation, and CreateToolhelp32Snapshot for process enumeration. This is a RAT designed for post-exploitation lateral movement, not initial access -- it is the tool that gets deployed after ValleyRAT establishes the foothold.
Gh0stRAT itself is one of the oldest Chinese-origin RATs still in active circulation, first appearing publicly around 2008. Its continued evolution under the SilverFox umbrella demonstrates how mature malware codebases can remain operationally relevant through sustained investment in obfuscation and capability updates.
Sample 4: RustyStealer
The largest sample at 11.7 MB, and the most technically interesting. This is a Rust-compiled launcher carrying a 5.5 MB AES-encrypted payload that represents approximately 47% of the total file size.
The PDB path is launcher.pdb -- minimal, but paired with the Rust cargo path C:\Users\dev\.cargo\, it confirms a Windows development environment with the generic username "dev." This is the same developer fingerprinting pattern we see across threat actors who use shared development machines or VMs provisioned specifically for malware compilation.
The encryption on the embedded payload is serious. Entropy analysis shows a perfectly flat byte distribution at 8.00 -- the theoretical maximum for random data, confirming strong encryption (AES) rather than simple encoding. Key material is generated via BCryptGenRandom, the Windows cryptographic PRNG, with the base64-0.21.7 crate handling encoding and anyhow-1.0.100 for error management.
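The following Python is an added triage example, not code from the report or the malware: it runs the sliding-window Shannon entropy measurement the paragraph above relies on over a constructed stand-in file (a low-entropy "code" region, a uniformly random blob standing in for the AES-encrypted payload, and a zero-filled 24 KB tail like the Gh0stRAT TLS section), rather than over the actual sample. All sizes and the 7.8 bits/byte threshold are assumptions chosen for the illustration.

```python
import math
from collections import Counter
from random import Random

HIGH_ENTROPY = 7.8   # bits/byte; encrypted or compressed data sits just under the 8.0 ceiling
WINDOW = 4096        # assumed scan granularity


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int) -> list:
    """(offset, length, entropy) for each fixed-size window; the final window may be short."""
    return [(off, len(data[off:off + window]), shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def merge_runs(profile: list, keep) -> list:
    """Merge consecutive windows accepted by `keep` into (offset, length) runs."""
    runs, start, end = [], None, None
    for off, length, ent in profile:
        if keep(ent):
            if start is None:
                start = off
            end = off + length
        elif start is not None:
            runs.append((start, end - start))
            start = None
    if start is not None:
        runs.append((start, end - start))
    return runs


def triage(data: bytes, window: int = WINDOW) -> dict:
    """Locate encrypted-looking blobs (near 8.0) and empty/deferred regions (exactly 0.0),
    and report what share of the file the encrypted-looking regions occupy."""
    profile = entropy_profile(data, window)
    high = merge_runs(profile, lambda e: e >= HIGH_ENTROPY)
    zero = merge_runs(profile, lambda e: e == 0.0)
    return {
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_runs": high,
        "high_entropy_fraction": round(sum(length for _, length in high) / len(data), 3),
        "zero_entropy_runs": zero,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a launcher binary (not the real sample): low-entropy 'code'
    drawn from a 16-byte alphabet, a random blob in place of the encrypted payload, and a
    zero-filled tail the size of the 24 KB TLS section. Seeded so results are repeatable."""
    rng = Random(2026)
    code = bytes(rng.choices(range(16), k=1_000_000))
    payload = rng.randbytes(900_000)
    tls_tail = bytes(24_576)
    return code + payload + tls_tail


if __name__ == "__main__":
    report = triage(build_sample())
    print(f"size={report['size']} overall_entropy={report['overall_entropy']}")
    for off, length in report["high_entropy_runs"]:
        print(f"encrypted-looking region @0x{off:x} len={length} "
              f"({length / report['size']:.0%} of file)")
    for off, length in report["zero_entropy_runs"]:
        print(f"zero-entropy region @0x{off:x} len={length}")
```

A window at 8.0 bits/byte tells you the bytes are encrypted or compressed, not which algorithm produced them; the zero-entropy run is the deferred-decryption pattern the report describes for the Gh0stRAT TLS section.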
But the most operationally significant feature is the persistence disguise system. RustyStealer selects from a pool of 20 legitimate-sounding executable names when writing itself to %ProgramData%:
SystemLauncher.exe FileManager.exe CloudAssistant.exe
DataExplorer.exe ImageViewer.exe ResourceMonitor.exe
AutoUpdater.exe DiskOptimizer.exe SecurityScanner.exe
PowerUtility.exe TaskHelper.exe DevToolkit.exe
AdminConsole.exe EventHandler.exe MediaProcessor.exe
JobScheduler.exe AppInstaller.exe PrivacyGuardian.exe
DesktopCompanion.exe ServiceController.exe
Any one of these filenames in C:\ProgramData\ would look perfectly normal during a casual forensic review. "SecurityScanner.exe"? Probably an AV component. "AutoUpdater.exe"? Standard software maintenance. "CloudAssistant.exe"? Some cloud sync tool. The randomization means no two infections will necessarily use the same filename, defeating signature-based detection that keys on specific persistence paths.
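As an added hunting example that is not part of the report, this Python applies the set-based detection the report recommends to a handful of constructed file-creation events (made-up hosts and process names, not real telemetry): it flags any of the 20 names only when written directly into the ProgramData root, since the same name under a vendor subfolder is ordinary software rather than the behaviour described above.

```python
import ntpath
import re

# The 20 disguise filenames RustyStealer chooses from (as listed in the report), lower-cased.
DISGUISE_NAMES = frozenset(name.lower() for name in (
    "SystemLauncher.exe", "FileManager.exe", "CloudAssistant.exe", "DataExplorer.exe",
    "ImageViewer.exe", "ResourceMonitor.exe", "AutoUpdater.exe", "DiskOptimizer.exe",
    "SecurityScanner.exe", "PowerUtility.exe", "TaskHelper.exe", "DevToolkit.exe",
    "AdminConsole.exe", "EventHandler.exe", "MediaProcessor.exe", "JobScheduler.exe",
    "AppInstaller.exe", "PrivacyGuardian.exe", "DesktopCompanion.exe", "ServiceController.exe",
))

# The ProgramData root on any system drive, e.g. "C:\ProgramData" (no subfolder allowed).
_PROGRAMDATA_ROOT = re.compile(r"^[a-z]:\\programdata$", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Unify slashes and expand the %ProgramData% variable the way the report writes it."""
    path = path.replace("/", "\\")
    path = re.sub(r"%programdata%", r"C:\\ProgramData", path, flags=re.IGNORECASE)
    return path.rstrip("\\")


def is_disguise_hit(path: str) -> bool:
    """True only when one of the 20 names sits directly in the ProgramData root.
    C:\\ProgramData\\SomeVendor\\AutoUpdater.exe is deliberately not a hit."""
    parent, name = ntpath.split(normalize_path(path))
    return bool(_PROGRAMDATA_ROOT.match(parent)) and name.lower() in DISGUISE_NAMES


def hunt(events: list) -> list:
    """Return (host, writing process, path) for every file-create event that matches."""
    return [(e["host"], e["process"], e["path"]) for e in events if is_disguise_hit(e["path"])]


# Constructed file-create events standing in for EDR telemetry; hosts and processes are made up.
SAMPLE_EVENTS = [
    {"host": "WS-017", "process": "lure.exe", "path": "C:\\ProgramData\\SecurityScanner.exe"},
    {"host": "WS-017", "process": "SecurityScanner.exe", "path": "%ProgramData%\\AutoUpdater.exe"},
    {"host": "WS-022", "process": "explorer.exe", "path": "c:/programdata/TASKHELPER.EXE"},
    {"host": "WS-031", "process": "msiexec.exe",
     "path": "C:\\ProgramData\\ExampleVendor\\AutoUpdater.exe"},            # subfolder: benign
    {"host": "WS-031", "process": "svchost.exe",
     "path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\x.bin"},  # not in the set
    {"host": "WS-040", "process": "setup.exe",
     "path": "C:\\Program Files\\ExampleApp\\FileManager.exe"},             # wrong directory
]

if __name__ == "__main__":
    for host, proc, path in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {proc} wrote {path}")
```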
75 C2 Endpoints Across 17 Domains
The infrastructure behind this campaign is massive and deliberately distributed across providers that are unlikely to coordinate on abuse reports.
The Cloud Provider Spread
| Provider | ASN | Region | C2 Count | Notes |
|---|---|---|---|---|
| Amazon AWS | AS16509 | Hong Kong | 4 | 43.198.x.x, 43.199.x.x, 16.163.x.x |
| Tencent Cloud | AS132203 | China | 3 | 119.28.x.x, 124.156.x.x |
| Antbox Networks | AS138995 | Hong Kong | 3 | 108.187.x.x, 192.238.x.x |
| Tcloudnet | AS399077 | US | 2 | 206.238.180.x |
| Alibaba Cloud | AS45102 | China | 2 | 47.76.x.x, 8.210.x.x |
| Huawei Cloud | AS55990 | China | 1 | 113.44.x.x |
| AROSSCLOUD | AS400619 | US/HK | 2 | 103.215.x.x, 183.90.x.x |
| CTG Server Limited | AS152194 | Hong Kong | 1 | 27.124.42.x |
| N963 PTE LTD | AS963 | Singapore | 1 | 180.178.56.x |
The geographic pattern is clear: Hong Kong as the primary C2 hub, mainland China for secondary infrastructure, and scattered nodes in Singapore and the US for redundancy. AWS Hong Kong is the single largest hosting provider in the cluster -- four C2 IPs in the ap-east-1 region, a choice that puts the infrastructure physically close to both mainland China and Southeast Asian targets while operating under Amazon's jurisdiction.
The Tcloudnet subnet is particularly notable: three distinct C2 addresses in the same /24 block (206.238.180.6, 206.238.180.176, 206.238.180.192, 206.238.180.233), all operating on port 6666 except the first on 5555. This suggests a bulk provisioning pattern -- the operator purchased a block and deployed C2 listeners across it.
The Domain Infrastructure
| Domain | Registrar | Created | IP | Status |
|---|---|---|---|---|
| qyttqxsdf[.]cn | 22.cn | ~2026-01 | 43.198.29.200 | LIVE |
| ios163[.]com | NameSilo | 2025-02-19 | 193.42.24.214 | LIVE |
| qn666[.]us | NameSilo | 2025-08-21 | 193.42.24.214 | LIVE |
| yunduans[.]com | Gname.com | 2026-02-01 | 185.106.179.30 | LIVE |
| ggkbnotnox[.]cn | -- | -- | 43.199.181.98 | LIVE |
| cfngrohokspd[.]cn | -- | -- | 43.199.16.35 | LIVE |
| zoomqwer[.]com | Onamae.com (JP) | 2026-02-11 | 45.202.1.36 | LIVE |
| aaavugcuvkjbibihb[.]cc | -- | -- | 16.163.105.153 | LIVE |
| jjvbubodsfds[.]cn | -- | -- | 43.199.181.98 | LIVE |
Two shared-IP clusters stand out immediately:
- ios163[.]com and qn666[.]us both resolve to 193.42.24.214, both registered through NameSilo
- ggkbnotnox[.]cn and jjvbubodsfds[.]cn both resolve to 43.199.181.98 (AWS Hong Kong)
The registrar clustering is a strong operational fingerprint. Gname.com -- a Singapore-based registrar that we flagged in our March 10 ValleyRAT investigation as a recurring choice for SilverFox infrastructure -- appears again. NameSilo is the other preferred registrar. Combined with Chinese-specific registrar 22.cn for the .cn domains, this three-registrar pattern has now been consistent across every SilverFox infrastructure cluster we've tracked.
The Phone Farm: ios163.com and the Business Behind the Malware
The most striking infrastructure finding is not a C2 server. It is a business.
The primary C2 domain ios163[.]com resolves to 193.42.24.214, where port 80 hosts a fully functional Chinese-language website titled "跨屏中控平台 [AI] 2.0" -- "Cross-Screen Control Center [AI] 2.0." This is a phone farm control platform advertising:
- IOS群控 -- iOS mass device control
- 手机群控 -- Phone mass control
- 跨屏中控 -- Cross-screen central control
- AI自动化 -- AI automation
The site carries verification tags for Baidu, Bing, and Google -- active SEO efforts to attract customers. The page dates to November 2025. This is not a hastily thrown-up cover page. This is a business that has been operating for months.
The server stack tells its own story:
- Port 21: FTP
- Port 80: nginx (phone farm platform)
- Port 443: Let's Encrypt TLS for ios163[.]com
- Port 3306: MySQL 5.5.62-log -- end of life, exposed to the internet
- Port 8816: nginx (BaoTa default page, dated January 2025)
- Port 8888: BaoTa Panel (Chinese server management panel)
BaoTa (宝塔面板) is the most popular server management panel in China. Its presence confirms a Chinese-operated server. The exposed MySQL 5.5.62 instance is an OPSEC failure and a vulnerability -- MySQL 5.5 reached end of life in December 2018.
The operational pattern here is one we've seen repeatedly in Chinese cybercrime: a legitimate or semi-legitimate technology business providing cover for malware operations. Phone farm control platforms are legal gray areas -- used for social media manipulation, app store review farming, and mass account registration. Running ValleyRAT C2 infrastructure on the same server blurs the line between the business traffic and the malware traffic. Any analyst looking at connections to ios163[.]com would see what appears to be a phone farm management service, not a RAT command-and-control server.
The domain qn666[.]us shares the same IP, and its subdomain cvv[.]qn666[.]us is particularly suggestive -- "CVV" is industry shorthand for payment card verification values, a term that appears almost exclusively in the context of financial fraud.
The Developer: Peng Benbo (彭本波)
The WHOIS record for qyttqxsdf[.]cn was not privacy-protected.
- Registrant: Peng Benbo (彭本波)
- Email: di823748@163[.]com
- Registrar: 22.cn (杭州电商互联科技有限公司 -- Hangzhou E-Commerce Internet Technology Co., Ltd.)
163.com is NetEase's email service -- one of the largest email providers in China. The registration was made through a Chinese registrar with Chinese-language WHOIS data. This is either the operator's real identity or a carefully constructed Chinese persona -- but the use of a .cn registrar that requires Chinese identity verification makes it more likely that there is a real individual behind this name.
The RustyStealer build path adds another piece: C:\Users\dev\.cargo\ confirms a Windows machine with the username "dev" -- almost certainly a dedicated build VM. The generic username suggests operational awareness (no one names their build machine with their real name), but the PDB path launcher.pdb was left in the binary, and the .cargo path confirms the Rust development environment was not sanitized before compilation.
Campaign Timeline: 10 Days of Sustained Operations
| Date | Event | Notable Samples |
|---|---|---|
| Mar 16 | First ValleyRAT C2s reported to ThreatFox | Multiple IPs |
| Mar 22 | Document-themed lures begin | 77979.exe, MSI sideloading |
| Mar 23 | Layoff panic lures | 裁员名单及补偿方案 |
| Mar 24 | Trojanized legitimate tools | cloudflared_installer.exe |
| Mar 25 | Account recovery lures | 解封软件.exe |
| Mar 26 | Messaging app impersonation | Telegram.exe |
| Mar 27 | AI application lures | doubao.exe, doubao2026.zip.exe |
| Mar 29 | DLL sideloading technique | avutil-56.dll |
| Mar 30 | Reused Q2 violation lure | Same filename recycled |
| Mar 31 | Large dropper deployment | 20 MB Files.exe |
| Apr 1 | This cluster | 4 samples, 3 families, 01:07-02:45 UTC |
The pace is remarkable. A new lure theme or technique variant every one to two days. The Doubao AI lure on March 27 is particularly noteworthy -- ByteDance's Doubao is one of the most popular AI assistants in China, and trojanizing it as doubao2026.zip.exe represents opportunistic exploitation of the AI adoption wave sweeping Chinese-speaking populations. Similarly, the fake Telegram installer on March 26 targets a specific behavior: Chinese users outside the Great Firewall increasingly rely on Telegram for uncensored communication, making a convincing Telegram installer an effective delivery mechanism.
The SilverFox Arsenal: A Continuing Escalation
This is the fourth SilverFox campaign we have documented on Breakglass Intelligence since March 2026. The progression tells a story:
| Wave | Date | Primary Family | Obfuscation | C2 Transport | Scale |
|---|---|---|---|---|---|
| Wave 1 | Mar 10 | ValleyRAT | XOR 0x44 | KCP UDP | 22 C2 IPs, 5 domains |
| Wave 2 | Mar 14 | ValleyRAT/Winos4.0 | XOR + MPRESS | KCP, Winos binary proto | 5 samples |
| Wave 3 | Mar 16 | Custom VM RAT | ChaCha20 + custom VM | MSRPC | 1 sample, high sophistication |
| Wave 4 | Apr 1 | ValleyRAT + Gh0stRAT + RustyStealer | Commercial CFG flattener | Multi-protocol | 30+ samples, 75 C2s, 17 domains |
The escalation from 22 C2 IPs in Wave 1 to 75 C2 endpoints in Wave 4 represents a threefold infrastructure expansion in three weeks. The introduction of RustyStealer -- compiled in Rust with AES encryption and a 20-name persistence disguise system -- shows active development investment. The simultaneous deployment of three malware families (ValleyRAT for access, Gh0stRAT for persistence, RustyStealer for credential theft) represents a mature operational model where different tools serve different functions in the kill chain.
The common thread across all four waves: win64_protection commercial obfuscation, Chinese-language lures targeting Chinese-speaking individuals, and the Gname.com/NameSilo registrar fingerprint. These are not coincidences. This is one operation.
Attribution
Confidence: HIGH -- Chinese-nexus threat actor
The evidence is cumulative and consistent:
- Every lure filename is in Simplified Chinese targeting Chinese speakers
- The registered domain qyttqxsdf[.]cn uses Chinese WHOIS data (Peng Benbo, 163.com email) through a Chinese registrar (22.cn) that requires identity verification
- Infrastructure is hosted primarily on Chinese cloud providers (Tencent, Alibaba, Huawei) and in Hong Kong
- The ios163[.]com phone farm platform is entirely Chinese-language, uses BaoTa panel, and targets the Chinese phone farm market
- SilverFox/ValleyRAT has been consistently attributed to Chinese cybercrime operations by multiple security vendors
- Lure themes (scam compound fear, corporate disciplinary lists, Doubao AI, GFW bypass tools) are specific to Chinese cultural and regulatory context
The targeting of Chinese-speaking individuals -- including those outside China -- raises the question of whether this is pure cybercrime or whether it serves a dual intelligence-collection purpose. The scam compound lures specifically target diaspora communities. The corporate disciplinary lures target employees of Chinese organizations. The Telegram lure targets individuals seeking uncensored communications. Whether the motivation is credential theft, espionage, or both, the victim population is deliberately constrained.
Indicators of Compromise
File Hashes (SHA256)
c709ed855b596e46c4df8eb3ff6d50ca55869ae9deb59e04a49fd2df31f77c71 ValleyRAT (Q2 violation list)
7f707cb02409b31b80cf4428fbc882cde513e20d105391b8cec298940579e23b ValleyRAT (Q1 disciplinary list)
a1a0f35f0ac483a6c5649f6fa338952c2d2c457d2cb1b2fcef16bdc96fdfdb8b Gh0stRAT variant
74edf6950c62bc4cfbaeb1a101316f231ca010cc9777d2e42d46a174cbdac598 RustyStealer launcher
Import Hashes
61b4bdff5a843253fda17e1b05c1163d Sample 1 (ValleyRAT)
9248b3c5b16c1df2706eb88158973504 Sample 2 (ValleyRAT)
7a15cf80d129fadedf5f35c9333315ba Sample 3 (Gh0stRAT)
60c512b6ba9defda3d35824d56a5ffa5 Sample 4 (RustyStealer)
Registrant Intelligence
Name: Peng Benbo (彭本波)
Email: di823748@163[.]com
Domain: qyttqxsdf[.]cn
Registrar: 22.cn
Persistence Paths (RustyStealer)
%ProgramData%\SystemLauncher.exe
%ProgramData%\FileManager.exe
%ProgramData%\CloudAssistant.exe
%ProgramData%\DataExplorer.exe
%ProgramData%\ImageViewer.exe
%ProgramData%\ResourceMonitor.exe
%ProgramData%\AutoUpdater.exe
%ProgramData%\DiskOptimizer.exe
%ProgramData%\SecurityScanner.exe
%ProgramData%\PowerUtility.exe
%ProgramData%\TaskHelper.exe
%ProgramData%\DevToolkit.exe
%ProgramData%\AdminConsole.exe
%ProgramData%\EventHandler.exe
%ProgramData%\MediaProcessor.exe
%ProgramData%\JobScheduler.exe
%ProgramData%\AppInstaller.exe
%ProgramData%\PrivacyGuardian.exe
%ProgramData%\DesktopCompanion.exe
%ProgramData%\ServiceController.exe
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing | T1566 |
| Execution | User Execution: Malicious File | T1204.002 |
| Persistence | Registry Run Keys | T1547.001 |
| Persistence | Masquerading: Match Legitimate Name | T1036.005 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Encrypted/Encoded File | T1027.013 |
| Defense Evasion | Debugger Evasion | T1622 |
| Defense Evasion | Process Injection | T1055 |
| Credential Access | Credentials from Password Stores | T1555 |
| Command and Control | Application Layer Protocol | T1071 |
| Command and Control | Multi-Stage Channels | T1104 |
Recommendations
For defenders: Search your EDR for any of the 20 RustyStealer persistence names in %ProgramData%. These are generic enough to blend in but specific enough that the exact set of 20 names is a high-confidence detection. Block the C2 domains and IPs at your network perimeter. Monitor for win64_protection-obfuscated binaries -- the RTTI string control_flow_flattener@win64_protection is a reliable signature.
For threat intelligence teams: The registrant Peng Benbo (彭本波) and the email di823748@163[.]com should be monitored for new domain registrations. The Gname.com and NameSilo registrar pattern, combined with .cn domains on 22.cn, provides a reliable infrastructure prediction model. Track MalwareBazaar submissions from CNGaoLing for new samples in real time.
For organizations with Chinese-speaking employees: Alert your workforce to the disciplinary list lure pattern. SilverFox has used "violation list" and "disciplinary personnel" filenames continuously since March. If your HR department does not distribute employee lists as .exe files -- and it shouldn't -- this should be an easy awareness win.
For cloud providers: Amazon AWS Hong Kong region (ap-east-1) is the single largest C2 hosting location in this cluster. Tencent Cloud host 119.28.137.199 is vulnerable to CVE-2020-0796 (SMBGhost). Huawei Cloud host 113.44.44.102 exposes RDP and RPC on a server running an end-of-life operating system. Abuse reports have been filed.
This investigation was produced by Breakglass Intelligence's autonomous GHOST system. Infrastructure analysis was performed via passive and semi-passive reconnaissance. All C2 endpoints were confirmed live at time of analysis. Abuse reports have been filed with Amazon AWS, Tencent Cloud, Huawei Cloud, Alibaba Cloud, and NameSilo.
Breakglass Intelligence | April 1, 2026