A Chinese-language spear-phishing campaign distributing a custom C++ PE64 loader (tagged **SilverFox / SliverFox**) targeting Chinese-speaking organiz
TL;DR: A Chinese-nexus threat actor distributed a sophisticated C++ loader (SilverFox/SliverFox) through HR-themed spear-phishing against Chinese-speaking organizations, and accidentally registered their C2 domain using a real name and personal email address, handing investigators a rare attribution anchor.
Executive Summary
On March 13, 2026, a sample arrived in MalwareBazaar with an innocuous-looking filename: 2026.03.13...人员名单.exe ("Personnel Roster"). Behind the HR lure was a professionally engineered PE64 loader with a full anti-analysis stack, process hollowing capability, BITS-based persistence, and a single C2 domain beaconing over TCP port 8880. Researchers tagged it SilverFox (also stylized SliverFox).
What made this campaign immediately stand out was not the malware's sophistication but the actor's sloppiness at domain registration. The C2 domain vbnghyyttz[.]cn was registered on January 6, 2026, under the name 彭本波 (Peng Benbo) with the email address di823748[@]163[.]com, a real Chinese consumer email account on NetEase's 163.com platform. For a loader with this level of technical investment, the OPSEC failure is glaring, and it opens a direct pivot path to additional infrastructure operated by the same actor.
The campaign launched no later than March 11, 2026, with at least seven distinct binary variants, all sharing the same C2 endpoint. Delivery mechanisms include both spear-phishing with HR-themed lures and trojanized legitimate software (LEViewer.exe), suggesting an actor comfortable operating at multiple points of the initial access kill chain.
What Was Found vs. What Was Known
| Dimension | Previously Known | This Investigation |
|---|---|---|
| Malware family | SilverFox tracked by CNGaoLing on MalwareBazaar | Full static + behavioral analysis of primary sample |
| Campaign scope | Individual samples surfaced | 7 campaign siblings confirmed, all sharing single C2 |
| C2 infrastructure | Domain observed | Full WHOIS pivot: registrant name + email recovered |
| Delivery method | Spear-phishing suspected | Confirmed HR lures + trojanized LEViewer.exe variant |
| Anti-analysis depth | Generic AV labels | Full capability inventory: BP scan, PEB check, 14+ tool strings, geofencing, stealth timeout |
| Persistence | Unknown | BITS + dual SoftwareProtectionPlatform scheduled tasks |
| Timeline | Sample-level | Domain registered 67 days before first sample; infrastructure pre-staging confirmed |
Technical Analysis
The Loader Architecture
The primary sample is a 2.08 MB MSVC-compiled PE64 GUI executable built with Visual Studio 2017 (compiler version 19.16.27054). The PE timestamp reads 2026-03-13 05:36:08 UTC, approximately nine hours before first appearance on MalwareBazaar, and there is no evidence of timestamp spoofing, making this a reliable compilation anchor.
Six of the binary's PE section names are entirely blank, a deliberate stripping technique to defeat section-name-based YARA rules and automated signature scanners. Entropy values across sections range from 4.48 to 5.87, consistent with compiled native code and ruling out secondary packers like UPX. The binary ships ready to execute.
The static import table is intentionally sparse. Only three DLLs appear: KERNEL32.dll, USER32.dll, and SHELL32.dll. The KERNEL32 imports include the pair that matters most: GetProcAddress and LoadLibraryA. Paired with such a thin IAT, this confirms the loader resolves the majority of its functional API surface dynamically at runtime, a standard fingerprinting countermeasure that forces analysts to trace execution rather than read imports.
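The two static traits above (blank section names and native-code entropy without a packer) can be checked without third-party tooling. The following is an added example, not code from the original report: a minimal COFF section-table walker that counts blank section names and measures per-section entropy, run on a constructed PE skeleton that imitates those traits. `build_test_pe` and `SAMPLE_PE` are constructed fixtures, not the real sample.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0


def parse_sections(pe: bytes) -> list[dict]:
    """Walk the COFF section table and return name + raw-data entropy per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name, "entropy": round(entropy, 2)})
    return sections


def triage(pe: bytes) -> dict:
    """Flag blank section names whose data sits in the native-code entropy band (no packer)."""
    secs = parse_sections(pe)
    blank = sum(1 for s in secs if s["name"] == "")
    packed = any(s["entropy"] > 7.0 for s in secs)
    return {"sections": len(secs), "blank_names": blank,
            "packed_hint": packed, "suspicious": blank > 0 and not packed}


def build_test_pe(names: list[bytes], payloads: list[bytes]) -> bytes:
    """Constructed, non-executable PE skeleton (DOS stub, COFF header, section table)."""
    e_lfanew, opt_size = 0x40, 240  # 240 = PE32+ optional header size
    table = e_lfanew + 24 + opt_size
    data_start = table + 40 * len(names)
    hdr = bytearray(data_start)
    hdr[0:2], hdr[e_lfanew:e_lfanew + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x8664, len(names))  # AMD64, section count
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)
    body = bytearray()
    for i, (name, payload) in enumerate(zip(names, payloads)):
        off = table + i * 40
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", hdr, off + 16, len(payload), data_start + len(body))
        body += payload
    return bytes(hdr) + bytes(body)


# Constructed sample: one named section of fake x64 code plus two blank-named sections.
SAMPLE_PE = build_test_pe([b".text", b"", b""], [b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20" * 100,
                                                  b"\x00\x01\x02\x03" * 64, b"ABCDEFGH" * 32])
```

On a real file, pass `open(path, "rb").read()` to `triage`; a packer would push section entropy toward 8 and clear the `suspicious` flag, which is exactly the band the report rules out for this sample.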
Anti-Analysis Stack (T1622, T1497.001, T1497.002, T1057)
SilverFox implements a layered anti-analysis stack that would frustrate both automated sandbox detonation and manual debugging:
Software Breakpoint Detection (B0001.025): The loader scans function bodies for 0xCC (INT3) and 0xCD 0x03 byte sequences in a loop. Any debugger that sets software breakpoints will be detected and the process terminates.
PEB BeingDebugged Check (B0001.035): The binary reads the BeingDebugged byte at PEB offset 0x02 via gs:[0x60] β a low-level check that operates below the API layer and is invisible to most automated sandbox instrumentation.
Analysis Tool Enumeration: The binary enumerates running processes via CreateToolhelp32Snapshot + Process32FirstW + Process32NextW (T1057) and terminates if any of the following process names are matched: ollydbg, ProcessHacker, ida, ida64, Wireshark, dumpcap, x64dbg, x32dbg, Fiddler, windbg, joeboxcontrol, LordPE, PETools, ImportREC, and additional entries. The actor's familiarity with this specific toolset is notable: it covers the standard reverse-engineering stack used by Windows malware analysts.
Stealth Timeout: Sandbox behavioral reports flag a "possible date expiration check, exits too soon after checking local time." The binary appears to have a hardcoded activation window and will silently exit outside of it, which explains the relatively low detection ratio of 23/76 at time of analysis, as many sandboxes would have reported a clean run.
Geofencing (T1614.001, T1082): The loader checks keyboard layout, queries system locale via the registry (HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US and ExtendedLocale\en-US), and contains the embedded wide string zh-CHS, suggesting the payload activates specifically when Chinese Simplified locale is detected. A non-Chinese system may see no malicious behavior at all.
Dynamic Resolution and Runtime Linking (T1027, T1027.002, T1129)
Beyond the IAT-stripping technique, the binary implements direct PE export table walking β parsing IMAGE_EXPORT_DIRECTORY offsets (0x14, 0x18, 0x1C, 0x20, 0x24) to resolve function pointers from already-loaded modules without invoking GetProcAddress in the hot path. CAPA confirms 5+ functions resolved at runtime. This is consistent with a custom API hashing or PEB.Ldr walking routine designed to survive IAT-based detection even during dynamic analysis.
Injection and Execution (T1055.012)
The loader's payload delivery mechanism is process hollowing. Execution flow proceeds as follows: the binary creates a child process in suspended state (CREATE_SUSPENDED), calls VirtualProtect to mark a memory region PAGE_EXECUTE_READWRITE (0x40), writes shellcode or the final payload into the target process via WriteProcessMemory, and resumes the thread. Sandbox telemetry specifically records: "Process software.exe with process ID 6356 wrote to the memory of process handle 0x00000290", with services.exe observed as the injection target.
The binary requires administrator privileges via manifest (requireAdministrator), meaning victims must either already run with elevated rights or explicitly grant UAC elevation. The HR-lure context makes social engineering for this grant plausible: a user opening what they believe is a personnel roster from a trusted sender is likely to click through a UAC prompt.
Cryptographic Primitives
Two cryptographic primitives are confirmed in the binary:
- Mersenne Twister PRNG (C0021): Constants 0x6C078965, 0x9908B0DF, 0x9D2C5680, and 0xEFC60000 are confirmed. MT is likely used to seed session identifiers or generate encryption keys for the C2 channel, consistent with a custom binary protocol.
- Luhn Algorithm (C0032.002): Credit card validation logic is present, raising the possibility that the final payload includes a financial data harvester. This warrants monitoring if the post-exploitation stage is ever recovered.
Persistence (T1197, T1053.005)
The loader establishes persistence through two mechanisms: it activates the BITS and WSearch services, and it creates scheduled tasks under:
C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\
- SvcRestartTaskLogon
- SvcRestartTaskNetwork
- SvcRestartTask
Abusing the SoftwareProtectionPlatform task path is a known living-off-the-land persistence technique: it blends with legitimate Windows licensing infrastructure and may be overlooked by endpoint defenders scanning task folders.
Self-Deletion (T1070.004)
After injecting its payload, the binary executes:
C:\Windows\System32\cmd.exe /c timeout 2 & del /f /q "<binary_path>"
The two-second timeout ensures the parent process fully exits before deletion. This behavior was confirmed across all campaign samples; it is a hard-coded cleanup routine, not incidental.
Attack Chain
DELIVERY
Spear-phishing email → HR lure attachment
"2026.03.13...人员名单.exe" (Personnel Roster)
    OR
Trojanized legitimate software (LEViewer.exe)
↓
EXECUTION (T1566.001, T1036)
Victim launches binary, grants UAC elevation
Anti-debug + anti-VM + geofencing checks run
If any check fails: silent exit
↓
INJECTION (T1055.012)
CreateProcess(CREATE_SUSPENDED) → VirtualProtect(RWX)
→ WriteProcessMemory → ResumeThread
Target: services.exe / svchost.exe
↓
C2 BEACON (T1071.001)
DNS: vbnghyyttz[.]cn → 18[.]163[.]176[.]215
TCP connect to 18[.]163[.]176[.]215:8880
Custom binary protocol (MT-seeded encryption suspected)
↓
PERSISTENCE (T1197, T1053.005)
BITS service activation + WSearch
SoftwareProtectionPlatform scheduled tasks written
↓
CLEANUP (T1070.004)
cmd.exe /c timeout 2 & del /f /q <binary>
↓
POST-EXPLOITATION
Awaiting operator tasking via C2
Infrastructure Analysis
The C2 Domain
vbnghyyttz[.]cn follows a DGA-pattern construction: high consonant density, no recognizable word roots, random character distribution. VirusTotal has independently tagged it with the dga label. The domain was registered January 6, 2026, 67 days before the earliest known campaign sample on March 11. This pre-staging gap is an operational signature: the actor builds infrastructure well ahead of deployment, a pattern consistent with planned spear-phishing campaigns rather than opportunistic commodity malware distribution.
The single A record resolves to 18[.]163[.]176[.]215, an Amazon EC2 instance in the ap-east-1 (Hong Kong) region. AWS Hong Kong is a recurring infrastructure preference among Chinese-nexus threat actors due to low latency to mainland targets, regional trust assumptions in network monitoring, and the ease of provisioning cloud infrastructure.
Port 8880 is not a standard application port. The choice may reflect an attempt to blend with HTTP alternate-port traffic or to pass through firewall rules configured only around common web ports (80, 443, 8080). No TLS certificate transparency records exist for the domain, suggesting the C2 channel uses either a custom binary protocol or the loader's own encryption layer, with the Mersenne Twister seeded session key as the most probable candidate.
The Attribution Anchor
The registrant data for vbnghyyttz[.]cn represents an unusual and consequential OPSEC failure:
- Registrant name: 彭本波 (Peng Benbo)
- Registrant email: di823748[@]163[.]com
- Registrar: 杭州电商互联科技有限公司 (Hangzhou e-commerce technology)
- Nameservers: ns1[.]22[.]cn, ns2[.]22[.]cn
The 163.com domain is operated by NetEase and is one of the most common personal email providers in China. The use of a personal consumer email, rather than a privacy-protected registration or throwaway account, indicates either complacency or an assumption that .cn WHOIS data would not be scrutinized. The registrant name has the linguistic structure of a real Chinese personal name and should be treated as a genuine attribution lead.
Critical pivot: The email di823748[@]163[.]com should be queried against all accessible domain registrar WHOIS records, OSINT databases, and certificate transparency logs. If this email was used consistently across the actor's infrastructure registrations (even for domains that have since expired), it will map the full scope of SilverFox campaign infrastructure.
Defensive Recommendations
Network Controls:
- Block outbound TCP to 18[.]163[.]176[.]215 on all ports, with priority on port 8880
- DNS-block vbnghyyttz[.]cn at resolver level
- Alert on outbound connections to any .cn TLD domain on non-standard ports (not 80/443)
Endpoint Detection:
- Hunt for scheduled tasks under Microsoft\Windows\SoftwareProtectionPlatform\, specifically the SvcRestartTask* variants, which are not created by legitimate Windows components
- Alert on cmd.exe spawned with arguments matching the timeout * & del /f /q pattern; this is the self-deletion signature
- Monitor for BITS service activation events paired with new scheduled task creation in the same session
Process Injection:
- Alert on CREATE_SUSPENDED process creation followed by WriteProcessMemory into that process from a non-system parent
- Monitor for VirtualProtect calls setting PAGE_EXECUTE_READWRITE originating from GUI-subsystem executables
File-based:
- Block execution of PE files requiring requireAdministrator privilege from user-controlled directories (Desktop, Downloads, Temp)
- Detect on blank PE section names combined with sparse import tables and GetProcAddress/LoadLibraryA presence
Threat Intelligence:
- Pivot the email di823748[@]163[.]com against registrar WHOIS databases for additional infrastructure discovery
- Monitor MalwareBazaar for new samples tagged SilverFox or SliverFox submitted by CNGaoLing
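The network and endpoint items above (the C2 endpoint, .cn connections on non-standard ports, the SvcRestartTask* path, the self-deletion command line, and BITS activation paired with task creation in one session) can be expressed as correlation logic over process, file, service and network telemetry. The following is an added example, not the report's own detection content, run over constructed events; the field names (`type`, `session`, `image`, `cmdline`, `path`, `dst_ip`, `dst_port`, `dst_host`) are assumptions standing in for whatever the EDR or SIEM exports.

```python
import re

# Indicators from the report, kept defanged as published and refanged only for matching.
C2_IP = "18[.]163[.]176[.]215".replace("[.]", ".")
C2_DOMAIN = "vbnghyyttz[.]cn".replace("[.]", ".")
TASK_MARKER = r"\softwareprotectionplatform\svcrestarttask"  # covers all SvcRestartTask* variants
SELF_DELETE = re.compile(r"\btimeout\s+\d+\s*&\s*del\s+/f\s+/q\b", re.IGNORECASE)


def match_event(ev: dict) -> list[str]:
    """Per-event rules for the self-deletion, task-path and network items above."""
    hits = []
    if ev["type"] == "process":
        if ev["image"].lower().endswith("\\cmd.exe") and SELF_DELETE.search(ev["cmdline"]):
            hits.append("self_delete_chain")
    elif ev["type"] == "file" and TASK_MARKER in ev["path"].lower():
        hits.append("spp_svcrestart_task")
    elif ev["type"] == "network":
        host = ev.get("dst_host", "").lower()
        if ev["dst_ip"] == C2_IP or host == C2_DOMAIN:
            hits.append("c2_endpoint")
        elif host.endswith(".cn") and ev["dst_port"] not in (80, 443):
            hits.append("cn_tld_nonstandard_port")
    return hits


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Run the per-event rules, then correlate BITS activation with task creation per session."""
    alerts, bits_sessions, task_sessions = set(), set(), set()
    for ev in events:
        for rule in match_event(ev):
            alerts.add((rule, ev["session"]))
            if rule == "spp_svcrestart_task":
                task_sessions.add(ev["session"])
        if ev["type"] == "service" and ev["name"].upper() == "BITS" and ev["state"] == "started":
            bits_sessions.add(ev["session"])
    for session in bits_sessions & task_sessions:
        alerts.add(("bits_with_task_creation", session))
    return sorted(alerts)


# Constructed telemetry: session 7 mimics the report's chain; session 3 is unrelated admin
# activity whose only hit is a .cn connection on a non-standard port (the weaker TLD rule).
SAMPLE_EVENTS = [
    {"type": "process", "session": 7, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout 2 & del /f /q "C:\Users\hr\Downloads\roster.exe"'},
    {"type": "file", "session": 7,
     "path": r"C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon"},
    {"type": "service", "session": 7, "name": "BITS", "state": "started"},
    {"type": "network", "session": 7, "dst_ip": C2_IP, "dst_port": 8880, "dst_host": C2_DOMAIN},
    {"type": "process", "session": 3, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "file", "session": 3, "path": r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"type": "network", "session": 3, "dst_ip": "203.0.113.10", "dst_port": 8443, "dst_host": "example.cn"},
]
```

Because the SoftwareProtectionPlatform folder also holds Windows' own licensing tasks, baseline existing task timestamps and the creating process before treating a path hit on its own as malicious; the session-level pairing with BITS activation is the stronger signal.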
Indicators of Compromise
File Indicators
| Type | Value | Context |
|---|---|---|
| SHA-256 | 1d0351d580e3c10a3178b614d70d1867cb003ff8da0a25fbeb1e8a75e0aad68a | Primary sample, 2026-03-13 |
| SHA-1 | 730dac84723982fe9bf65ac086ababb0bbea04c1 | Primary sample |
| MD5 | d9bdc7e6df3245feee2f9666e52ac922 | Primary sample |
| Imphash | 24587f39ebe7f0e9605e30bcc578e5dc | Shared across campaign variants |
| SHA-256 | d58d74c038f96715064d9f28ebb8a2e89c715e11fad04e3011fa76d693fdd296 | HR lure, 2026-03-11 (earliest known) |
| SHA-256 | 7303323e80e09defe14742b7196ea1dea891eeb5e24ac88892cea4e9dcb1e4cb | LEViewer[.]exe trojanized variant |
| SHA-256 | de77a2ad240ad63b1fd22f81bd74a52dc7a82dbf454d02c93bb4cfb50dadc5e2 | LEViewer[.]exe trojanized variant (higher detections) |
| SHA-256 | 7c4bbb982d99092e3afa1ea99f0b5b4b24126800db166389f870a335c1ab55cd | Random-named variant (OvQSFwYzIy[.]exe) |
| SHA-256 | e84df040392614ea4da94fe085eb2f48afa88271419206fdd90b3cf0a4ac993c | Random-named variant (JeCKLggGkMha[.]exe) |
| SHA-256 | a85188389fe806216a778fa48b5dd1af1b41afcf735a10c8efa22784de801445 | Random-named variant (OTPyJgazJVHZ[.]exe) |
| Filename | 2026.03.13...人员名单.exe | HR lure: "Personnel Roster" |
| Filename | 2026.03.11...人员信息F@.exe | HR lure: "Personnel Information" |
Network Indicators
| Type | Value | Context |
|---|---|---|
| Domain | vbnghyyttz[.]cn | C2 domain, DGA-style, registered 2026-01-06 |
| IP | 18[.]163[.]176[.]215 | C2 server, AWS ap-east-1 Hong Kong |
| IP:Port | 18[.]163[.]176[.]215:8880 | Primary C2 beacon endpoint |
| ASN | AS16509 | Amazon.com, Inc. |
| PTR | ec2-18-163-176-215[.]ap-east-1[.]compute[.]amazonaws[.]com | Reverse DNS |
| Nameserver | ns1[.]22[.]cn | C2 domain NS |
| Nameserver | ns2[.]22[.]cn | C2 domain NS |
Threat Actor Infrastructure
| Type | Value | Context |
|---|---|---|
| Email | di823748[@]163[.]com | WHOIS registrant; pivot target |
| Name | 彭本波 (Peng Benbo) | WHOIS registrant; attribution anchor |
| Domain | vbnghyyttz[.]cn | Registered 67 days pre-campaign |
Host-Based Indicators
| Type | Value | Context |
|---|---|---|
| Scheduled Task | Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon | Persistence |
| Scheduled Task | Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork | Persistence |
| Scheduled Task | Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask | Persistence |
| Service | BITS | Activated for persistence |
| Service | WSearch | Activated during execution |
| Command | cmd.exe /c timeout 2 & del /f /q "<path>" | Self-deletion signature |
| Registry | HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name | Binary name artifact |
| Registry | HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US | Geofence check |
| Registry | HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US | Geofence check |
MITRE ATT&CK Coverage
| Technique | Name |
|---|---|
| T1566.001 | Phishing: Spearphishing Attachment |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell (self-deletion) |
| T1055.012 | Process Injection: Process Hollowing |
| T1027 / T1027.002 | Obfuscated Files: dynamic import resolution, blank section names |
| T1129 | Shared Modules β runtime API resolution |
| T1497.001 / T1497.002 | Sandbox Evasion: system checks + date expiration |
| T1622 | Debugger Evasion |
| T1057 | Process Discovery |
| T1082 | System Information Discovery |
| T1614.001 | System Language Discovery |
| T1070.004 | Indicator Removal: File Deletion |
| T1071.001 | C2 via Application Layer Protocol |
| T1197 | BITS Jobs |
| T1053.005 | Scheduled Task/Job |
| T1583.001 / T1583.003 | Acquire Infrastructure: Domain + VPS |
| T1036 / T1036.005 | Masquerading |
Conclusion
SilverFox is an active, technically competent campaign targeting Chinese-speaking organizations through HR-themed social engineering. The loader demonstrates investment in evasion (layered anti-debug, geofencing, stealth timeouts, dynamic API resolution, process hollowing), and the use of BITS plus SoftwareProtectionPlatform scheduled tasks for persistence shows awareness of common detection heuristics. The trojanized LEViewer.exe delivery path expands the attack surface beyond email, suggesting the operator is comfortable with software-based initial access alongside phishing.
But despite this technical maturity, the actor registered their sole C2 domain using what appears to be a real name and a personal Chinese email account. That single mistake collapses a significant portion of the attribution problem and, more practically, gives defenders a durable pivot point: every domain ever registered by di823748[@]163[.]com is now a potential infrastructure node for this campaign.
The domain was registered 67 days before the first known sample. Defenders who monitor WHOIS data for .cn registrations with active C2 patterns, unusual port usage, or DGA-style naming may have had an early detection opportunity here. That gap, between infrastructure acquisition and campaign launch, is where proactive hunting pays off most.
Organizations with Chinese-speaking employees, HR systems, or a presence in mainland China and Hong Kong should treat the IOCs in this report as active threats and review endpoint telemetry for the behavioral signatures described above, particularly the SoftwareProtectionPlatform task creation pattern and the cmd.exe timeout & del self-deletion chain.
Indicators submitted to MalwareBazaar and ThreatFox. Additional pivot research on di823748[@]163[.]com is ongoing.
Published by Breakglass Intelligence, March 13, 2026