Silver Fox Targeting India Using Tax Themed Phishing Lures
ID: 15528c1d-b3ad-5739-9cdc-6ca19179d03b
STIX ID: report--15528c1d-b3ad-5739-9cdc-6ca19179d03b
Feed Name: CloudSEK Blog
CloudSEK TRIAD describes an income-tax-themed phishing campaign in India attributed to the Silver Fox APT. The campaign uses an NSIS installer and a signed Thunder.exe to load a malicious libexpat.dll, which disables services, decrypts and injects Donut-generated shellcode into explorer.exe, and deploys Valley RAT with registry-resident plugins and a three-tier C2 infrastructure. The report includes technical analysis, IOCs, MITRE ATT&CK mappings, and detection/mitigation recommendations.
