This report details an ongoing campaign by an actor operating primarily during Chinese time zone working hours, targeting Chinese-speaking individuals and entities within and outside China. Since approximately June 2023, the actor has created more than 2,800 domains for malware delivery. The actor’s methods and malware, largely unchanged since June 2023, primarily deliver Windows-specific malware through fake application download sites and fake update prompts in various spoofed login pages, marketing apps, business sales apps, and cryptocurrency-related apps.

Since the previous reports, the actor has made notable operational changes, including:

  • Anti-automation and browser emulation code
  • Reduction in site tracker services
  • Increased server distribution for sparser domain resolutions per IP address
  • More discreet registration details

As of June 2025, 266 of the more than 850 domains identified since December 2024 were actively distributing malware.

For comprehensive details, refer to the two prior reports linked below:

Part 1: https://dti.domaintools.com/chinese-malware-delivery-websites/ 

Part 2: https://dti.domaintools.com/chinese-malware-delivery-domains-part-ii-data-collection/ 

A Sampling of Their Malware Delivery Websites

Fake Gmail Login

The `googeyxvot[.]top` domain uses anti-automation and browser emulation checks, and any input on its fake login page triggers a deceptive browser incompatibility error, prompting a malicious update download. Multiple JavaScript files are employed to obfuscate the download URL.

A malicious .zip file from `googeyxvot[.]top` delivers an .msi installer. This installer contains multiple .jpg-named files and two executables, `svchost.13.exe` and `flashcenter_pl_xr_rb_165892.19.exe`. `svchost.13.exe` acts as a downloader, fetching a file from `https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt`. The downloaded file uses a shellcode decoder loop, decrypts the rest of its content with the single-byte XOR key 0x25, and executes an embedded PE file.

Download URL: googeyxvot[.]top/assets/download/buile/flashcenter_pl_xr_rb_165892.19.zip

  • flashcenter_pl_xr_rb_165892.19.zip  SHA256 7705ac81e004546b7dacf47531b830e31d3113e217adeef1f8dd6ea6f4b8e59b
  • flashcenter_pl_xr_rb_165892.19.msi  SHA256 a48043b50cded60a1f2fa6b389e1983ce70d964d0669d47d86035aa045f4f556

The .msi file contains several .jpg-named files and two executables:

  • svchost.13.exe  SHA256 f1b6d793331ebd0d64978168118a4443c6f0ada673e954df02053362ee47917b
  • flashcenter_pl_xr_rb_165892.19.exe  SHA256 1c957470b21bf90073c593b020140c8c798ad8bdb2ce5f5d344e9e9c53242556

svchost.13.exe acts as a downloader, retrieving a file from https[:]//ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt

  • uploads%2F4398%2F2025%2F06%2F617.txt  SHA256 e9ba441b81f2399e1db4b86e1fe301aaf2f11d3cf085735a55505873c71cbc6f

The downloaded file contains a shellcode decoder loop, decrypts the rest of the file with XOR key 0x25, and executes an embedded PE file.

  • Embedded PE file  SHA256 28e6c4d71b700ac93c8278ef7968e3d8f9454eff2e8df5baf2fff6acbfdf6c39
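The single-byte XOR stage described above can be triaged without running it. The following is an added example, not the actor's code or the report's own tooling: it scans a blob for a single-byte-XOR-encoded PE by matching the encoded DOS stub text, then confirms the MZ and PE signatures, so the payload can be carved for analysis. The decoder loop from the real sample is not reproduced, and the input blob is constructed.

```python
"""Added triage example (not the actor's code or the report's tooling): find a
single-byte-XOR-encoded PE inside a blob so it can be carved for analysis.
The real decoder loop is not reproduced; the input blob is constructed."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"

def find_xor_pe(blob: bytes):
    """Return (key, mz_offset, decoded_pe), or None when nothing matches.

    Try every key 0..255: look for the XOR-encoded DOS stub text, walk back
    to the nearest 'MZ' and confirm 'PE\\0\\0' at e_lfanew. Matching the long
    stub string first avoids false hits on a bare two-byte 'MZ'.
    """
    for key in range(256):
        needle = bytes(b ^ key for b in DOS_STUB)
        pos = blob.find(needle)
        if pos < 0:
            continue
        lo = max(0, pos - 0x80)  # the stub text lives inside the DOS header
        window = bytes(b ^ key for b in blob[lo:pos])
        mz = window.rfind(b"MZ")
        if mz < 0:
            continue
        start = lo + mz
        decoded = bytes(b ^ key for b in blob[start:])
        if len(decoded) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
        if decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return key, start, decoded
    return None

def build_fake_pe() -> bytes:
    """Constructed minimal PE-like image: MZ header, DOS stub text, PE sig."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew points at 'PE\0\0'
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 32

XOR_KEY = 0x25  # the key the report gives for this stage

def build_constructed_stage() -> bytes:
    """Placeholder decoder-stub bytes followed by the XOR-encoded PE."""
    return b"\x90" * 16 + bytes(b ^ XOR_KEY for b in build_fake_pe())
```

Because the scan tries every key, the same function also recovers stages that reuse the loader with a different single-byte key.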

Fake Alipay Checkout

The domain displays a fake popup stating that the page cannot operate currently because of an abnormal operation mode. Two buttons, Get Help Now and Cancel, are displayed, and both prompt a download of a malicious file.

yeepays[.]xyz

An imported JavaScript file defines the download path:

“yeepays[.]xyz/assets/js/external_load.js”

The filename is defined in another imported JavaScript file:

“yeepays[.]xyz/assets/download/filename.js”

The download URL for the malicious file then becomes:

“https[:]//yeepays[.]xyz/assets/download/收银台权限.exe”

  • 收银台权限.exe  SHA256 21a0b62adc71b276a5bc8a3170ab6e315ac2c0afe8795cfeade8461f00a804d2

Fake Cryptocurrency Sites

coinbaw[.]vip

Clicking most of the interactive buttons redirects to a fake sign-in page for a fictitious crypto exchange named “CoinBaw”, which likely attempts to spoof Coinbase.

Registration Details

Mapping over 2,800 of the actor’s registered domains since June 2024, we observed consistent timing trends.

[Figure: Domain Registrations Create Date]

[Figure: Domain Resolutions First Seen]

Comparing the registration creation times of domains with their first-seen resolution times from DNS lookups lets us approximate likely human working hours from commonalities in infrastructure acquisition and operationalization. Both events can be largely automated, so the timing of either is unreliable on its own, but taken together they may offer useful insight, particularly regarding the regions likely being targeted.

We observed a common distribution across the day for both domain acquisition and potential operationalization. Operationalization here means the step after registering the domains and associated infrastructure: putting them to operational use, in this case delivering malware via spoofed application download pages. The majority of both events occur during normal Chinese working hours, and notably the volume of first-seen resolutions for those domains also peaks during normal Chinese working hours.
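The comparison described above, as an added example that is not part of the report and does not use its data: WHOIS creation times and first-seen DNS resolutions (constructed records, in UTC) are converted to China Standard Time, bucketed by hour of day, and scored against a nominal 09:00 to 18:00 working day, with the registration-to-resolution lag computed per domain. The working-hour window and the record values are assumptions.

```python
"""Added example (not from the report): convert domain create times and
first-seen resolutions to UTC+8, bucket them by hour, and measure the share
falling inside a nominal working day plus the create-to-resolution lag."""
from collections import Counter
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))  # China Standard Time, no DST
WORK_HOURS = range(9, 18)           # 09:00-17:59 local; an assumed window

# Constructed records: (domain, WHOIS create, first-seen resolution), all UTC.
RECORDS = [
    ("example-a[.]top", "2025-03-03T02:15:00Z", "2025-03-04T03:40:00Z"),
    ("example-b[.]xyz", "2025-03-03T06:50:00Z", "2025-03-03T07:05:00Z"),
    ("example-c[.]vip", "2025-03-05T18:30:00Z", "2025-03-06T01:10:00Z"),
    ("example-d[.]top", "2025-03-06T00:05:00Z", "2025-03-06T09:45:00Z"),
]

def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def hour_histogram(stamps, tz=CST) -> Counter:
    """Count events per local hour of day after converting to tz."""
    return Counter(parse_utc(s).astimezone(tz).hour for s in stamps)

def working_hours_share(stamps, tz=CST) -> float:
    """Fraction of events whose local hour falls inside WORK_HOURS."""
    hist = hour_histogram(stamps, tz)
    total = sum(hist.values())
    return sum(hist[h] for h in WORK_HOURS) / total if total else 0.0

def lag_hours(records):
    """Create-to-first-resolution delay in hours, one value per domain."""
    return [(parse_utc(f) - parse_utc(c)).total_seconds() / 3600 for _, c, f in records]

def summarize(records=RECORDS) -> dict:
    """Working-hour shares for both events and the upper-median lag."""
    creates = [c for _, c, _ in records]
    firsts = [f for _, _, f in records]
    return {
        "create_share": working_hours_share(creates),
        "first_seen_share": working_hours_share(firsts),
        "median_lag_h": sorted(lag_hours(records))[len(records) // 2],
    }
```

Against the real dataset, a first-seen share well above the create share is the signature of registrations being automated while operationalization follows a human schedule.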

Changes In Operations

The actor has implemented several changes in their operational tactics. This includes the addition of rudimentary anti-automation and browser emulation code, designed to hinder site scanners from effectively retrieving website content. Furthermore, there has been a reduction in the use of site tracker services such as Baidu, Gtag, and Facebook. The actor has also increased the number of servers used to spread domain resolution more widely, and adopted more discreet registration details to obscure uniquely identifiable information.

Conclusion

The “SilverFox” actor continues to demonstrate a high degree of persistence and scale in their malware delivery operations, primarily targeting Chinese-speaking individuals and entities globally with Windows-specific malware. Their campaign, ongoing since at least June 2023, leverages over 2,800 created domains, with 266 of the domains identified since December 2024 still active, highlighting their sustained infrastructure and reliability improvements. The consistent operational timing across all hours, with high influxes during Chinese working hours, together with other factors suggests a combination of automated and likely human-driven approaches to their activities.

While the actor’s ultimate motivations remain somewhat uncertain, their tactics strongly suggest financially motivated and opportunistic objectives. We suspect their primary goals include credential and financial theft, and potentially access brokering. Furthermore, the observed targeting of individuals engaged in sales and marketing, particularly those outside China but involved in business prospects within the region and possessing Chinese language skills, points to a potential secondary motivation to exploit specific professional networks for further gains.

Modern browsers like Chrome and Edge provide a critical, multi-layered defense against malware from fake download sites. They use integrated security systems—Google Safe Browsing and Microsoft Defender SmartScreen—to proactively block malicious websites before they can be accessed. At the point of download, these browsers analyze files for risk by checking their reputation and digital signatures, and provide clear, direct warnings to prevent users from accidentally running dangerous software. 

While current detection rates of SilverFox payloads show limitations, it’s crucial to recognize that browser security is a constantly evolving battleground. Browser developers are continually refining their defenses, integrating more advanced AI and machine learning models to identify and block novel threats in real-time. This ongoing technological advancement, however, highlights a fundamental truth: the most sophisticated digital warnings are ultimately supplementary to an aware user.

To counter the persistent threat posed by SilverFox, organizations and individuals should prioritize the following security measures:

  • Elevate User Awareness: Conduct phishing simulations and training, and emphasize secure software acquisition from official sources.
  • Strengthen Email and Web Gateway Security: Implement ATP, integrate threat intelligence feeds for URL filtering and domain reputation, and employ DNS filtering.
  • Enhance Endpoint Security and Response: Deploy NGAV/EDR across Windows endpoints and ensure automated patch management.
  • Implement Network Monitoring and Segmentation: Analyze network traffic for indicators of compromise and segment networks to limit lateral movement.
  • Prioritize Identity and Access Management: Enforce Multi-Factor Authentication (MFA) for all user accounts.

IOCs

Domains, file URLs, and hashes can be found on our GitHub.