Meet Foresiet Nexus — Your smarter Threat Intel hub. See it in action — book a free demo today!

Weekly newsletter

No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.

Read about our privacy policy.

Latest from the blog

Behind the Fake Tax Notice — Part II: ValleyRAT Unmasked

How a China-nexus actor turns a signed application into a fileless malware loader.

Posted on: 06 July 2026 | Author: Foresiet

Introduction

In Part I of this series — “Behind the Fake Tax Notice” — the Foresiet Threat Intelligence Team mapped a multi-country, tax- and invoice-themed phishing network built around hxxps://adreses[.]vip/. That infrastructure, hosted on Alibaba Cloud in Hong Kong, was used to target taxpayers across India, Germany, Malaysia and Japan. The first report documented the lure, the sender and the hosting, but left one question open: what does the campaign actually deliver?

This Part II deep dive answers it. By reaching the second-stage delivery host that automated sandboxes could not, we recovered and reverse-engineered the payload — a ValleyRAT-class loader hidden inside a legitimately signed application. We attribute the operation to Silver Fox, a China-nexus actor and the operator of the ValleyRAT (Winos) backdoor. This post walks through the full delivery chain, the loader’s internals at the disassembly level, the attribution, and the complete set of indicators for defenders.

Key takeaways

  • A legitimate, signed Overwolf/TeamSpeak helper is abused to side-load a malicious 30 MB DLL — the file that runs looks trustworthy to users and to signature-based defences.
  • The DLL is a fileless loader: it decrypts a companion .bin stage entirely in memory and launches a .NET (CLR) payload, leaving nothing malicious on disk in plaintext.
  • The operation is the work of Silver Fox, a China-nexus actor and the operator of the ValleyRAT / Winos backdoor.
  • A single Hong Kong Alibaba Cloud IP hosts a multi-country cluster of tax and invoice lures across India, Germany, Malaysia and Japan.

At a glance

Field

Detail

Threat actor

Silver Fox — China-nexus intrusion set; operator of ValleyRAT / Winos

Malware

ValleyRAT / Winos-class .NET loader (trojanised teamspeak_control.dll, 30 MB)

Technique

Signed-binary DLL sideloading → in-memory decryption → CLR (.NET) execution — fileless

Lure

Localized tax & invoice phishing — India, Germany, Malaysia and Japan

Infrastructure

adreses[.]vip & membese[.]vip → 47.242.39.192 (Alibaba Cloud, Hong Kong)

Delivery

Document07.03.zip (29.1 MB) — a three-file sideloading kit, not a document

The Delivery Chain

The operation moves the victim from a phishing email to an in-memory ValleyRAT stage in six steps:

  1. Email — a tax/invoice phishing message impersonating the Income Tax Department (sender ContiWalega57@hotmail[.]com, reference TAX/PEN/2026-142).
  2. Landing — adreses[.]vip presents an “Invoice Details” page with document-download buttons (47.242.39.192, nginx).
  3. Payload host — a download button hands the victim to a second-stage host, membese[.]vip, which serves the archive.
  4. Archive — 03.zip is not a document; it is a three-file kit (signed EXE + malicious DLL + encrypted .bin).
  5. Sideload — the signed EXE side-loads the malicious teamspeak_control.dll, whose DllMain launches the loader.
  6. Loader — the DLL reads and decrypts the .bin in memory and executes it via the .NET runtime (ValleyRAT / Winos).

Inside the Archive: a DLL-Sideloading Kit

Static analysis of the recovered archive — performed in memory, without executing it — confirms Document07.03.zip is a three-file DLL-sideloading kit. A legitimately signed TeamSpeak helper acts as the decoy host, while the malicious code lives in a 30 MB trojanised DLL that impersonates the application’s real plugin and unpacks an encrypted stage in memory.

The three files inside Document07.03.zip: a clean signed host EXE, an encrypted .bin stage, and the 30 MB malicious DLL.

Figure 1 — The three files inside Document07.03.zip: a clean signed host EXE, an encrypted .bin stage, and the 30 MB malicious DLL.

File

Role

Document07.03.exe

Signed Overwolf “OverwolfTSHelper” — the legitimate sideload host (599 KB)

teamspeak_control.dll

The malware — trojan proxy DLL and in-memory loader, padded to evade AV (30.2 MB)

teamspeak_control.bin

Encrypted second-stage payload / configuration, decrypted at runtime (298 KB)

How the sideload works

  • Signed decoy host: 03.exe is a real, Authenticode-signed Overwolf binary that imports teamspeak_control.dll — launching it loads the attacker’s DLL from the same folder.
  • Trojan proxy DLL: dll re-implements all 18 tscontrol_*_async exports the host expects, so the app runs normally while its DllMain launches the loader.
  • Fileless & padded: the loader allocates executable memory, decrypts the .bin and runs a .NET payload via the CLR; a 29.9 MB maximum-entropy junk section and a zeroed PE timestamp defeat AV scanning.

Loader Internals: A Disassembly Walkthrough

We disassembled the malicious teamspeak_control.dll (x64) and reconstructed the loader end to end — without executing it. The entry point acts only on process-attach, then hands off to a worker thread that does the real work, keeping the signed host application completely stable.

Decompiled DllEntryPoint: it acts only on DLL_PROCESS_ATTACH, runs the cookie init, then tail-calls the real DllMain.

Figure 2 — Decompiled DllEntryPoint: it acts only on DLL_PROCESS_ATTACH, runs the cookie init, then tail-calls the real DllMain.

Figure 3 — DllEntryPoint control-flow graph: the process-attach branch runs the loader hand-off; the other branch returns immediately.

Step-by-step: what the malware does on load

  1. Stays invisible — DllMain acts only on DLL_PROCESS_ATTACH, spawns a worker thread and returns, so the signed TeamSpeak host keeps running with no crash or hang.
  2. Resists analysis — the real DllMain is wrapped in opaque-predicate junk arithmetic and the DLL’s import names are mangled, both to break static tooling.
  3. Locates the payload — the worker calls GetModuleFileNameW to find its own path and derives the sibling teamspeak_control.bin.
  4. Reads & decrypts — CreateFileW/ReadFile pull in the 298 KB encrypted .bin and decrypt it in memory.
  5. Executes in memory — VirtualProtect marks the decrypted buffer executable and control transfers to it; nothing malicious is written to disk in the clear.
  6. Runs the .NET stage — LoadLibraryExW loads mscoree.dll to host the CLR and execute the final ValleyRAT / Winos payload.

Reverse-Engineering Evidence

Two evidence panels from the disassembly show how the malicious DLL impersonates the plugin and how its loader is built.

Figure 4 — Export table of teamspeak_control.dll: it re-implements all 18 tscontrol_*_async functions, while the highlighted DllEntryPoint carries the loader.

Figure 5 — Import table: RWX allocation/paging, threading, file read, LoadLibraryExW and the .NET CLR host mscoree.dll; library names are deliberately mangled.

Reconstructed loader flow from DllMain into the worker: gate, decrypt the .bin, mark executable, and host the CLR

Figure 6 — Reconstructed loader flow from DllMain into the worker: gate, decrypt the .bin, mark executable, and host the CLR.

Attribution: Silver Fox (China-nexus)

Foresiet attributes this campaign to Silver Fox, a China-nexus intrusion set active since 2024 and the operator of the ValleyRAT (Winos) backdoor. The attribution rests on three converging evidence layers, each independently consistent with Silver Fox’s documented tradecraft:

  • Delivery mechanism — a signed decoy EXE side-loads a malicious DLL that decrypts a .bin and runs it via the CLR: Silver Fox’s signature loader chain.
  • Lure & targeting — localized tax and invoice themes across India, Germany, Malaysia and Japan, matching Silver Fox’s 2025–2026 campaigns.
  • Infrastructure — a single Hong Kong Alibaba Cloud IP, Gname registrar, share-dns nameservers and fresh short-lived TLS — consistent with Silver Fox’s Chinese-cloud hosting.

The same tradecraft is documented publicly by Sekoia, Proofpoint (tracked as TA4922) and Seqrite (Operation DragonReturn), describing China-nexus tax/invoice operations that deliver ValleyRAT and related loaders.

Malware Capabilities & Impact

The loader stages a ValleyRAT / Winos implant — a modular remote-access backdoor. Once active, this family provides remote shell and file transfer, keystroke logging, screen capture and clipboard monitoring, browser and application credential theft, and command-and-control over TCP with its configuration decrypted from the .bin. For a corporate environment, the practical impact is full interactive control of the endpoint, theft of credentials and business data, and a foothold for lateral movement — all delivered under the cover of a signed, trusted application.

Detection & Hunting

Host behaviour to hunt (Sysmon / EDR)

  • A signed TeamSpeak/Overwolf-style EXE loading a teamspeak_control.dll from a user-writable folder (Downloads/Temp) — the sideload.
  • That process reading a sibling .bin file, then allocating RWX memory and calling VirtualProtect(PAGE_EXECUTE) — the in-memory unpack.
  • dll / the CLR loaded by a host process that is not otherwise a .NET application — the managed-stage launch.
  • Outbound TCP to a high port on a fresh Alibaba/Hong Kong or bulletproof-hosted IP shortly after launch.

YARA (tune before production)

YARA (tune before production)

Indicators of Compromise (Full)

The complete indicator set recovered in this investigation. Hashes are given as MD5, SHA-1 and SHA-256.

File hashes

Hashes are given as MD5, SHA-1 and SHA-256

Network indicators

Type

Indicator

Notes

Domain

adreses[.]vip

Landing / invoice lure — the email URL

Domain

membese[.]vip

Payload host — serves Document07.03.zip

Domain

aappp[.]vip

Shares share-dns NS; served the adreses[.]vip TLS cert

Domain

dusdt[.]vip

India tax-scrutiny → invoice lure (same IP)

Domain

aethercode[.]vip

India Income-Tax scrutiny lure (same IP)

Domain

coinok[.]vip

Invoice lure (same IP)

Domain

prmgv[.]vip

ZIP / document delivery endpoint (same IP)

Domain

xxgzbts[.]cn

India tax-scrutiny lure (same IP)

Domain

yygzbts[.]cn

India tax-scrutiny lure (same IP)

Domain

nwphotoblog[.]com

German BZSt tax/invoice lure (same IP)

Domain

blueoceancode[.]com

Malaysia / Japan document lures (same IP)

Domain

foeo[.]cn

Malaysia / Japan document lures (same IP)

Domain

bpsalpe[.]cn

Malaysia / Japan document lures (same IP)

Domain

jobfreeeco[.]it[.]com

Document ZIP delivery endpoint (same IP)

IPv4

47.242.39.192

AS45102 Alibaba Cloud, Hong Kong; nginx

Nameserver

a7.share-dns[.]com

Shared-DNS pivot family

Nameserver

b7.share-dns[.]net

Shared-DNS pivot family

Registrar

Gname.com Pte. Ltd.

Registrar across the .vip cluster

TLS CA

LiteSSL RSA CA 2025

Fresh, short-lived certificates on the cluster

Email

ContiWalega57@hotmail[.]com

Phishing sender address

Subject ref

TAX/PEN/2026-142

Lure reference string

Host & behavioural indicators

Type

Indicator

Notes

File

teamspeak_control.dll

Malicious loader dropped beside the signed EXE

File

teamspeak_control.bin

Encrypted payload read and decrypted by the loader

PDB string

OverwolfTSHelper.pdb

Present in the signed host binary

Module load

mscoree.dll

CLR loaded by a non-.NET host process — strong signal

Mangled imports

././keRNEL32, ./USer32, .\OlE32

Obfuscated import DLL names (anti-analysis)

Export names

tscontrol_startTS3Client, tscontrol_getTS3BinLocation, tscontrol_*_async (18)

Proxy exports of the trojanised DLL

Behaviour

VirtualAlloc (RWX) → VirtualProtect (PAGE_EXECUTE)

In-memory unpack of the decrypted stage

Behaviour

DisableThreadLibraryCalls + CreateThread from DllMain

Loader hand-off pattern

PE trait

Zeroed PE timestamp; 29.9 MB max-entropy section

Padding / anti-analysis in the DLL

References

  1. Foresiet — https://foresiet.com/
  2. Foresiet — “Behind the Fake Tax Notice” (Part I, companion to this deep dive).
  3. RDAP — rdap.org/domain/adreses.vip ; rdap.org/ip/47.242.39.192
  4. BGP / ASN — ipv4.bgp.he.net/ip/47.242.39.192
  5. Sekoia — “Silver Fox: the only tax audit where the fine print installs malware.”
  6. Proofpoint — “TA4922: the suspected Chinese crime group going global.”
  7. Seqrite — “Operation DragonReturn” (India MoF / tax, multi-stage deployment).
  8. The Hacker News / GBHackers — Silver Fox ValleyRAT India tax-phishing coverage (2025–2026).
  9. Income Tax Department (India) — incometaxindia.gov.in/report-phishing.

Conclusion

This campaign is a mature, evasion-focused operation: a trusted signed binary, a fileless in-memory loader, an encrypted payload and a resilient multi-country infrastructure cluster — all consistent with Silver Fox’s ValleyRAT tradecraft. By hiding the malicious logic inside a signed application and keeping the real payload encrypted until it runs in memory, the operator achieves low detection while retaining full remote-access capability over the victim endpoint.

The Foresiet Threat Intelligence Team continues to monitor this actor. We are extracting the final-stage host indicators — command-and-control endpoints, mutex and persistence artefacts — from the encrypted payload, and will publish updates as new infrastructure, samples or victimology emerge. If anything further is identified, we will update this analysis. Organisations that handle finance and tax correspondence should treat invoice- and tax-themed archives that contain executables as high-risk and apply the detections above.

About us!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Latest

From the blog

The latest industry news, interviews, technologies, and resources.