The Infosecurity piece, dated 24 March 2026, notes that campaigns linked to the Silver Fox intrusion group show a shift toward dual espionage and financially motivated activity between 2025 and 2026. The campaigns were observed by cybersecurity firm Sekoia, according to a recent threat intelligence report, and targeted organisations across South Asia with phishing lures themed around tax authorities and financial documents.
Researchers describe three distinct waves of activity, moving from advanced malware delivery to remote management tools and then to a Python-based credential stealer disguised as a WhatsApp application. Early efforts used malicious PDF attachments impersonating national tax authorities, while later efforts employed phishing websites hosting downloadable archives.
By early 2026, the group had distributed a Python-based stealer designed to collect credentials and sensitive files, with tools including ValleyRAT, HoldingHands and various custom stealers deployed across Taiwan, Japan, Malaysia, India, Indonesia, Singapore, Thailand and the Philippines.