Silver Fox APT Hits Taiwan with Dual Remote Access Malware
HoldingHands and Gh0stCringe Deployed in Targeted Phishing Campaign

Summary
– Silver Fox APT is targeting Taiwanese government and industrial networks using a dual-malware approach: stealthy HoldingHands RAT and noisy Gh0stCringe.
– Phishing emails impersonating Taiwan’s National Taxation Bureau or trusted partners deliver malicious ZIP/RAR archives with sideloading attacks.
– HoldingHands RAT enables quiet reconnaissance and persistence, while Gh0stCringe focuses on aggressive data collection like keylogging and screen capture.
– The campaign shows long-term planning, with pre-registered C2 infrastructure and modular infection chains linked to Chinese-language APTs.
– Taiwan’s security agencies have issued advisories to mitigate risks, emphasizing DLL sideloading and suspicious traffic monitoring.
A new campaign orchestrated by the advanced persistent threat group Silver Fox is targeting government and industrial networks in Taiwan, according to analysis published by Fortinet and reported by The Hacker News. The campaign uses a two-pronged approach: a stealthy remote access tool called HoldingHands RAT alongside a louder, surveillance-oriented variant of the Gh0stCringe malware.
The lures were phishing emails impersonating Taiwan’s National Taxation Bureau or trusted local business partners. These messages carried ZIP and RAR archives containing either .exe files or image and document lures bundled with legitimate, vendor-signed executables (Adobe and Microsoft binaries among them), which were repurposed to sideload the actual malicious DLL payloads from the same folder the victim extracted the archive into.
Silver Fox’s tradecraft indicates long-term planning. The threat actor registered command-and-control infrastructure in advance and executed a modular infection chain. Researchers say the operation aligns with broader espionage patterns often attributed to Chinese-language APTs with strategic interests in Taiwan’s public and defense sectors.
Two RATs, Two Missions
The campaign’s dual malware payloads serve distinct purposes:
- HoldingHands RAT focuses on persistence and quiet reconnaissance. It uses a distinctively named file, msgDb.dat, in its command-and-control handling. Its functions include file enumeration, remote command execution, and lateral movement, all while keeping outbound traffic to a minimum to avoid detection.
- Gh0stCringe, by contrast, is noisier. It’s equipped for keylogging, screen capture, clipboard monitoring, and audio snooping. A fork of the widely abused Gh0st RAT, this variant is used to maximize data collection during active stages of the compromise.
The approach appears calibrated: HoldingHands establishes the beachhead, while Gh0stCringe extracts data. Researchers note this separation of roles is increasingly common in targeted campaigns that aim to keep a foothold even if the louder malware is detected and removed.
“The use of two RAT families lets attackers separate their priorities, covert surveillance versus active exfiltration,” said Fortinet’s report. “It also lets them rotate infrastructure quickly if one toolset is exposed.”
Implications for Regional Security
Silver Fox has previously been linked to campaigns focused on Southeast Asia, but this operation marks one of its most methodical attacks on Taiwan to date. Target selection suggests an interest in both government records and sensitive business intelligence.
Technical indicators released by Fortinet list multiple domains and IP addresses associated with the campaign, but analysts expect Silver Fox to retool soon, so the indicators alone will not stay reliable for long. Taiwan’s security agencies have issued advisories to ministries and contractors, urging a review of DLL sideloading vectors (signed executables loading DLLs from user-writable folders) and of suspicious outbound traffic from hosts where msgDb.dat is present.
For cybersecurity teams, the bigger concern isn’t the novelty of the tools but the way they’re deployed. By pairing quiet persistence with noisy surveillance, Silver Fox shows how coordinated use of two malware families can evade early detection while building long-term access.