Chinese Threat Actors Operate 2,800 Malicious Domains to Distribute Windows Malware
A sophisticated threat actor, dubbed “SilverFox,” has been orchestrating a large-scale malware distribution campaign since at least June 2023, operating primarily during working hours in the Chinese time zone.
This operation focuses on Chinese-speaking individuals and entities both within and outside China, leveraging over 2,800 newly created domains to deliver Windows-specific malware.
Chinese-Speaking Users Globally
The actor employs deceptive tactics such as fake application download sites and spurious update prompts embedded in spoofed login pages, marketing applications, business sales tools, and cryptocurrency-related apps.
These methods have remained largely consistent, facilitating the dissemination of malicious payloads designed for credential theft, financial exploitation, and potential access brokering.
As of June 2025, analysis reveals that 266 out of more than 850 domains identified since December 2024 are actively involved in malware distribution, underscoring the campaign’s sustained infrastructure and operational resilience.
Domain registration patterns provide insights into the actor’s workflow, with creation dates and ...
Copyright of this story solely belongs to gbhackers.