SilverFox: The Upcoming Cyber Threat Catalyst of 2025

Brandefense SilverFox APT group profile card

Introduction

SilverFox has quickly emerged in 2024 and 2025 as a competent and adaptable threat actor operating on the nexus of espionage and financially motivated operations. Its ability to take an opportunistic targeting approach while employing advanced intrusion techniques positions the group among threat actors that defenders cannot afford to ignore. Recent intelligence confirms SilverFox has moved away from opportunistic targeting with smaller breaches and instead focused on prolonged operations against organizations that represent enhanced operational value in the government, finance, and technology sectors.

Identity and Motivation

Attribution: SilverFox is assessed with moderate confidence to be state-aligned and there have been indications of a degree of coordination across Eastern Europe and Central Asia.

Active Since: There was public reporting on activity from as early as 2022, but there are indications the group has significantly increased its operational tempo since late 2023.

Aliases: While confirmed overlaps with other units are limited, their activity does sometimes overlap with the infrastructure established by Qilin affiliates.

Motivation: SilverFox uses a combination of strategic espionage targeting of government and telecommunications organizations, along with financially motivated operations such as ransomware and data extortion.

Tactics, Techniques and Procedures (TTPs)

SilverFox utilized a hybrid operational style:

Initial Access – SilverFox exploited file transfer devices such as Cleo, and engaged in phishing campaigns that required an element of AI-generated lures.
Persistence – SilverFox operated with Living-Off-The-Land tools, PowerShell, Windows Hello abuse, scheduled tasks, and cloud credential compromise.
C2 and Infrastructure – SilverFox was observed primarily relying on TOR nodes and proxy botnets as its anonymization but occasionally used commercial VPNs as a backup.
Malware and Tools – SilverFox was observed using PlugX variants, credential stealers, and custom loaders that were misrepresented as business software updates to retain access to their infrastructure.

Techniques:

Supply chain targeting of European software vendors.

Lateral movement through hybridized cloud and on-prem networks.

Data exfiltration occurred prior to encryption with ransomware only used selectively.

Notable Operations

2024 – Telecom Intrusions in Europe: SilverFox targeted telecom operators and conducted espionage based on a zero-day exploit of a VPN appliance.
2024 – Finance and Insurance in the Asia-Pacific: SilverFox breached a regional banking network and proceeded to exfiltrate sensitive data before ultimately monetizing it on the dark web.
Q1 / 2025 – Supply Chain Campaign: targeted Cleo file transfer software vulnerabilities using the same exploits as Clop, but engaged in uses of customized data-theft techniques.
Q2 / 2025 – Government Entities in the MENA region: Operated in conjunction with credential harvesting campaigns against ministries in the Middle East region, in connection with the ongoing geopolitical situation.

Current Updates

SilverFox has demonstrated rapid evolution:

Movement to cloud environments: Increased attention to SaaS compromises, and lateral movements in hybrid networks.
Artificial intelligence adoption: Use of generative AI for phishing lures, voice cloning for vishing, and disinformation as part of larger influence campaigns.
Operational partnerships: Possible links to Ransomware-as-a-Service partners like Qilin and RansomHub.

Conclusion

SilverFox is a powerful example of the merger of espionage and financial cybercrime in 2025. The dual-motives, targeting the supply chain, and rapid advances on use of AI as disruptive assets make them an unpredictable and dangerously active actor.

Defensive Takeaways: