Suspected China Group Uses Microsoft-Signed Driver to Disable Security Software in Japan

A spear-phishing campaign (targeted emails crafted to trick specific recipients into opening a malicious file) that began in April 2026 used a Microsoft-signed Windows kernel driver to switch off endpoint security products and hide its own processes on machines belonging to Japanese organizations, before installing a previously undocumented remote-access tool. The findings come from a report published on June 4, 2026 by the Cyber Emergency Center at Japanese security firm LAC, authored by Yoshihiro Ishikawa.

LAC assesses, at low-to-medium confidence, that the activity is linked to a China-aligned group it tracks as "Silver Fox." The firm is explicit that there is no decisive evidence to attribute the campaign conclusively to that group, so Silver Fox should be treated as a suspected, not confirmed, operator. The malware family names below (PXDropper, PoisonX, and 10FXRAT) are LAC's own designations drawn from code strings and a network protocol marker, not necessarily cross-vendor industry names.

How it works

According to LAC, the April wave used HR-themed lures (decoys impersonating recruitment or personnel messages). Victims were steered to malicious files hosted on Google Cloud Storage links, and a Windows shortcut (LNK) file abused the built-in curl.exe utility to fetch the next stage. That stage is a dropper LAC calls PXDropper, which runs anti-analysis checks (looking for virtual machines, debuggers, and sandboxes) before deploying two payloads: the PoisonX kernel driver and the 10FXRAT remote-access tool.

The PoisonX driver is the centerpiece. LAC says it is a custom-built kernel driver that nonetheless carried a legitimate Microsoft signature, with a debug path containing the string "PoisonX." Once loaded, it terminates security products (the endpoint detection-and-response tools security teams rely on) via a control code (IOCTL 0x22E010) and hides processes and network connections via another (IOCTL 0x22E008). The report lists roughly 43 targeted security products, including Microsoft Defender, CrowdStrike, Kaspersky, 360 Total Security, Huorong, Tencent PC Manager, and Kingsoft.

The 10FXRAT payload arrives through DLL side-loading (tricking a trusted program into loading a malicious library): the legitimate usoclient64.exe loads a loader DLL named dnssd.dll, which decrypts the real payload from a file called runtime.bin. LAC describes 10FXRAT as modular, with system reconnaissance reported as JSON, a remote shell (command 0x02), SOCKS5 reverse-proxy tunneling (routing attacker traffic through the victim machine to reach internal systems, command 0x30), and encrypted plugin loading (0x21). Its custom TCP protocol is identified by the magic number 0x58463031, which spells "10FX" in little-endian byte order.

How the campaign evolved

From May 2026, LAC says the operators shifted tactics. Instead of the custom PoisonX driver, they turned to BYOVD (bring-your-own-vulnerable-driver, where attackers load a legitimately signed but abusable driver), using ASUSTeK's signed EneIo64.sys and Microsoft Process Explorer's procexp.sys. They also added commands for mouse and keyboard emulation (0x08) and compressed data transfer (0x04). Targeting widened beyond Japan to organizations in China itself, even though the suspected operator is China-aligned. The earliest observed sample compilation timestamp is March 29, 2026. The pattern of spear-phishing Japanese targets echoes earlier China-linked activity such as the BlackTech operations against Japanese organizations.

Who is affected

The reported victims are organizations in Japan and, from May, in China. The technique is dangerous because signed drivers run in the kernel, the most privileged layer of Windows, letting the malware disable defenses other tooling relies on.

What you should do

LAC recommends hunting for auto-start and service entries (names such as Hid* and DevCfgCC) using Sysinternals Autoruns, and reviewing Windows Event ID 7045 for unexpected driver-service creation. Defenders should detect or block the "10FX" TCP protocol signature and known command-and-control addresses, mitigate BYOVD abuse of EneIo64.sys and procexp.sys, and pursue defense-in-depth: behavior-based EDR monitoring, network segmentation, and least-privilege access.

Persistence in this campaign also relied on a Run registry key (value WinDiagTrack), files under %ProgramData%\Microsoft\WinDiagTrack, a persistent driver copy named DevCfgCC.sys, and a watcher service launcher. Sample command-and-control addresses cited by LAC include 38.76.177[.]39, 154.211.86[.]78, and 101.32.190[.]202. Full indicators are in the original report. For broader context on this activity, see our overview of China-linked state attacks.
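To make the hunting guidance above concrete, here is an added Python example (it is not code from LAC's report or from IntelFusions). It does two things: it derives the "10FX" byte marker from the magic number 0x58463031 and scans a TCP payload for it, and it triages Event ID 7045 service-installation records for the names, paths and driver files named in the report. The event records, the payload bytes and the field names (EventID, ServiceName, ImagePath) are constructed for the example; the report does not say where in a message the marker sits, so the scanner searches the whole payload rather than only the first four bytes.

```python
import re
import struct

# The report gives the protocol marker as 0x58463031; packing it as a
# little-endian 32-bit integer yields the ASCII bytes b"10FX".
TENFX_MAGIC = struct.pack("<I", 0x58463031)

# Service-name patterns LAC suggests hunting for (Hid* is a wildcard prefix),
# the persistence directory, and the two signed drivers abused for BYOVD.
SUSPICIOUS_NAME = re.compile(r"^(Hid.*|DevCfgCC)$", re.IGNORECASE)
PERSIST_DIR = r"\programdata\microsoft\windiagtrack"
BYOVD_DRIVERS = {"eneio64.sys", "procexp.sys"}

# Constructed sample records shaped like Windows System-log Event ID 7045
# ("A service was installed in the system"). Not real log data.
SAMPLE_7045 = [
    {"EventID": 7045, "ServiceName": "DevCfgCC",
     "ImagePath": r"C:\ProgramData\Microsoft\WinDiagTrack\DevCfgCC.sys"},
    {"EventID": 7045, "ServiceName": "HidUpdSvc",
     "ImagePath": r"C:\ProgramData\Microsoft\WinDiagTrack\usoclient64.exe"},
    {"EventID": 7045, "ServiceName": "EneIo",
     "ImagePath": r"C:\Windows\Temp\EneIo64.sys"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # A different event ID with a suspicious name: must be ignored by the
    # 7045 triage because it is not a service-installation record.
    {"EventID": 7036, "ServiceName": "DevCfgCC",
     "ImagePath": r"C:\ProgramData\Microsoft\WinDiagTrack\DevCfgCC.sys"},
]


def find_10fx_marker(payload: bytes) -> int:
    """Return the offset of the 10FX marker in a TCP payload, or -1 if absent."""
    return payload.find(TENFX_MAGIC)


def triage_7045(events):
    """Flag Event ID 7045 records that match the indicators from the report.

    Returns a list of (service_name, image_path, reasons) tuples; an empty
    reasons list never appears because unmatched records are dropped.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        reasons = []
        if SUSPICIOUS_NAME.match(name):
            reasons.append("service name matches Hid* / DevCfgCC")
        if PERSIST_DIR in path.lower():
            reasons.append("image under %ProgramData%\\Microsoft\\WinDiagTrack")
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in BYOVD_DRIVERS:
            reasons.append(f"known abusable signed driver: {basename}")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    # Constructed payloads: one carrying the marker, one that is a TLS record.
    print(find_10fx_marker(b"10FX" + bytes(8)))        # 0
    print(find_10fx_marker(b"\x16\x03\x01\x00\x05"))   # -1
    for name, path, reasons in triage_7045(SAMPLE_7045):
        print(f"{name}: {path}")
        for r in reasons:
            print(f"    - {r}")
```

A Hid* name match on its own is only a lead, since Windows ships legitimate services with that prefix (HidServ, the Human Interface Device Service, for one); the image path and driver-file checks are what turn a hit into something worth pulling the binary for. In production the records would come from the System event log rather than the constructed list, and the marker scan would sit on a network sensor that sees raw TCP payloads.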

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.