Silver Fox Uses Fake Microsoft Teams Installer To Spread Valleyrat...

The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China.

The search engine optimization (SEO) poisoning campaign leverages Microsoft Teams lures to trick unsuspecting users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0), a known malware associated with the Chinese cybercrime group. The activity has been underway since November 2025.

"This campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified 'ValleyRAT' loader containing Cyrillic elements – likely an intentional move to mislead attribution," ReliaQuest researcher Hayden Evans said in a report shared with The Hacker News.

ValleyRAT, a variant of Gh0st RAT, allows threat actors to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-term persistence within targeted networks. It's worth noting that the use of Gh0st RAT is primarily attributed to Chinese hacking groups.

The use of Teams for the SEO poisoning campaign marks a departure from prior efforts that have leveraged other popular programs like Google Chrome, Telegram, WPS Office, and DeepSeek to activate the infection chain.

The SEO campaign is meant to redirect users to a bogus website that features an option to download the supposed Teams software. In reality, a ZIP file named "MSTчamsSetup.zip" is retrieved from an Alibaba Cloud URL. The archive utilizes Russian linguistic elements to confuse attribution efforts.

Present within the file is "Setup.exe," a trojanized version of Teams that's engineered to scan running processes for binaries related to 360 Total Security ("360tray.exe"), configure Microsoft Defender Antivirus exclusions, and write the trojanized version of the Microsoft installer ("Verifier.exe") to the "AppData\Local\" path and execute it.

The malware proceeds to write additional files, including "AppData\Local\Profiler.json," "AppData\Roaming\Embarcadero\GPUCache2.xml," "AppData\Roaming\Embarcadero\GPUCache.xml," and "AppData\Roaming\Embarcadero\AutoRecoverDat.dll."

In the next step, it loads data from "Profiler.json" and "GPUcache.xml," and launches the malicious DLL into the memory of "rundll32.exe," a legitimate Windows process, so as to fly under the radar. The attack moves to the final stage with the malware establishing a connection to an extern

Source: The Hacker News