Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China
Briefly

"The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China. The search engine optimization (SEO) poisoning campaign leverages Microsoft Teams lures to trick unsuspecting users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0), a known malware associated with the Chinese cybercrime group."
"'This campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified 'ValleyRAT' loader containing Cyrillic elements - likely an intentional move to mislead attribution,' ReliaQuest researcher Hayden Evans said in a report shared with The Hacker News. ValleyRAT, a variant of Gh0st RAT, allows threat actors to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-term persistence within targeted networks. It's worth noting that the use of Gh0st RAT is primarily attributed to Chinese hacking groups."
"The use of Teams for the SEO poisoning campaign marks a departure from prior efforts that have leveraged other popular programs like Google Chrome, Telegram, WPS Office, and DeepSeek to activate the infection chain. The SEO campaign is meant to redirect users to a bogus website that features an option to download the supposed Teams software. In reality, a ZIP file named 'MSTчamsSetup.zip' is retrieved from an Alibaba Cloud URL. The archive utilizes Russian linguistic elements to confuse attribution efforts."
Silver Fox conducts a false-flag SEO poisoning campaign that mimics a Russian threat group to target organizations in China and Chinese-speaking users, including Western entities operating in China. The campaign uses Microsoft Teams lures leading to a trojanized setup file (MSTчamsSetup.zip) hosted on Alibaba Cloud and deploys ValleyRAT (Winos 4.0), a Gh0st RAT variant. The loader includes Cyrillic elements to mislead attribution. The trojanized Setup.exe scans for 360 Total Security processes, creates Defender exclusions, and writes a trojanized Microsoft installer (Verifier.exe) into AppData, enabling remote control, data exfiltration, and persistence.
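As an added example (not code from the report or the article), the following Python detection logic runs over constructed, simplified EDR-style events and flags three of the loader behaviours summarized above: the Defender exclusion write, an executable such as Verifier.exe dropped into AppData by a process running from a user path, and a Teams-lookalike archive name containing a non-ASCII (Cyrillic) letter. The event field names, paths and registry key layout are assumptions, not telemetry from the campaign.

```python
import re

# Constructed sample telemetry with an assumed field layout (event, image,
# target, key). Event 3 is a benign Teams self-update used as a negative case.
EVENTS = [
    {"event": "file_create", "image": "C:\\Users\\u\\Downloads\\Setup.exe",
     "target": "C:\\Users\\u\\AppData\\Roaming\\Verifier.exe"},
    {"event": "reg_set", "image": "C:\\Users\\u\\Downloads\\Setup.exe",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
            "C:\\Users\\u\\AppData"},
    {"event": "file_create", "image": "C:\\Program Files\\Microsoft\\Teams\\Update.exe",
     "target": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},
    {"event": "file_create", "image": "C:\\Program Files\\Firefox\\firefox.exe",
     "target": "C:\\Users\\u\\Downloads\\MSTчamsSetup.zip"},
]

APPDATA_EXE = re.compile(r"\\AppData\\.*\.exe$", re.IGNORECASE)
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
# "MSTeams" with one Latin letter replaced by any non-ASCII character,
# e.g. the Cyrillic 'ч' in MSTчamsSetup.zip.
HOMOGLYPH_TEAMS = re.compile(r"MST[^\x00-\x7f]ams", re.IGNORECASE)
# Assumed allow-list: drops into AppData from these trees are treated as vendor updaters.
VENDOR_DIRS = ("C:\\Program Files\\", "C:\\Windows\\")


def classify(ev):
    """Return detection tags for one event (empty list if nothing matched)."""
    tags = []
    img = ev.get("image", "")
    if ev["event"] == "reg_set" and DEFENDER_EXCL.search(ev.get("key", "")):
        tags.append("defender_exclusion_added")
    if ev["event"] == "file_create":
        tgt = ev.get("target", "")
        # Executable written under AppData by a process not running from a
        # vendor directory: the Setup.exe -> Verifier.exe pattern.
        if APPDATA_EXE.search(tgt) and not img.startswith(VENDOR_DIRS):
            tags.append("appdata_exe_drop_from_user_path")
        if HOMOGLYPH_TEAMS.search(tgt):
            tags.append("teams_homoglyph_filename")
    return tags


def detect(events):
    """Flatten all (source image, tag) hits across a list of events."""
    return [(ev["image"], tag) for ev in events for tag in classify(ev)]
```

Correlating the first two tags on the same source image (here Setup.exe) is a stronger signal than either alone, since legitimate installers rarely both add a Defender exclusion and drop an executable into AppData.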
Read at The Hacker News