A newly disclosed campaign attributed to the threat actor Silver Fox has been masquerading as a Russian threat group while targeting organizations in China. Active since November 2025, the campaign relies on SEO poisoning, with Microsoft Teams as the bait.
The targets are Chinese-speaking users, including staff of Western organizations operating in China. The malware, ValleyRAT, and its delivery artifacts contain Cyrillic elements (the lure's file name, for example, substitutes a Cyrillic "ч" for the Latin "e"), a deliberate false flag intended to mislead attribution toward Russia.
ValleyRAT, a variant of Gh0st RAT, gives the operators remote control over infected systems: they can steal sensitive data, execute commands, and maintain a persistent foothold in the targeted network. Gh0st RAT is predominantly associated with Chinese hacking groups, which is what makes the Russian disguise notable.
The choice of Microsoft Teams as the lure is a departure from earlier Silver Fox campaigns, which impersonated Google Chrome, Telegram and other popular programs; the familiarity and trust attached to Teams is what persuades users to run the malicious setup file.
The poisoned search results send users to a bogus website offering what looks like a Teams download. What they actually receive is a ZIP file named "MSTчamsSetup.zip", served from an Alibaba Cloud URL, containing a trojanized Teams installer. Its "Setup.exe" scans the host for specific binaries, tampers with the antivirus exclusion list, and then executes the malware.
The installer next writes additional files, among them "Profiler.json" and "GPUCache.xml", reads the data staged in them, and loads a malicious DLL into the memory of a legitimate Windows process, "rundll32.exe", so that the payload runs under a trusted process name and is less likely to be noticed.
In the final stage the malware connects to an external server and fetches the final payload that provides remote control. Silver Fox's objectives are financial gain through theft and fraud, and the collection of sensitive intelligence for geopolitical advantage.
Operating without direct government funding gives Silver Fox plausible deniability, and the group's discreet tradecraft makes it a persistent and hard-to-attribute threat.
The disclosure comes alongside a report from Nextron Systems describing a similar ValleyRAT attack chain that starts from a trojanized Telegram installer. That chain also uses the Bring Your Own Vulnerable Driver (BYOVD) technique, in which a legitimately signed but vulnerable driver is loaded so that security tooling can be tampered with from kernel mode.
"This installer sets dangerous exclusions and stages files, creating a complex multi-stage process," explains security researcher Maurice Fielenbach. "The second-stage orchestrator, men.exe, deploys components, manipulates permissions, and sets up persistence through a scheduled task, ultimately launching the ValleyRAT DLL."
Men.exe is also responsible for identifying security-related processes and loading the vulnerable drivers used to compromise them. Another component, "bypass.exe," escalates privileges by bypassing User Account Control (UAC).
"Victims see a normal installer, but in the background, the malware is hard at work, deploying drivers, tampering with defenses, and granting long-term access to the system," Fielenbach adds.
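Added example (not code from the original article or from the researchers cited): a small Python triage script that hunts, in exported Windows telemetry, for the behaviours the two ValleyRAT chains above share: an antivirus exclusion being changed, rundll32.exe started without a DLL argument or from a user-writable parent, a scheduled task created by a non-system binary, a driver loaded from outside the drivers directory (a BYOVD candidate), and a Latin/Cyrillic mixed-script file name like the Teams lure. The log lines are constructed for this example and only approximate Sysmon (Event IDs 1, 6, 11) and Microsoft Defender (Event ID 5007) records flattened to JSON; the field names, paths, and the Setup.exe/men.exe process trees are assumptions, and the vulnerable-driver hash set is left empty to be populated from a catalogue such as loldrivers.io.

```python
"""Triage exported Windows events for the ValleyRAT-style chain (added example)."""
import json
import unicodedata
from collections import defaultdict

# Constructed sample telemetry, not real events from either campaign. Field names
# approximate Sysmon (id 1 process create, 6 driver load, 11 file create) and
# Defender (id 5007 configuration change) records flattened to one JSON object per line.
SAMPLE_LOG = r"""
{"ts": 100, "src": "Defender", "id": 5007, "host": "WS01", "msg": "Microsoft Defender Antivirus Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Local\\Temp\\Teams = 0x0"}
{"ts": 101, "src": "Sysmon", "id": 11, "host": "WS01", "image": "C:\\Users\\alice\\Downloads\\MSTчamsSetup\\Setup.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\Teams\\Profiler.json"}
{"ts": 102, "src": "Sysmon", "id": 1, "host": "WS01", "image": "C:\\Windows\\System32\\rundll32.exe", "cmd": "rundll32.exe", "parent": "C:\\Users\\alice\\Downloads\\MSTчamsSetup\\Setup.exe"}
{"ts": 200, "src": "Sysmon", "id": 1, "host": "WS02", "image": "C:\\Windows\\System32\\schtasks.exe", "cmd": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\ProgramData\\men.exe", "parent": "C:\\ProgramData\\men.exe"}
{"ts": 201, "src": "Sysmon", "id": 6, "host": "WS02", "image": "C:\\ProgramData\\drv.sys", "signed": "true", "hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"ts": 300, "src": "Sysmon", "id": 1, "host": "WS03", "image": "C:\\Windows\\System32\\rundll32.exe", "cmd": "rundll32.exe shell32.dll,Control_RunDLL", "parent": "C:\\Windows\\explorer.exe"}
"""

WINDOWS_DIR = "c:\\windows\\"
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Assumption: fill this from a vulnerable-driver catalogue (e.g. loldrivers.io); empty here.
KNOWN_VULNERABLE_DRIVER_SHA256 = set()


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mixed_script_name(name):
    """True when a name mixes Latin and Cyrillic letters, as in MSTчamsSetup.zip."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            try:
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:
                pass
    return "LATIN" in scripts and "CYRILLIC" in scripts


def check_event(ev):
    """Return a (tactic, reason) finding for one event, or None if it looks benign."""
    src, eid = ev.get("src"), ev.get("id")
    if src == "Defender" and eid == 5007 and "\\Exclusions\\" in ev.get("msg", ""):
        return ("defense_evasion", "AV exclusion changed: " + ev["msg"].split("New value:")[-1].strip())
    if src != "Sysmon":
        return None
    image, parent, cmd = ev.get("image", ""), ev.get("parent", ""), ev.get("cmd", "")
    if eid == 1 and basename(image) == "rundll32.exe":
        tokens = cmd.split(None, 1)
        if len(tokens) < 2:  # no DLL argument: rundll32 is just a host for injected code
            return ("execution", "rundll32.exe started with no DLL argument")
        if not parent.lower().startswith(WINDOWS_DIR):
            return ("execution", "rundll32.exe spawned by non-system parent " + parent)
    if eid == 1 and basename(image) == "schtasks.exe" and "/create" in cmd.lower() \
            and not parent.lower().startswith(WINDOWS_DIR):
        return ("persistence", "scheduled task created by " + parent)
    if eid == 6:
        hashes = dict(p.split("=", 1) for p in ev.get("hashes", "").split(",") if "=" in p)
        if hashes.get("SHA256", "").lower() in KNOWN_VULNERABLE_DRIVER_SHA256:
            return ("byovd", "known vulnerable driver loaded: " + image)
        if not image.lower().startswith(DRIVER_DIR):
            return ("byovd", "driver loaded from outside the drivers directory: " + image)
    for path in (image, ev.get("target", ""), cmd):
        if mixed_script_name(path):
            return ("lure", "mixed Latin/Cyrillic path: " + path)
    return None


def triage(text):
    """Group findings per host: {host: [(tactic, reason), ...]}."""
    findings = defaultdict(list)
    for ev in parse_events(text):
        hit = check_event(ev)
        if hit:
            findings[ev["host"]].append(hit)
    return dict(findings)


def chained_hosts(findings, min_tactics=2):
    """Hosts showing several distinct tactics, i.e. a likely chain rather than a lone alert."""
    return sorted(h for h, hits in findings.items() if len({t for t, _ in hits}) >= min_tactics)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, hits in result.items():
        for tactic, reason in hits:
            print(f"{host}\t{tactic}\t{reason}")
    print("likely chains on:", chained_hosts(result))
```

Each rule on its own is noisy (legitimate installers do launch rundll32.exe and create tasks), which is why the script only escalates hosts where two or more distinct tactics coincide; on the sample data WS01 and WS02 qualify while WS03's ordinary Control Panel launch does not.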
Taken together, the two reports describe a layered chain: an SEO-poisoned lure, a trojanized installer, antivirus exclusion tampering, DLL injection into a trusted process, scheduled-task persistence, a UAC bypass and vulnerable-driver loading. Defenders should treat installers that touch security settings as suspicious regardless of how legitimate the front-end looks.