BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Silver Fox Mimics Russian Hackers in Microsoft Teams Malware Attack

Silver Fox launches false flag SEO poisoning attacks in China using trojanized Microsoft Teams installers to distribute ValleyRAT malware with Russian misdirection tactics

  • The threat group Silver Fox is conducting a false flag campaign mimicking Russian actors to target organizations in China.
  • The attack uses SEO poisoning with fake Microsoft Teams installers to distribute ValleyRAT Malware since November 2025.
  • ValleyRAT, a variant of Gh0st RAT, enables remote control, data theft, and persistence on infected systems.
  • The campaign’s malicious files include Russian-language elements to mislead attribution efforts.
  • A related ValleyRAT campaign leverages a trojanized Telegram installer and a vulnerable driver to bypass security.

The Hacking group Silver Fox has deployed a deceptive attack campaign since November 2025 targeting Chinese-speaking users, including employees of Western organizations operating in China. The operation impersonates a Russian threat actor by using a search engine optimization (SEO) poisoning technique that leads victims to download a malicious Microsoft Teams setup file.

- Advertisement -

The downloaded ZIP archive, named “MSTчamsSetup.zip,” is hosted on an Alibaba Cloud URL and contains a trojanized Teams installer (“Setup.exe”). This modified installer scans for security software, alters Microsoft Defender Antivirus settings, and executes a trojanized Microsoft installer named “Verifier.exe” from the user’s AppData folder. Additional files are dropped and loaded into the legitimate Windows process “rundll32.exe” to evade detection. This chain culminates in connecting to an external server to retrieve the final payload that installs the ValleyRAT malware.

ValleyRAT is a remote access trojan (RAT) derived from Gh0st RAT, a malware family mostly linked to Chinese cybercrime groups. It permits attackers to control infected systems remotely, exfiltrate sensitive data, execute commands, and maintain persistence within networks. The attackers incorporated Cyrillic characters in the loader as a deliberate ploy to confuse investigators and misdirect blame, as noted by researcher Hayden Evans in a report shared with The Hacker News.

In a separate but related incident, another ValleyRAT infection chain was uncovered employing a trojanized Telegram installer as its initial vector. This attack advances by deploying a vulnerable driver named “NSecKrnl64.sys,” loaded via a signed binary, which disables security processes and establishes long-term access. Security researcher Maurice Fielenbach detailed that this campaign stages files and uses User Account Control (UAC) bypass methods to escalate privileges and maintain system persistence through scheduled tasks and encoded scripts, as reported here.

The motive behind Silver Fox‘s operations includes financial profit through theft and fraud, alongside the gathering of sensitive intelligence for geopolitical aims. The group maintains plausible deniability to operate discreetly without official state sponsorship or direct government funding.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

AMD Stock Dips 10% Amid AI Volatility Ahead of Q3 Earnings

AMD stock fell nearly 10% from $580 on June 30 to roughly $516 by...

Bitcoin Creator Back Warns BIP-110 Data Limit Could Split Network

Adam Back said Bitcoin has "robustly rejected" BIP-110, arguing the proposal conflicts with the...

Must Read

7 Best Audiobooks on Cybersecurity

Cybersecurity has become an essential topic in our increasingly digital world. As technology evolves and becomes more integrated into our daily lives, the importance...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading