Silver Fox Mimics Russian Hackers in Microsoft Teams Malware Attack

Silver Fox is running a false-flag SEO poisoning campaign in China, using trojanized Microsoft Teams installers to deliver ValleyRAT malware while planting Russian-language artifacts to misdirect attribution

  • The threat group Silver Fox is running a false-flag campaign that mimics Russian actors while targeting organizations in China.
  • Since November 2025 the attack has used SEO poisoning and fake Microsoft Teams installers to distribute ValleyRAT malware.
  • ValleyRAT, a variant of Gh0st RAT, gives the operators remote control, data theft, and persistence on infected systems.
  • The campaign's malicious files include Russian-language elements intended to mislead attribution.
  • A related ValleyRAT campaign uses a trojanized Telegram installer and a vulnerable driver to disable security software.

The hacking group Silver Fox has been running a deceptive campaign since November 2025 against Chinese-speaking users, including employees of Western organizations operating in China. Victims are steered by search engine optimization (SEO) poisoning to a malicious Microsoft Teams setup file, and the tooling is dressed up to look like the work of a Russian threat actor.


The downloaded ZIP archive, named "MSTчamsSetup.zip" (note the Cyrillic "ч" standing in for the "e" of "Teams"), is hosted on an Alibaba Cloud URL and contains a trojanized Teams installer ("Setup.exe"). The modified installer scans for security software, alters Microsoft Defender Antivirus settings, and runs a trojanized Microsoft installer named "Verifier.exe" from the user's AppData folder. Further files are dropped and loaded into the legitimate Windows process "rundll32.exe" so the activity blends in with normal system behaviour. The chain ends with a connection to an external server that returns the final payload, which installs ValleyRAT.
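The chain above gives a defender several observable stages: a download whose file name mixes Latin and Cyrillic letters, a second-stage binary executed out of AppData, rundll32.exe spawned by that binary, and an outbound connection from rundll32.exe. As an added example (not code from the page, the researchers, or any vendor), the Python below runs those checks over constructed Sysmon-style events; the event field names, paths, hosts and sample records are assumptions for illustration. The mixed-script check is general, not tied to this one file name, and deliberately ignores CJK characters so an ordinary Chinese-named archive is not flagged.

```python
import unicodedata
from typing import Dict, List, Set, Tuple

# Constructed Sysmon-style events (id 11 = file create, 1 = process create,
# 3 = network connect). Paths, hosts and field names are assumptions for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "11", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\Downloads\MSTчamsSetup.zip"},
    {"id": "1", "image": r"C:\Users\alice\Downloads\MSTчamsSetup\Setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Setup.exe"},
    {"id": "1", "image": r"C:\Users\alice\AppData\Roaming\Verifier.exe",
     "parent": r"C:\Users\alice\Downloads\MSTчamsSetup\Setup.exe", "cmdline": "Verifier.exe"},
    {"id": "1", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Verifier.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\stage.dll,Run"},
    {"id": "3", "image": r"C:\Windows\System32\rundll32.exe", "dest": "203.0.113.10:443"},
    {"id": "1", "image": r"C:\Program Files\Microsoft\Teams\current\Teams.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Teams.exe"},
]

# Scripts whose letters are visually confusable with one another in a file name.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}


def letter_scripts(name: str) -> Set[str]:
    """Script of every letter in `name`, taken from the first word of its Unicode
    character name (e.g. 'CYRILLIC SMALL LETTER CHE' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ch.isalpha()}


def is_mixed_script(name: str) -> bool:
    """True when a file name mixes two or more confusable scripts, as in
    'MSTчamsSetup.zip', where a Cyrillic 'ч' replaces the Latin 'e' of MSTeamsSetup."""
    return len(letter_scripts(name) & CONFUSABLE_SCRIPTS) > 1


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_appdata(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Walk the events in order and emit (rule, evidence) pairs for each stage of the
    chain: a mixed-script download, Verifier.exe run from AppData, rundll32 spawned by
    a process living in AppData, and a network connection from that rundll32."""
    findings: List[Tuple[str, str]] = []
    suspicious_rundll32 = False
    for ev in events:
        if ev["id"] == "11" and is_mixed_script(basename(ev["target"])):
            findings.append(("mixed_script_filename", basename(ev["target"])))
        elif ev["id"] == "1":
            image, parent = ev["image"], ev.get("parent", "")
            if basename(image).lower() == "verifier.exe" and in_appdata(image):
                findings.append(("verifier_from_appdata", image))
            if basename(image).lower() == "rundll32.exe" and in_appdata(parent):
                findings.append(("rundll32_from_appdata_parent", parent))
                suspicious_rundll32 = True
        elif ev["id"] == "3" and suspicious_rundll32 and basename(ev["image"]).lower() == "rundll32.exe":
            findings.append(("rundll32_network", ev["dest"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in flag_events(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence}")
```

Each rule fires on its own, so a hunt can start from any stage; the network rule is the only one that depends on an earlier hit, because rundll32.exe making connections is normal unless its parent was something in a user-writable folder. Real Sysmon exports carry these fields as `TargetFilename`, `Image`, `ParentImage` and `DestinationIp`, so the adapter is a field rename.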

ValleyRAT is a remote access trojan (RAT) derived from Gh0st RAT, a malware family mostly associated with Chinese cybercrime groups. It lets attackers control infected systems remotely, exfiltrate sensitive data, execute commands, and maintain persistence inside networks. The Cyrillic characters in the loader were added deliberately to confuse investigators and misdirect blame, researcher Hayden Evans noted in a report shared with The Hacker News.

In a separate but related incident, another ValleyRAT infection chain was found using a trojanized Telegram installer as its initial vector. That chain brings its own vulnerable driver, "NSecKrnl64.sys", loaded through a signed binary, and uses it to kill security processes and establish long-term access. Security researcher Maurice Fielenbach detailed that the campaign stages files on disk, uses User Account Control (UAC) bypass techniques to escalate privileges, and keeps persistence through scheduled tasks and encoded scripts.
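Two of the techniques in that chain leave artifacts that are cheap to check on a host: a scheduled task whose action hides its real command behind PowerShell's -EncodedCommand (base64 over UTF-16LE text), and a driver load of a block-listed file name. As an added example (not code from the page or from the researchers), the Python below decodes such a task action, scores the task for persistence, and checks a driver-load record against a name list. The task names, trigger fields, script body and event layout are constructed assumptions; the driver list contains only the name the page gives.

```python
import base64
import re
from typing import Dict, List, Optional

# Drivers to refuse or alert on. The page names only NSecKrnl64.sys; in practice seed
# this from a vetted blocklist rather than hand-typed names.
VULNERABLE_DRIVER_NAMES = {"nseckrnl64.sys"}

# powershell.exe accepts -e / -ec / -enc / -EncodedCommand followed by a base64 string
# that decodes to UTF-16LE script text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed sample: a task action carrying an encoded command that launches a stage
# from the user's AppData folder. Task names, triggers and the script are assumptions.
SAMPLE_SCRIPT = r"Start-Process -WindowStyle Hidden $env:APPDATA\stage\Verifier.exe"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_TASKS: List[Dict[str, str]] = [
    {"name": r"\Microsoft\Windows\UpdateCheck", "trigger": "logon", "run_level": "highest",
     "action": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_B64}"},
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "trigger": "weekly",
     "run_level": "highest", "action": r"C:\Windows\System32\defrag.exe -c"},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if there is none or the token
    is not valid base64-wrapped UTF-16LE."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_task(task: Dict[str, str]) -> List[str]:
    """Reasons a scheduled task looks like persistence: an encoded action, a
    user-writable path in the (decoded) action, and an elevated logon trigger on top
    of either of those."""
    reasons: List[str] = []
    decoded = decode_encoded_command(task["action"])
    if decoded is not None:
        reasons.append(f"encoded_command: {decoded}")
    if re.search(r"(?i)\\appdata\\|%appdata%|\$env:appdata", task["action"] + (decoded or "")):
        reasons.append("user_writable_path")
    if reasons and task["run_level"] == "highest" and task["trigger"] == "logon":
        reasons.append("elevated_logon_persistence")
    return reasons


def flag_driver_load(event: Dict[str, str]) -> Optional[str]:
    """Sysmon event 6 style record: block-listed name first, then anything whose
    signature did not verify. A valid signature alone does not clear a driver, which
    is the whole point of bringing a vulnerable signed driver."""
    name = event["image_loaded"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in VULNERABLE_DRIVER_NAMES:
        return "known_vulnerable_driver"
    if event.get("signature_status", "").lower() != "valid":
        return "unverified_driver_signature"
    return None


if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(task["name"], triage_task(task) or "clean")
    print(flag_driver_load({"image_loaded": r"C:\Windows\Temp\NSecKrnl64.sys",
                            "signature_status": "Valid"}))
```

On a live host the task actions come from `schtasks /query /xml` or `Get-ScheduledTask | Select -Expand Actions`, and driver loads from Sysmon event 6 or the Windows Defender Application Control log. For the name list, the LOLDrivers project and Microsoft's vulnerable driver blocklist are the usual sources; a name match is a weak indicator on its own (the file can be renamed), so pair it with the file hash where the telemetry provides one.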

Silver Fox's motives combine financial profit through theft and fraud with the collection of sensitive intelligence for geopolitical ends. The group keeps plausible deniability, operating discreetly without official state sponsorship or direct government funding.


✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
