The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China.
The search engine optimization (SEO) poisoning campaign leverages Microsoft Teams lures to trick unsuspecting users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0), a known malware associated with the Chinese cybercrime group. The activity has been underway since November 2025.
“This campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified ‘ValleyRAT’ loader containing Cyrillic elements – likely an intentional move to mislead attribution,” ReliaQuest researcher Hayden Evans said in a report shared with The Hacker News.
ValleyRAT, a variant of Gh0st RAT, allows threat actors to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-term persistence within targeted networks. It’s worth noting that the use of Gh0st RAT is primarily attributed to Chinese hacking groups.
The use of Teams for the SEO poisoning campaign marks a departure from prior efforts that have leveraged other popular programs like Google Chrome, Telegram, WPS Office, and DeepSeek to activate the infection chain.
The SEO campaign is meant to redirect users to a bogus website that features an option to download the supposed Teams software. In reality, a ZIP file named “MSTчamsSetup.zip” is retrieved from an Alibaba Cloud URL. The archive utilizes Russian linguistic elements to confuse attribution efforts.
Present within the file is “Setup.exe,” a trojanized version of Teams that’s engineered to scan running processes for binaries related to 360 Total Security (“360tray.exe”), configure Microsoft Defender Antivirus exclusions, and write the trojanized version of the Microsoft installer (“Verifier.exe”) to the “AppData\Local\” path and execute it.
The malware proceeds to write additional files, including “AppData\Local\Profiler.json,” “AppData\Roaming\Embarcadero\GPUCache2.xml,” “AppData\Roaming\Embarcadero\GPUCache.xml,” and “AppData\Roaming\Embarcadero\AutoRecoverDat.dll.”
In the next step, it loads data from “Profiler.json” and “GPUcache.xml,” and launches the malicious DLL into the memory of “rundll32.exe,” a legitimate Windows process, so as to fly under the radar. The attack moves to the final stage with the malware establishing a connection to an external server to fetch the final payload to facilitate remote control.
“Silver Fox’s objectives include financial gain through theft, scams, and fraud, alongside the collection of sensitive intelligence for geopolitical advantage,” ReliaQuest said. “Targets face immediate risks such as data breaches, financial losses, and compromised systems, while Silver Fox maintains plausible deniability, allowing it to operate discreetly without direct government funding.”
The disclosure comes as Nextron…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
