Silver Fox’s Deceptive Tactics: Fake Microsoft Teams Installers Deploy ValleyRAT Malware in China
In a sophisticated cyber-espionage campaign, the threat actor known as Silver Fox has been identified leveraging counterfeit Microsoft Teams installers to disseminate the ValleyRAT malware across Chinese organizations. This operation, active since November 2025, employs search engine optimization (SEO) poisoning to lure unsuspecting users into downloading malicious software under the guise of legitimate applications.
Deceptive Distribution via SEO Poisoning
Silver Fox’s strategy involves manipulating search engine results to direct users to fraudulent websites that mimic legitimate Microsoft Teams download pages. Once on these sites, users are prompted to download a ZIP file named MSTчamsSetup.zip from an Alibaba Cloud URL. Notably, the Cyrillic character in the file name appears to be a deliberate attempt to mislead attribution by suggesting a Russian origin.
Malware Deployment Mechanism
The downloaded archive contains a trojanized Setup.exe file, which, upon execution, performs several malicious actions:
– Security Evasion: The installer scans for processes related to 360 Total Security (360tray.exe) and configures Microsoft Defender Antivirus exclusions to avoid detection.
– Persistence Establishment: It writes a modified Microsoft installer (Verifier.exe) to the AppData\Local\ directory and executes it, ensuring the malware remains active on the system.
– Additional Payloads: The malware creates several files, including Profiler.json, GPUCache2.xml, GPUCache.xml, and AutoRecoverDat.dll, which are instrumental in the subsequent stages of the attack.
Execution and Remote Control
The malicious DLL is loaded into the memory of rundll32.exe, a legitimate Windows process, to evade detection. This process establishes a connection to an external server, facilitating the download and execution of the final payload—ValleyRAT.
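A defender-side hunting sketch for the chain described above, added here as an example and not code from the original report or any vendor: it runs a handful of rules over constructed Sysmon-style events (the event field names, the Add-MpPreference command line and the sample paths are assumptions) and flags the homoglyph ZIP name, the Defender exclusion, Verifier.exe under AppData\Local, and rundll32.exe loading and beaconing from a user-writable DLL.

```python
"""Hunting rules for the Silver Fox fake-Teams chain described above. Added example,
not from the report: Sysmon-style event dicts are constructed here; field names are assumptions."""
import re
import unicodedata

DROPPED = {"verifier.exe", "profiler.json", "gpucache2.xml", "gpucache.xml", "autorecoverdat.dll"}
LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\", re.I)
# One common way to add an exclusion; Defender also logs any config change as event ID 5007.
EXCLUSION_CMD = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def has_cyrillic(name: str) -> bool:
    """Homoglyph check: a Latin-looking name carrying Cyrillic letters (MSTчamsSetup.zip)."""
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in name)

def evaluate(event: dict) -> list:
    hits, kind = [], event.get("type")
    image = basename(event.get("image", "")).lower()
    if kind == "file_create":
        name = basename(event["target"])
        if has_cyrillic(name):
            hits.append("cyrillic-homoglyph-filename")
        if name.lower() in DROPPED and LOCAL_APPDATA.search(event["target"]):
            hits.append("silverfox-dropped-file:" + name.lower())
    elif kind == "process_create":
        if EXCLUSION_CMD.search(event.get("command_line", "")):
            hits.append("defender-exclusion-added")
        if image == "verifier.exe" and LOCAL_APPDATA.search(event.get("image", "")):
            hits.append("verifier-exe-from-localappdata")
    elif kind == "image_load" and image == "rundll32.exe" and LOCAL_APPDATA.search(event.get("loaded", "")):
        hits.append("rundll32-loads-appdata-dll")  # legitimate rundll32 loads system DLLs, not AppData ones
    elif kind == "network_connect" and image == "rundll32.exe":
        hits.append("rundll32-outbound-connection")
    return hits

def scan(events):
    # Run every event through the rules; returns (event index, rule name) pairs.
    return [(i, hit) for i, e in enumerate(events) for hit in evaluate(e)]

# Constructed sample chain mirroring the report; user name, paths and destination are placeholders.
SAMPLE_EVENTS = [
    {"type": "file_create", "target": r"C:\Users\u\Downloads\MSTчamsSetup.zip"},
    {"type": "process_create", "image": r"C:\Users\u\Downloads\Setup.exe",
     "command_line": 'powershell -c "Add-MpPreference -ExclusionPath %LOCALAPPDATA%"'},
    {"type": "file_create", "target": r"C:\Users\u\AppData\Local\Verifier.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Verifier.exe", "command_line": "Verifier.exe"},
    {"type": "image_load", "image": r"C:\Windows\System32\rundll32.exe", "loaded": r"C:\Users\u\AppData\Local\AutoRecoverDat.dll"},
    {"type": "network_connect", "image": r"C:\Windows\System32\rundll32.exe", "dest": "203.0.113.10:443"},
]
```

Any single rule fires on benign activity now and then; the value is in the sequence, so correlate hits from one host within a short window before alerting.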
ValleyRAT Capabilities
ValleyRAT, a variant of the Gh0st RAT malware, equips attackers with extensive control over compromised systems, including:
– Remote Command Execution: Enables the execution of arbitrary commands on the infected machine.
– Data Exfiltration: Allows unauthorized access and extraction of sensitive information.
– System Monitoring: Facilitates the surveillance of user activities and system processes.
– Persistence Maintenance: Ensures the malware remains active and undetected over extended periods.
Attribution and Misleading Tactics
The incorporation of Cyrillic elements in the malware’s components is likely an intentional move by Silver Fox to mislead attribution efforts, diverting suspicion towards Russian threat actors. This tactic underscores the group’s sophistication in conducting false flag operations to obscure their true origins.
Broader Implications and Related Campaigns
Silver Fox’s activities are not isolated incidents. The group has a history of employing similar tactics, such as using fake websites advertising popular software like WPS Office, Sogou, and DeepSeek to deliver malware payloads, including Sainbox RAT and the Hidden rootkit. These campaigns often target Chinese-speaking users, indicating a strategic focus on this demographic.
In another related campaign, Silver Fox utilized trojanized Telegram installers to initiate multi-stage attacks that ultimately deployed ValleyRAT. This approach also involved the Bring Your Own Vulnerable Driver (BYOVD) technique to load NSecKrnl64.sys and terminate security solution processes, further demonstrating the group’s advanced capabilities in evading detection and maintaining persistence.
Conclusion
The Silver Fox group’s use of counterfeit Microsoft Teams installers to spread ValleyRAT malware highlights the evolving nature of cyber threats and the importance of vigilance among users and organizations. By exploiting trusted platforms and employing sophisticated evasion techniques, such threat actors pose significant risks to data security and system integrity. It is imperative for individuals and organizations to exercise caution when downloading software, ensuring sources are legitimate and verified, to mitigate the risk of malware infections.