The threat actor known as Silver Fox has been observed orchestrating false flag operations that mimic Russian threat groups in attacks targeting Chinese organizations.
Search Engine Optimization (SEO) poisoning campaigns use Microsoft Teams lures to trick unsuspecting users into downloading malicious setup files, which lead to the deployment of ValleyRAT (Winos 4.0), a known malware associated with Chinese cybercrime groups. The activity has been ongoing since November 2025.
“This campaign uses a modified ‘ValleyRAT’ loader containing Cyrillic elements to target Chinese-speaking users, including those within Western organizations operating in China. It is likely a deliberate move to mislead attribution,” ReliaQuest researcher Hayden Evans said in a report shared with The Hacker News.
ValleyRAT, a variant of Gh0st RAT, allows attackers to remotely control infected systems, extract sensitive data, execute arbitrary commands, and maintain long-term persistence within targeted networks. It is worth noting that Gh0st RAT is used primarily by Chinese hacker groups.
The use of Teams for SEO poisoning campaigns marks a departure from previous efforts that leveraged other popular programs such as Google Chrome, Telegram, WPS Office, and DeepSeek to fuel infection chains.
This SEO campaign aims to redirect users to a fake website offering a download of what purports to be the Teams software. What is actually retrieved from an Alibaba Cloud URL is a ZIP file named “MSTчamsSetup.zip”. The archive name uses Cyrillic characters to disrupt attribution efforts.
Inside the file is a trojanized version of Teams called ‘Setup.exe’. It is designed to scan running processes for binaries related to 360 Total Security (‘360tray.exe’), configure Microsoft Defender Antivirus exclusions, and write and run a trojanized version of the Microsoft installer (‘Verifier.exe’) under the ‘AppData\Local’ path.
The malware then writes additional files such as “AppData\Local\Profiler.json”, “AppData\Roaming\Embarcadero\GPUCache2.xml”, “AppData\Roaming\Embarcadero\GPUCache.xml”, and “AppData\Roaming\Embarcadero\AutoRecoverDat.dll”.
The next step is to fly under the radar by loading data from ‘Profiler.json’ and ‘GPUCache.xml’ and injecting a malicious DLL into the memory of a legitimate Windows process, ‘rundll32.exe’. The attack progresses to the final stage, where the malware establishes a connection to an external server to retrieve the final payload and facilitate remote control.
“Silver Fox’s objectives include financial gain through theft and fraud, in addition to collecting sensitive information to gain geopolitical advantage,” ReliaQuest said. “While targets face immediate risks such as data breaches, financial loss, and system compromise, Silver Fox maintains plausible deniability and is able to operate discreetly without direct government funding.”
This disclosure comes as Nextron Systems highlights another ValleyRAT attack chain that uses a trojanized Telegram installer as the starting point of a multi-step process that ultimately delivers the Trojan. This attack also uses the Bring Your Own Vulnerable Driver (BYOVD) technique to load ‘NSecKrnl64.sys’ and terminate security solution processes.
“The installer sets dangerous Microsoft Defender exclusions, stages a password-protected archive with a renamed 7-Zip binary, and extracts the second stage executable,” said security researcher Maurice Fielenbach.
“The second-stage orchestrator, men.exe, deploys additional components to folders under the public user profile, manipulates file permissions to prevent cleanup, and sets persistence through a scheduled task that runs an encoded VBE script that launches a vulnerable driver loader and a signed binary that sideloads the ValleyRAT DLL.”

Men.exe is also responsible for enumerating running processes and identifying endpoint security-related processes. It also uses “NVIDIA.exe” to load the vulnerable “NSecKrnl64.sys” driver to run ValleyRAT. Additionally, one of the key components dropped by the orchestrator binary is ‘bypass.exe’, which allows for privilege escalation via a User Account Control (UAC) bypass.
“On the surface, the victim looks like a regular installer,” Fielenbach said. “The malware stages files in the background, deploys drivers, tampers with defenses, and finally launches a ValleyRAT beacon that maintains long-term access to the system.”
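As an added host-triage example (not code from the ReliaQuest or Nextron reports), the following PowerShell script checks a Windows endpoint for the artifacts both chains leave behind: Defender exclusions, the dropped file names under the user profile, a scheduled task that runs a .vbe script, rundll32.exe with a module loaded from AppData, and the NSecKrnl64.sys driver. The AppData\Local and AppData\Roaming locations are my reading of the paths quoted above.

```powershell
# Added triage script: collects indicators described in the write-up into $findings.
# Assumes Windows 10/11 with the Microsoft Defender PowerShell module; run as administrator.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Defender exclusions: both installers add them before staging payloads.
$pref = Get-MpPreference
foreach ($x in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($x) { Add-Finding 'DefenderExclusion' $x }
}

# 2. Files dropped by the Teams chain (names taken from the report; locations assumed).
$dropped = @(
    "$env:LOCALAPPDATA\Verifier.exe",
    "$env:LOCALAPPDATA\Profiler.json",
    "$env:APPDATA\Embarcadero\GPUCache.xml",
    "$env:APPDATA\Embarcadero\GPUCache2.xml",
    "$env:APPDATA\Embarcadero\AutoRecoverDat.dll"
)
foreach ($f in $dropped) { if (Test-Path -LiteralPath $f) { Add-Finding 'DroppedFile' $f } }

# 3. Scheduled tasks whose action references an encoded VBE script (Telegram chain persistence).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '\.vbe\b') { Add-Finding 'VbeScheduledTask' "$($task.TaskName): $cmd" }
    }
}

# 4. rundll32.exe hosting a DLL loaded from the user profile (Teams chain injection stage).
Get-Process -Name rundll32 -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $_.FileName -like "$env:APPDATA\*" -or $_.FileName -like "$env:LOCALAPPDATA\*" } |
            ForEach-Object { Add-Finding 'Rundll32UserProfileModule' "PID $($p.Id): $($_.FileName)" }
    } catch { Add-Finding 'Rundll32ModuleReadFailed' "PID $($p.Id): $($_.Exception.Message)" }
}

# 5. The vulnerable driver abused via BYOVD, whether loaded or merely registered.
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'NSecKrnl64\.sys' } |
    ForEach-Object { Add-Finding 'VulnerableDriver' "$($_.Name) [$($_.State)] $($_.PathName)" }

if ($findings.Count -eq 0) { Write-Output 'No indicators from the described chains found.' }
else { $findings | Format-Table -AutoSize }
```

Any hit in categories 2 to 5 warrants isolating the host; category 1 is expected to be non-empty on managed fleets, so compare it against the organisation's sanctioned exclusion list rather than treating every entry as malicious.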