The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China.
The search engine optimization (SEO) poisoning campaign leverages Microsoft Teams lures to trick unsuspecting users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0), a known malware associated with the Chinese cybercrime group. The activity has been underway since November 2025.
"This campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified 'ValleyRAT' loader containing Cyrillic elements – likely an intentional move to mislead attribution," ReliaQuest researcher Hayden Evans said in a report shared with The Hacker News.
ValleyRAT, a variant of Gh0st RAT, allows threat actors to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-term persistence within targeted networks. It's worth noting that the use of Gh0st RAT is primarily attributed to Chinese hacking groups.
The use of Teams for the SEO poisoning campaign marks a departure from prior efforts that have leveraged other popular programs like Google Chrome, Telegram, WPS Office, and DeepSeek to activate the infection chain.
The SEO campaign is meant to redirect users to a bogus website that features an option to download the supposed Teams software. In reality, a ZIP file named "MSTчamsSetup.zip" is retrieved from an Alibaba Cloud URL. The archive utilizes Russian linguistic elements to confuse attribution efforts.
Present within the file is "Setup.exe," a trojanized version of Teams that's engineered to scan running processes for binaries related to 360 Total Security ("360tray.exe"), configure Microsoft Defender Antivirus exclusions, and write the trojanized version of the Microsoft installer ("Verifier.exe") to the "AppData\Local\" path and execute it.
The malware proceeds to write additional files, including "AppData\Local\Profiler.json," "AppData\Roaming\Embarcadero\GPUCache2.xml," "AppData\Roaming\Embarcadero\GPUCache.xml," and "AppData\Roaming\Embarcadero\AutoRecoverDat.dll."
In the next step, it loads data from "Profiler.json" and "GPUcache.xml," and launches the malicious DLL into the memory of "rundll32.exe," a legitimate Windows process, so as to fly under the radar. The attack moves to the final stage with the malware establishing a connection to an external server to fetch the final payload to facilitate remote control.
"Silver Fox's objectives include financial gain through theft, scams, and fraud, alongside the collection of sensitive intelligence for geopolitical advantage," ReliaQuest said. "Targets face immediate risks such as data breaches, financial losses, and compromised systems, while Silver Fox maintains plausible deniability, allowing it to operate discreetly without direct government funding."
The disclosure comes as Nextron Systems highlighted another ValleyRAT attack chain that uses a trojanized Telegram installer as the starting point to kick off a multi-stage process that ultimately delivers the trojan. This attack is also notable for leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to load "NSecKrnl64.sys" and terminate security solution processes.
"This installer sets a dangerous Microsoft Defender exclusion, stages a password-protected archive together with a renamed 7-Zip binary, and then extracts a second-stage executable," security researcher Maurice Fielenbach said.
"That second-stage orchestrator, men.exe, deploys additional components into a folder under the public user profile, manipulates file permissions to resist cleanup, and sets up persistence through a scheduled task that runs an encoded VBE script. This script in turn launches a vulnerable driver loader and a signed binary that sideloads the ValleyRAT DLL."
Men.exe is also responsible for enumerating running processes to identify endpoint security-related processes, as well as loading the vulnerable "NSecKrnl64.sys" driver using "NVIDIA.exe" and executing ValleyRAT. Furthermore, one of the key components dropped by the orchestrator binary is "bypass.exe," which enables privilege escalation by means of a User Account Control (UAC) bypass.
"On the surface, victims see a normal installer," Fielenbach said. "In the background, the malware stages files, deploys drivers, tampers with defenses, and finally launches a ValleyRat beacon that keeps long-term access to the system."
