Silver Fox Campaign: Fake Microsoft Teams Installer Delivers ValleyRAT in China

A new SEO poisoning campaign attributed to the threat actor Silver Fox is targeting Chinese-speaking users and organizations operating in China. The attackers are distributing a trojanized Microsoft Teams installer that ultimately deploys ValleyRAT (Winos 4.0), a remote access trojan linked to Chinese cybercrime groups.

Key Characteristics of the Campaign

  • False flag tactics:
    • Loader contains Cyrillic elements to mislead attribution, mimicking Russian threat groups.
  • Delivery method:
    • SEO poisoning redirects victims to a fake Teams download site.
    • Victims receive a ZIP archive (MSTчamsSetup.zip) hosted on Alibaba Cloud.
  • Trojanized installer behavior:
    • Scans for 360 Total Security processes (360tray.exe).
    • Configures Microsoft Defender exclusions.
    • Drops a modified installer (Verifier.exe) into AppData\Local\.
    • Writes multiple files (Profiler.json, GPUCache.xml, AutoRecoverDat.dll) to disguise activity.
    • Injects malicious DLL into rundll32.exe for stealth execution.
    • Establishes C2 connection to fetch the final ValleyRAT payload.

ValleyRAT Capabilities

  • Variant of Gh0st RAT, long associated with Chinese groups.
  • Provides attackers with:
    • Remote control of infected systems.
    • Data exfiltration.
    • Arbitrary command execution.
    • Long-term persistence.

Related Attack Chains

  • Trojanized Telegram installer:
    • Uses BYOVD (Bring Your Own Vulnerable Driver) with NSecKrnl64.sys to disable security processes.
    • Deploys orchestrator (men.exe) that:
      • Extracts staged executables via password-protected archives.
      • Sets persistence through scheduled tasks and encoded VBE scripts.
      • Loads ValleyRAT DLL via sideloading.
      • Drops bypass.exe for UAC bypass and privilege escalation.
  • Victims see a normal installer interface, while malware silently stages files, tampers with defenses, and launches ValleyRAT beacons.

Objectives of Silver Fox

  • Financial gain: theft, scams, fraud.
  • Geopolitical intelligence collection: targeting organizations in China, including Western firms operating locally.
  • Plausible deniability: false flag elements allow operations without direct attribution to state sponsorship.

Defensive Recommendations

  • User awareness:
    • Warn employees against downloading installers from search results.
    • Verify software sources directly from vendor sites.
  • Endpoint monitoring:
    • Detect suspicious Defender exclusions and rundll32 DLL injections.
    • Hunt for artifacts (Profiler.json, GPUCache.xml, AutoRecoverDat.dll).
  • Network defense:
    • Monitor outbound connections to suspicious Alibaba Cloud URLs or C2 infrastructure.
  • Patch and harden:
    • Ensure BYOVD vulnerabilities are mitigated; block unsigned or vulnerable driver loading.
  • Incident response:
    • If ValleyRAT is detected, assume persistence and privilege escalation; isolate and reimage affected systems.
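As an added hunting example (not code from the article or from the vendor report it summarises), the following Python implements the endpoint-monitoring checks above against constructed, simplified endpoint events. The event field names (`type`, `host`, `image`, `command_line`, `path`) are assumptions standing in for normalised telemetry such as Sysmon process-creation and file-creation events and Defender configuration-change events; the artifact file names and the AppData\Local location come from the write-up. A legitimate Teams install also lives under AppData\Local, so each signal is weak on its own and the example correlates them per host before raising a hit.

```python
"""Hunting heuristics for the Silver Fox / ValleyRAT indicators in this write-up.

Added example, not the article's or any vendor's code. Events below are
CONSTRUCTED, simplified dicts standing in for normalised endpoint telemetry;
the field names are assumptions, not a real product schema.
"""
import re
from collections import defaultdict

# Artifact names taken from the write-up (file names only; directories are assumed).
ARTIFACT_NAMES = {"profiler.json", "gpucache.xml", "autorecoverdat.dll", "verifier.exe"}

# Matches a user-writable ...\AppData\Local directory (with or without trailing slash).
APPDATA_LOCAL = re.compile(r"\\appdata\\local(\\|$)", re.IGNORECASE)


def check_defender_exclusion(event):
    """Flag Defender exclusions added for user-writable AppData\\Local paths."""
    if event.get("type") != "defender_exclusion_added":
        return None
    path = event.get("path", "")
    if APPDATA_LOCAL.search(path):
        return f"Defender exclusion added for user-writable path: {path}"
    return None


def check_rundll32(event):
    """Flag rundll32.exe invoked with a DLL under AppData\\Local (injection/sideload)."""
    if event.get("type") != "process_create":
        return None
    image = event.get("image", "").lower()
    cmdline = event.get("command_line", "")
    if image.endswith("\\rundll32.exe") and APPDATA_LOCAL.search(cmdline):
        return f"rundll32.exe loading DLL from AppData\\Local: {cmdline}"
    return None


def check_artifact(event):
    """Flag creation of any artifact file name listed in the write-up."""
    if event.get("type") != "file_create":
        return None
    name = event.get("path", "").rsplit("\\", 1)[-1].lower()
    if name in ARTIFACT_NAMES:
        return f"Known artifact name written: {event['path']}"
    return None


CHECKS = (check_defender_exclusion, check_rundll32, check_artifact)


def hunt(events):
    """Run every check over every event; return a list of finding dicts."""
    findings = []
    for ev in events:
        for check in CHECKS:
            detail = check(ev)
            if detail:
                findings.append({"host": ev.get("host", "?"), "check": check.__name__, "detail": detail})
    return findings


def hosts_with_multiple_signals(findings, threshold=2):
    """Hosts on which at least `threshold` distinct checks fired (sorted)."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f["host"]].add(f["check"])
    return sorted(h for h, k in kinds.items() if len(k) >= threshold)


# CONSTRUCTED sample telemetry: ws01 shows the chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Local\AutoRecoverDat.dll",Start'},
    {"host": "ws01", "type": "defender_exclusion_added", "path": r"C:\Users\alice\AppData\Local"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\alice\AppData\Local\Profiler.json"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws02", "type": "file_create", "path": r"C:\Users\bob\AppData\Local\Temp\report.json"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['host']}] {f['check']}: {f['detail']}")
    print("Hosts with correlated signals:", hosts_with_multiple_signals(results))
```

In a real deployment the `defender_exclusion_added` events would be sourced from Microsoft Defender Antivirus configuration-change events (event ID 5007 in the Defender operational log) or from `Get-MpPreference` output, and the process and file events from Sysmon event IDs 1 and 11; the per-host correlation is what keeps a single benign Teams install under AppData\Local from paging anyone.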

Final Thought

Silver Fox’s campaign demonstrates how SEO poisoning and false flag tactics can combine to deliver powerful RATs like ValleyRAT while confusing attribution. Organizations in China, especially Western firms operating locally, should treat fake installer lures as high-risk vectors and strengthen defenses against DLL injection, BYOVD exploitation, and malicious persistence mechanisms.
