The cybercrime group known as Silver Fox has initiated a deceptive SEO poisoning campaign aimed at organizations operating within China, particularly those with Chinese-speaking users. This operation is notable for its use of a false flag technique, incorporating Cyrillic and Russian linguistic elements to suggest involvement by a Russian threat actor. The campaign leverages lures related to Microsoft Teams, a common communication platform, to distribute its malware. The malicious activity, first identified in November 2025, attempts to redirect unsuspecting users who are searching for the legitimate Teams software to a fraudulent website.
The infection chain begins when a user downloads the supposed Teams software, which is a ZIP file named “MSTчamsSetup.zip” retrieved from an Alibaba Cloud URL. This archive’s Russian-themed naming convention is a core part of the attribution confusion tactic. Inside the ZIP file is “Setup.exe,” a trojanized version of the Teams installer. This executable is engineered to first check for security products, specifically looking for processes related to 360 Total Security. It then configures exceptions within Microsoft Defender Antivirus to ensure the malicious code can execute without interruption.
Following the initial compromise, the malware writes a trojanized version of the Microsoft installer, named “Verifier.exe,” to the local application data path and executes it. This process then writes several additional files, including “Profiler.json” and “GPUcache.xml.” The next step involves launching a malicious DLL into the memory of rundll32.exe, a legitimate Windows process. This technique, known as process injection or living-off-the-land, helps the malware remain stealthy and avoid detection by security software.
Once injected, the attack progresses to its final stage: establishing a connection with an external command-and-control server. The purpose of this connection is to fetch the final payload, which is ValleyRAT. ValleyRAT, a variant of the notorious Gh0st RAT primarily associated with Chinese hacking groups, gives the threat actors full remote control over the compromised systems. This allows them to exfiltrate sensitive data, execute arbitrary commands, and maintain persistent access for future malicious activities.
Silver Fox’s ultimate goal is believed to be financial gain through theft, scams, and fraud, alongside the collection of sensitive intelligence. The group benefits from the plausible deniability created by the Russian false flag, enabling them to operate with reduced scrutiny. The disclosure of this campaign coincides with reports of a separate ValleyRAT attack chain detailed by Nextron Systems, which uses a trojanized Telegram installer and incorporates the sophisticated Bring Your Own Vulnerable Driver (BYOVD) technique to load a vulnerable kernel driver and terminate security processes, highlighting the evolving tactics used by groups deploying this malware.
Reference:
