Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China

These articles are AI-generated summaries. Please check the original sources for full details.

Silver Fox, a threat actor, has orchestrated a false flag campaign using a fake Microsoft Teams installer to deliver ValleyRAT (Winos 4.0) malware. The attack, active since November 2025, exploits SEO poisoning to redirect users to a malicious Alibaba Cloud URL hosting a trojanized installer.

Why This Matters

The campaign highlights the gap between ideal endpoint security and real-world evasion tactics. Despite Microsoft Defender exclusions and process obfuscation (e.g., embedding malware in rundll32.exe), ValleyRAT achieves persistence by leveraging Cyrillic obfuscation and driver-based payload delivery. The attack’s sophistication—combining social engineering, process injection, and UAC bypass—demonstrates how adversaries exploit both technical and human vulnerabilities.

Key Insights

  • “ValleyRAT (Winos 4.0) used in 2025 campaign”: ReliaQuest report (2025)
  • “SEO poisoning over phishing for broader reach”: Targeting Chinese-speaking users via search engine manipulation
  • “Alibaba Cloud URL hosting malicious ZIP”: Attack vector includes “MSTчamsSetup.zip” with Russian linguistic elements

Practical Applications

  • Use Case: Chinese cybercrime groups using ValleyRAT for data exfiltration and geopolitical intelligence gathering
  • Pitfall: Overlooking Cyrillic obfuscation in threat attribution, leading to misdirected incident response
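The attribution pitfall above comes down to noticing mixed-script filenames such as the reported “MSTчamsSetup.zip”. The following is an added example, not code from the summary or from the ReliaQuest report: it groups the letters of a filename by Unicode script and scores the stem against a hypothetical allowlist of expected installer names (the allowlist and the 0.8 threshold are assumptions).

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample inputs: the archive name quoted on the page, a benign
# installer name, and a wholly Cyrillic name (single script, so not "mixed").
SAMPLE_NAMES = ["MSTчamsSetup.zip", "MSTeamsSetup.exe", "установка.zip"]

# Hypothetical allowlist of installer stems a team expects to see (assumption).
EXPECTED_INSTALLERS = ["MSTeamsSetup", "TeamsSetup"]


def letter_scripts(name: str) -> dict[str, list[str]]:
    """Group the letters of name by script, taken from the first word of the
    Unicode character name (e.g. 'CYRILLIC SMALL LETTER CHE' -> 'CYRILLIC')."""
    groups: dict[str, list[str]] = {}
    for ch in name:
        if ch.isalpha():
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            groups.setdefault(script, []).append(ch)
    return groups


def closest_expected(stem: str) -> tuple[str, float]:
    """Return the allowlisted stem most similar to stem and the similarity ratio (0..1)."""
    def ratio(candidate: str) -> float:
        return SequenceMatcher(None, stem.lower(), candidate.lower()).ratio()
    best = max(EXPECTED_INSTALLERS, key=ratio)
    return best, round(ratio(best), 2)


def assess_filename(name: str) -> dict:
    """Flag a filename that mixes scripts AND closely resembles a known installer
    name: the lure pattern described on this page. A single-script Cyrillic name
    is not flagged, so the check targets look-alikes rather than a language."""
    stem = name.rsplit(".", 1)[0]
    groups = letter_scripts(stem)
    mixed = len(groups) > 1
    lookalike, similarity = closest_expected(stem)
    return {
        "name": name,
        "mixed_script": mixed,
        "scripts": sorted(groups),
        "lookalike": lookalike,
        "similarity": similarity,
        "suspicious": mixed and similarity >= 0.8,  # threshold is an assumption
    }


if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(assess_filename(sample))
```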
