
Silver Fox Spreads ValleyRAT via Fake Teams Installer in China.

The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China.

SEO Poisoning and False Flag Tactic

The campaign, active since November 2025, uses search engine optimization (SEO) poisoning techniques combined with Microsoft Teams lures. The goal is to trick Chinese-speaking users, including those within Western organizations operating in China, into downloading a malicious setup file.

The malicious download ultimately leads to the deployment of ValleyRAT (Winos 4.0), a known remote access trojan associated with this Chinese cybercrime group. ReliaQuest researchers noted that the campaign uses a modified ValleyRAT loader containing Cyrillic elements, which is likely an intentional move to mislead attribution and frame the attack as Russian in origin. The use of Gh0st RAT variants like ValleyRAT is primarily attributed to Chinese hacking groups.

The use of Microsoft Teams for the SEO poisoning campaign marks a shift from prior efforts that leveraged other popular programs like Google Chrome, Telegram, and WPS Office to initiate the infection chain.

Infection Chain and Malware Deployment

The SEO campaign redirects users to a bogus website that features an option to download the supposed Teams software. In reality, a ZIP file named "MSTчamsSetup.zip" is retrieved from an Alibaba Cloud URL. The archive utilizes Russian linguistic elements to further confuse attribution efforts.

Inside the file is "Setup.exe," a trojanized version of Teams. This trojan is engineered to scan running processes for binaries related to 360 Total Security ("360tray.exe"), configure Microsoft Defender Antivirus exclusions, and write the trojanized Microsoft installer ("Verifier.exe") to the AppData\Local\ path and execute it.

The malware then stealthily loads a malicious DLL into the memory of rundll32.exe, a legitimate Windows process, to evade detection. The attack moves to the final stage by establishing a connection to an external server to fetch the final ValleyRAT payload, facilitating remote control.

ValleyRAT allows threat actors to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-term persistence within targeted networks. ReliaQuest notes that Silver Fox's objectives include financial gain through theft, scams, and fraud, alongside the collection of sensitive intelligence.

Overlapping ValleyRAT Attacks

This disclosure comes as Nextron Systems highlighted another ValleyRAT attack chain that uses a trojanized Telegram installer as the starting point. This second attack is notable for leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to load a kernel driver ("NSecKrnl64.sys") and terminate security solution processes.

This multi-stage installer sets a dangerous Microsoft Defender exclusion, deploys components, manipulates file permissions to resist cleanup, and sets up persistence through a scheduled task. This orchestration ultimately launches the ValleyRAT beacon, maintaining long-term access to the compromised system.
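As an added example (not code from the article, ReliaQuest or Nextron), the following PowerShell audit hunts on a single host for the artefacts both chains above leave behind: a Defender exclusion covering a user-writable path, an executable running from AppData\Local, a rundll32.exe whose parent runs from such a path, and a scheduled task whose action points into one. The set of "user-writable" path patterns is an assumption chosen for illustration, not an indicator published in the article.

```powershell
# Added defensive audit. Assumption: the chain writes and runs from paths like
# AppData\Local, so any Defender exclusion, process or task touching such a
# path is worth a look. Run from an elevated PowerShell to see all processes.
$UserWritable = '\\(AppData\\(Local|Roaming)|Temp|Users\\Public|ProgramData)\\'

function Test-UserWritablePath {
    param([string]$Path)
    return (-not [string]::IsNullOrEmpty($Path)) -and ($Path -match $UserWritable)
}

$findings = @()

# 1. Defender path/process exclusions that cover a user-writable location
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if (Test-UserWritablePath $p) {
        $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $p }
    }
}

# 2. Processes whose image lives under a user-writable path, plus rundll32.exe
#    instances whose parent does (the in-memory DLL stage described above)
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($pr in $procs) { $byPid[[int]$pr.ProcessId] = $pr }
foreach ($pr in $procs) {
    if (Test-UserWritablePath $pr.ExecutablePath) {
        $findings += [pscustomobject]@{ Check = 'ProcessFromUserPath'
                                        Detail = "$($pr.ProcessId) $($pr.ExecutablePath)" }
    }
    if ($pr.Name -ieq 'rundll32.exe') {
        $parent = $byPid[[int]$pr.ParentProcessId]
        if ($parent -and (Test-UserWritablePath $parent.ExecutablePath)) {
            $findings += [pscustomobject]@{ Check = 'Rundll32FromUserPath'
                                            Detail = "$($pr.CommandLine) <- $($parent.ExecutablePath)" }
        }
    }
}

# 3. Scheduled tasks whose action executes something from a user-writable path
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if (Test-UserWritablePath "$($a.Execute) $($a.Arguments)") {
            $findings += [pscustomobject]@{ Check = 'ScheduledTaskFromUserPath'
                                            Detail = "$($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)" }
        }
    }
}

$findings | Format-Table -AutoSize
```

Legitimate software also installs to AppData and registers tasks there, so each finding is a triage lead to check against the process tree and file reputation, not a verdict.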
