
The cybercriminal group known as Silver Fox has been identified running a “false flag” operation that imitates a Russian threat group. The tactic is meant to disguise attacks aimed at organizations in China.

The SEO poisoning campaign uses Microsoft Teams lures to trick unsuspecting users into downloading a malicious installer. That file eventually deploys ValleyRAT (Winos 4.0), malware associated with Chinese cybercrime groups. The activity has been under way since November 2025.

The Use of False Flags to Evade Attribution

ReliaQuest, the security research firm that discovered the campaign, notes that the attackers use Cyrillic elements in a modified ValleyRAT loader to throw off attribution. The campaign’s main targets are Chinese-speaking users, including employees of Western organizations with operations in China.

ValleyRAT, a variant of Gh0st RAT, allows attackers to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-term persistence on target networks. Importantly, the use of Gh0st RAT is mainly attributed to Chinese hacking groups.

Microsoft Teams Lure Infection Chain

The SEO poisoning campaign redirects users to a fake website offering a supposed Teams download. What is actually downloaded is a malicious ZIP file named “MSTчamsSetup.zip”, in which a Cyrillic “ч” stands in for the Latin “e” of “Teams”: a deliberate Russian-looking touch meant to confuse attribution.
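The mixed-script filename is the kind of thing a file-name allowlist or a simple string match will silently miss. The following Python script is an added example, not code from ReliaQuest or from the page: it flags filenames whose letters come from more than one Unicode script and reports the odd letters out, using only the standard library. The sample names other than “MSTчamsSetup.zip” are constructed for the demo.

```python
import unicodedata
from collections import Counter

# Constructed sample names for the demo; only "MSTчamsSetup.zip" comes from the report.
SAMPLE_NAMES = ["MSTчamsSetup.zip", "MSTeamsSetup.zip", "Setup.exe"]


def letter_script(ch):
    """Coarse script of a letter taken from its Unicode name ('LATIN', 'CYRILLIC', ...);
    None for digits, punctuation and other non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def scripts_used(name):
    """Count of letters per script in a filename."""
    return Counter(s for s in map(letter_script, name) if s)


def foreign_letters(name):
    """Letters whose script differs from the name's dominant script, as
    (index, char, unicode name) tuples. Empty for a single-script name."""
    counts = scripts_used(name)
    if len(counts) < 2:
        return []
    dominant = counts.most_common(1)[0][0]
    return [(i, ch, unicodedata.name(ch))
            for i, ch in enumerate(name)
            if letter_script(ch) not in (None, dominant)]


def is_mixed_script(name):
    """True when a filename mixes scripts, e.g. one Cyrillic letter inside a Latin name."""
    return bool(foreign_letters(name))


def scan(names):
    """Map each suspicious filename to the letters that make it suspicious."""
    return {n: foreign_letters(n) for n in names if is_mixed_script(n)}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_NAMES).items():
        print(f"{name!r}: mixed scripts {dict(scripts_used(name))}")
        for idx, ch, uname in hits:
            print(f"  position {idx}: {ch!r} is {uname}")
```

Run this over download directories or proxy logs and the Cyrillic “ч” at position 3 of the ZIP name stands out; a legitimate “MSTeamsSetup.zip” produces no hit. Names written entirely in one non-Latin script (a Chinese or Russian document title) are not flagged, which is the intended behaviour: the signal here is the mix, not the script.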

The detailed infection chain is as follows:

  • Initial Download: The user downloads “MSTчamsSetup.zip” from an Alibaba Cloud URL.
  • Execution of the Trojan: The ZIP file contains “Setup.exe”, a trojanized version of Teams. This executable scans running processes for “360tray.exe” (a component of 360 Total Security) and configures exclusions in Microsoft Defender Antivirus.
  • Component Deployment: The malware writes a trojanized version of the Microsoft installer “Verifier.exe” to “AppData\Local” and executes it.
  • Persistence and Evasion: The malware then writes further files, such as “AutoRecoverDat.dll”, and loads data from “Profiler.json” and “GPUcache.xml”. The malicious DLL is injected into the legitimate Windows process “rundll32.exe” to evade detection.
  • Final Payload: The attack culminates with a connection to an external server to fetch the final payload, giving the attacker remote control of the system.

Silver Fox Objectives and Associated Risks

Silver Fox’s objectives include obtaining financial gain through theft, scams and fraud, as well as collecting sensitive intelligence for geopolitical advantage. The false flag tactic allows the threat actor to operate discreetly and maintain plausible deniability of their actions.

Another Campaign with ValleyRAT: The Telegram and BYOVD Lure

Nextron Systems has documented another ValleyRAT attack chain that uses a trojanized Telegram installer as a starting point. This campaign also employs advanced techniques to evade security, highlighting the use of the Bring Your Own Vulnerable Driver (BYOVD) technique.

  • Component Deployment: The trojanized installer configures dangerous exclusions in Microsoft Defender and deploys a second-stage executable (“men.exe”) to the user’s public profile.
  • Security Bypass with BYOVD: “men.exe” is responsible for enumerating security processes, loading the vulnerable driver “NSecKrnl64.sys” via “NVIDIA.exe” and running ValleyRAT.
  • Privilege Escalation: The “bypass.exe” component facilitates a User Account Control (UAC) bypass for privilege escalation.
  • Advanced Persistence: Persistence is established through a scheduled task that executes an encoded VBScript (.vbe) file.
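Both chains leave the same kind of host-level traces: a Defender exclusion being added, “rundll32.exe” loading a DLL from a user-writable directory, a kernel driver loaded from outside “System32\drivers”, and “schtasks” creating a task whose action is a “.vbe” file. The Python below is an added detection example written for this page, not a rule set from ReliaQuest or Nextron; it runs four such rules over a handful of constructed Sysmon-style records modelled on the two chains (the records, the “alice” user and the task name are invented, and the driver name list holds only the “NSecKrnl64.sys” named above, which in production you would swap for a maintained vulnerable-driver list).

```python
import re

# Constructed Sysmon-style records modelled on the behaviours described for the two
# chains. They are illustrative, not telemetry from the ReliaQuest or Nextron reports.
EVENTS = [
    {"id": 1, "type": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Setup.exe",
     "CommandLine": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local"},
    {"id": 2, "type": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local"},
    {"id": 3, "type": "ImageLoad",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\AutoRecoverDat.dll"},
    {"id": 4, "type": "DriverLoad",
     "ImageLoaded": r"C:\Users\Public\NSecKrnl64.sys"},
    {"id": 5, "type": "ProcessCreate",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\Public\men.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "wscript.exe C:\Users\Public\update.vbe" /sc onlogon'},
    # Benign look-alikes the rules must not flag
    {"id": 6, "type": "ImageLoad",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"id": 7, "type": "DriverLoad",
     "ImageLoaded": r"C:\Windows\System32\drivers\nvlddmkm.sys"},
    {"id": 8, "type": "ProcessCreate",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "schtasks /query /fo LIST"},
]

# Directories a standard user can write to: Users\Public and <user>\AppData\{Local,Roaming}
USER_WRITABLE = re.compile(r"\\Users\\(?:Public|[^\\]+\\AppData\\(?:Local|Roaming))\\", re.I)
# Only the driver named in the report; replace with a maintained vulnerable-driver list in production
KNOWN_ABUSED_DRIVERS = {"nseckrnl64.sys"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(e):
    """Exclusion added via Add-MpPreference or written directly under the Exclusions key."""
    if e["type"] == "RegistryValueSet":
        return "\\windows defender\\exclusions\\" in e.get("TargetObject", "").lower()
    if e["type"] == "ProcessCreate":
        return re.search(r"Add-MpPreference\s+-Exclusion", e.get("CommandLine", ""), re.I) is not None
    return False


def rule_rundll32_user_writable_dll(e):
    """rundll32.exe loading a DLL from a user-writable path (AutoRecoverDat.dll in chain 1)."""
    return (e["type"] == "ImageLoad"
            and basename(e.get("Image", "")) == "rundll32.exe"
            and e.get("ImageLoaded", "").lower().endswith(".dll")
            and USER_WRITABLE.search(e["ImageLoaded"]) is not None)


def rule_driver_outside_system32(e):
    """Driver loaded from outside System32\\drivers, or a name on the abused-driver list (BYOVD)."""
    if e["type"] != "DriverLoad":
        return False
    path = e.get("ImageLoaded", "")
    in_drivers_dir = path.lower().startswith("c:\\windows\\system32\\drivers\\")
    return not in_drivers_dir or basename(path) in KNOWN_ABUSED_DRIVERS


def rule_schtasks_encoded_vbscript(e):
    """schtasks /create whose action runs an encoded VBScript (.vbe), the persistence in chain 2."""
    cmd = e.get("CommandLine", "")
    return (e["type"] == "ProcessCreate"
            and basename(e.get("Image", "")) == "schtasks.exe"
            and re.search(r"/create\b", cmd, re.I) is not None
            and re.search(r"\.vbe\b", cmd, re.I) is not None)


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "rundll32_user_writable_dll": rule_rundll32_user_writable_dll,
    "driver_outside_system32": rule_driver_outside_system32,
    "schtasks_encoded_vbscript": rule_schtasks_encoded_vbscript,
}


def run_rules(events):
    """Return (rule name, event id) for every rule that matches an event."""
    return [(name, e["id"]) for e in events for name, fn in RULES.items() if fn(e)]


if __name__ == "__main__":
    for name, eid in run_rules(EVENTS):
        print(f"{name}: event {eid}")
```

Events 1 to 5 each trip exactly one rule and the three benign records trip none. Two of the rules deserve a caveat: the Defender-exclusion rule will also fire on legitimate admin scripts, so it is best joined to the parent process (here a Setup.exe in Downloads) before alerting, and the driver rule catches the path but not a signed vulnerable driver dropped into the real drivers directory, which is why the name list matters.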

These two campaigns demonstrate Silver Fox’s sophistication in using Trojans, evasion techniques (including BYOVD and UAC bypass), and false flags to carry out its cyberespionage and cybercrime objectives.

References

  • ReliaQuest: Hayden Evans
  • Nextron Systems: Maurice Fielenbach
  • Malware: ValleyRAT (Winos 4.0), Gh0st RAT
  • Techniques: SEO poisoning, BYOVD (Bring Your Own Vulnerable Driver), UAC bypass