The threat actor known as Silver Fox has been running an SEO poisoning campaign since November 2025 that uses fake Microsoft Teams installers to target organisations in China, including Chinese-speaking staff at Western companies. ReliaQuest researcher Hayden Evans said the campaign intentionally incorporates Cyrillic elements in a modified loader to mislead attribution.
The campaign redirects users to a bogus website offering a Teams download. A ZIP archive named “MSTчamsSetup.zip” (note the Cyrillic “ч” in place of the Latin “e”) is retrieved from an Alibaba Cloud URL and contains “Setup.exe”, a trojanised Teams installer. Before dropping anything, it checks for “360tray.exe”, the process of 360 Total Security, an antivirus product widely used in China, and configures Microsoft Defender exclusions so that later stages are not scanned. It then writes a trojanised Microsoft installer, “Verifier.exe”, to the AppData\Local\ path and executes it.
The malware drops additional files such as AppData\Local\Profiler.json and AppData\Roaming\Embarcadero\AutoRecoverDat.dll, loads data from those files and injects a malicious DLL into the memory of the legitimate “rundll32.exe” process. It then connects to an external server to fetch the final payload, ValleyRAT, which gives the operators remote control of the host. ReliaQuest describes ValleyRAT as a variant of Gh0st RAT that can exfiltrate data, execute commands and maintain persistence.
ReliaQuest said Silver Fox appears motivated by financial gain through theft, scams and fraud, as well as the collection of sensitive intelligence for geopolitical advantage, and that the group’s use of false flags provides plausible deniability while allowing it to operate without direct government funding. Targets face risks including data breaches, financial losses and long-term compromise of systems.
Separately, Nextron Systems highlighted a related ValleyRAT chain that starts with a trojanised Telegram installer and uses a Bring Your Own Vulnerable Driver (BYOVD) technique to load “NSecKrnl64.sys”. Researcher Maurice Fielenbach said the second-stage orchestrator “men.exe” deploys its components under the public user profile, alters their permissions to resist cleanup, establishes persistence via a scheduled task that runs an encoded VBE script, uses a signed binary to load the vulnerable driver, and finally launches the ValleyRAT DLL.
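The behaviours described in both chains (the mixed-script archive name, Defender exclusions written by a user-level installer, the named stage files under AppData, rundll32.exe started without a DLL argument as an injection host, a scheduled task that runs a .vbe script, and a driver loaded from a user-writable directory) translate directly into hunting rules. The following is an added example written for this article, not code from ReliaQuest or Nextron Systems, and it runs over constructed, Sysmon-style events: the file, process and driver names come from the text, while the event layout, the user name, the VBE file name and the name of the signed loader binary are assumptions.

```python
"""Hunting rules for the ValleyRAT delivery chains described above.

Added example, not ReliaQuest's or Nextron's code. The event shape and
field names are assumptions; the indicators come from the article.
"""
import ntpath
import unicodedata

# Constructed telemetry modelled on the article. User name, VBE file name
# and the signed loader name ("loader.exe") are made up; everything else is
# named in the text. The last two events are benign controls.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\MSTчamsSetup\Setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Verifier.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Verifier.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Embarcadero\AutoRecoverDat.dll"},
    {"type": "registry_set", "image": r"C:\Users\alice\Downloads\MSTчamsSetup\Setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe", "parent": r"C:\Users\alice\AppData\Local\Verifier.exe"},
    {"type": "task_create", "image": r"C:\Users\Public\men.exe",
     "task_action": r"wscript.exe C:\Users\Public\update.vbe"},
    {"type": "driver_load", "image": r"C:\Users\Public\loader.exe",
     "driver": r"C:\Users\Public\NSecKrnl64.sys"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry_set", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Build"},
]

USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\users\\public\\")
DROPPED_NAMES = {"verifier.exe", "profiler.json", "autorecoverdat.dll"}


def scripts_in(text):
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in text, via character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def mixed_script_component(path):
    """First path component mixing Latin and Cyrillic letters (e.g. MSTчamsSetup), else None."""
    for part in path.replace("/", "\\").split("\\"):
        if {"LATIN", "CYRILLIC"} <= scripts_in(part):
            return part
    return None


def user_writable(path):
    """True for locations a standard user can write to (AppData, Downloads, Users\\Public)."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def rule_mixed_script_path(ev):
    for field in ("image", "target", "cmdline"):
        part = mixed_script_component(ev.get(field, ""))
        if part:
            return f"mixed Latin/Cyrillic name in {field}: {part}"
    return None


def rule_defender_exclusion(ev):
    # Exclusions written by a binary running from a user-writable directory, not by admin tooling.
    if (ev.get("type") == "registry_set"
            and "\\windows defender\\exclusions\\" in ev.get("key", "").lower()
            and user_writable(ev.get("image", ""))):
        return f"Defender exclusion written by {ev['image']}"
    return None


def rule_dropped_stage_file(ev):
    target = ev.get("target", "")
    if (ev.get("type") == "file_create"
            and ntpath.basename(target).lower() in DROPPED_NAMES and user_writable(target)):
        return f"known ValleyRAT stage file dropped: {target}"
    return None


def rule_rundll32_without_dll(ev):
    # rundll32.exe with no DLL/entry-point argument is a typical injection host.
    if (ev.get("type") == "process_create"
            and ntpath.basename(ev.get("image", "")).lower() == "rundll32.exe"
            and len(ev.get("cmdline", "").split()) < 2):
        return f"rundll32.exe started with no arguments by {ev.get('parent')}"
    return None


def rule_vbe_scheduled_task(ev):
    if ev.get("type") == "task_create" and ".vbe" in ev.get("task_action", "").lower():
        return f"scheduled task runs encoded VBScript: {ev['task_action']}"
    return None


def rule_byovd_driver_load(ev):
    drv = ev.get("driver", "")
    if ev.get("type") == "driver_load" and (
            ntpath.basename(drv).lower() == "nseckrnl64.sys" or user_writable(drv)):
        return f"driver loaded from user-writable path or known vulnerable driver: {drv}"
    return None


RULES = {
    "mixed_script_path": rule_mixed_script_path,
    "defender_exclusion": rule_defender_exclusion,
    "dropped_stage_file": rule_dropped_stage_file,
    "rundll32_no_args": rule_rundll32_without_dll,
    "vbe_scheduled_task": rule_vbe_scheduled_task,
    "byovd_driver_load": rule_byovd_driver_load,
}


def hunt(events):
    """Run every rule over every event and return (rule_name, detail) hits in order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The mixed-script check is the cheapest of these rules and the one that survives renaming of the other artefacts: a legitimate installer name never mixes Cyrillic and Latin letters, so any such component in a download path is worth a look regardless of which RAT follows. The Defender-exclusion and driver-load rules are gated on user-writable paths so that an administrator's PowerShell session or a vendor installer under Program Files does not trip them.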
Security researchers warn that victims may see what appears to be a normal installer while the payload stages drivers, tampers with defenses and establishes long-term access.

