Gh0st RAT
- Silver Fox uses fake Microsoft Teams installers in false-flag ValleyRAT campaign
Security researchers report that the Silver Fox group has run an SEO poisoning campaign since November 2025 that uses fake Microsoft Teams installers to deliver ValleyRAT to organisations in China; technical analysis from ReliaQuest and Nextron Systems details layered infection chains, false-flag indicators and the use of vulnerable drivers.
- Dragon Breath uses RONINGLOADER to deliver modified Gh0st RAT to Chinese-speaking users
Researchers say the Dragon Breath group used a multi-stage loader called RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users, employing signed drivers, WDAC policy changes, PPL abuse and multi-stage NSIS installers to evade security products and deploy remote access capabilities.


