Key Points:

  • The Chinese advanced persistent threat (APT) group "Silver Fox" has used false flags, such as Cyrillic characters, to impersonate a Russian threat group while launching a Microsoft Teams search engine optimization (SEO) poisoning campaign targeting organizations in China.

  • Silver Fox is deploying "ValleyRAT" malware to achieve two objectives: conducting state-sponsored espionage for sensitive intelligence and engaging in financial fraud and theft to fund its operations.

  • CISOs with global operations, especially those with offices in China, should proactively assess threats to international locations and implement the recommended mitigations to defend against Silver Fox, such as enabling logging of PowerShell and Rundll32 events.


ReliaQuest has assessed with high confidence that an ongoing search engine optimization (SEO) poisoning campaign impersonating Microsoft Teams is the work of the Chinese advanced persistent threat (APT) group “Silver Fox” (aka Void Arachne), despite false indicators suggesting a Russian threat actor. Active since November 2025, this campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified “ValleyRAT” loader containing Cyrillic elements—likely an intentional move to mislead attribution. Overlapping infrastructure with previous campaigns further indicates its ties to Silver Fox.

Organizations with Chinese-speaking employees, regardless of sector, face an elevated risk from this campaign. By impersonating a Chinese top-level domain (TLD), the attackers specifically target these users. Silver Fox poses a significant threat due to its dual mission: conducting state-sponsored espionage while engaging in cybercrime to fund operations. Silver Fox’s objectives include financial gain through theft, scams, and fraud, alongside the collection of sensitive intelligence for geopolitical advantage. Targets face immediate risks such as data breaches, financial losses, and compromised systems, while Silver Fox maintains plausible deniability, allowing it to operate discreetly without direct government funding. This campaign highlights Silver Fox's evolving tactics and continuous updates to ValleyRAT—a remote access trojan (RAT) historically associated with Chinese APT groups. ValleyRAT enables attackers to remotely control infected systems, exfiltrate sensitive data, execute arbitrary commands, and maintain long-term persistence within targeted networks.

In this report, we’ll detail the campaign and outline proactive steps your security team can take to defend against this threat. Here's what we'll cover:

  • Modifications to the ValleyRAT loader, including the addition of Russian linguistic elements and the use of XML and JSON files for binary data retrieval.

  • The infrastructure supporting this campaign and its connections to previous Silver Fox attacks.

  • An analysis of competing hypotheses (ACH) to explain how this campaign was attributed to Silver Fox.

  • Steps your organization can take to mitigate this threat and how ReliaQuest can support your defense efforts.

Bad Team Spirit: Inside the New SEO Poisoning Attack

This campaign introduces a modified ValleyRAT loader, starting with a ZIP file named “MSTчamsSetup.zip” that includes Cyrillic characters and an executable (see Figure 1) entirely in Russian. These elements are likely added to impersonate a Russian threat actor, mislead attribution, and confuse incident response efforts.

Figure 1: Verifier application in Russian

The Microsoft Teams Lure

Silver Fox, previously known for using SEO poisoning to impersonate applications like Telegram and Chrome, has shifted focus to a fake Microsoft Teams application and website in this campaign. The malware is hosted on the domain “teamscn[.]com,” which incorporates “cn” in a typo-squatting attack that specifically targets Chinese-speaking users (see Figure 2).

Figure 2: Fake Microsoft Teams website targeting Chinese-speaking users

In March 2025, the domain teamscn[.]com was updated with the HTML title “Teams downloads - Download the Microsoft Teams desktop and mobile apps” to impersonate a legitimate Microsoft Teams application, marking the campaign's initial creation. In early November 2025, the title was subtly changed again to remove the “s” in “downloads,” making it appear more authentic. Shortly after, infection attempts were observed, signaling the campaign's activation.

When the fake Teams software is downloaded, a ZIP file is delivered from the Alibaba Cloud storage location “shuangkg[.]oss-cn-hongkong[.]aliyuncs[.]com,” containing the ValleyRAT malware.

The ValleyRAT Execution Chain

The malicious ZIP file contains an executable named “Setup.exe,” a trojanized version of Microsoft Teams that, when executed, runs the following commands:

Command: cmd /c tasklist | findstr /I "360[Tt]ray\.exe"
Detail: Lists all running processes and searches for 360Tray.exe or 360tray.exe—components of 360 Total Security, a popular antivirus software in China developed by Qihoo 360 Technology. Malware often uses this tactic to identify active security tools and adjust its behavior, further demonstrating the campaign’s intention to target users located in China.

Command: powe""r""s""h""ell.exe -Ex""ec""uti""o""nPol""ic""y By""pa""s""s -C""om""ma""n""d Ad""d""- M""pPr""ef""ere""nce -Ex""cl""usion"" Path C:\, D:\,E:\,F:\
Detail: Modifies the Windows Defender exclusion list so antivirus software is prevented from scanning specified drive paths. By excluding entire drives, the malware ensures that its malicious files can execute without being flagged or removed by antivirus tools. The empty quote pairs ("") are dropped when the command line is parsed, so the command executes normally while evading simple string matching on “powershell” or “Add-MpPreference.”

Command: Verifier.exe
Detail: This file is written to the AppData\Local\ path and executed. It is a trojanized version of the Microsoft installer for the 32-bit C++ redistributable library, which is essential for running 32-bit applications. Notably, the application is in Russian (see Figure 1) and reads binary data from the file Profiler.json during execution.

Meanwhile, the Setup.exe program further complicates detection by mimicking legitimate software. It writes files to a directory named "Embarcadero," the name of a legitimate integrated development environment (IDE), and creates a genuine Microsoft Teams application and desktop shortcut to deceive users and security personnel.

Additional files are written to the following locations:

  • AppData\Local\Profiler.json

  • AppData\Roaming\Embarcadero\GPUCache2.xml

  • AppData\Roaming\Embarcadero\GPUCache.xml

  • AppData\Roaming\Embarcadero\AutoRecoverDat.dll

After creating the files on the device, the malware exhibits new behavior by loading binary data from the files Profiler.json and GPUCache.xml, and then executing the DllRegisterServer function within the malicious AutoRecoverDat.dll file. The DLL is invoked through rundll32.exe, a legitimate Windows process, using Binary Proxy Execution: the malicious Dynamic Link Library (DLL) file is loaded into the memory of rundll32.exe, so the malware blends into normal system operations, making detection more difficult.

The rundll32.exe process then establishes an outbound connection to the domain "Ntpckj[.]com" (IP address 134.122.128[.]131) over port 18852, a port previously observed in other ValleyRAT campaigns. This connection downloads the final payload, enabling the attacker to establish command and control (C2).

Figure 3: Evolved ValleyRAT infection chain

Organizations without sufficient security controls, such as EDR, Windows event logging, or PowerShell logging, are particularly vulnerable to this attack chain. Through the Binary Proxy Execution technique, the malware disguises itself as a trusted Windows process by loading malicious DLLs into rundll32.exe, avoiding detection in environments without proper monitoring of this rundll32 behavior. Additionally, PowerShell commands further weaken defenses by modifying antivirus exclusion paths, allowing the malware to remain undetected unless these modifications are monitored closely.
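
As an added example that is not part of the ReliaQuest report, the following Python script turns the behaviours described in the command table and in the rundll32 section above into detection rules and runs them over constructed sample events. The event field names (id, image, parent, cmdline, dest_ip, dest_port), the user name "alice" and the exact file paths are assumptions; the 360Tray check, the drive-root Defender exclusion, the quote-split command line, the AutoRecoverDat.dll,DllRegisterServer invocation and port 18852 come from the report.

```python
import re

# Constructed sample events (not telemetry from the campaign), shaped loosely
# like Windows 4688 (process creation), 4104 (PowerShell script block) and
# Sysmon Event ID 3 (network connection). Paths and the user name are invented.
SAMPLE_EVENTS = [
    {"id": 4688, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\Downloads\Setup.exe",
     "cmdline": r'cmd /c tasklist | findstr /I "360[Tt]ray\.exe"'},
    {"id": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\Setup.exe",
     # Quote-split form as reported above, without the spaces the page's
     # rendering inserted inside "Add-MpPreference" and "-ExclusionPath".
     "cmdline": 'powe""r""s""h""ell.exe -Ex""ec""uti""o""nPol""ic""y By""pa""s""s '
                '-C""om""ma""n""d Ad""d""-M""pPr""ef""ere""nce -Ex""cl""usion""Path '
                'C:\\, D:\\,E:\\,F:\\'},
    {"id": 4688, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Users\alice\AppData\Local\Verifier.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Embarcadero\AutoRecoverDat.dll,DllRegisterServer"},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe",
     "dest_ip": "134.122.128.131", "dest_port": 18852},
    # Benign noise that the rules must not flag.
    {"id": 4688, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-MpPreference"},
]

VALLEYRAT_C2_PORT = 18852  # port reported above for the rundll32 -> C2 connection


def deobfuscate(cmdline: str) -> str:
    """Collapse quote-splitting ('powe""r""shell') back to plain text.
    The empty "" pairs are dropped at parse time, so this is what actually ran."""
    return cmdline.replace('""', "")


def analyze_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, severity) findings for one event; empty list if clean."""
    findings = []
    image = ev.get("image", "").lower()
    raw = ev.get("cmdline", "")
    cmd = deobfuscate(raw).lower()

    # Obfuscation itself is a signal: legitimate tooling does not split
    # cmdlet names with empty quote pairs.
    if raw.count('""') >= 3:
        findings.append(("cmdline_quote_obfuscation", "medium"))

    # Stage 1: discovery of 360 Total Security (tasklist | findstr 360Tray).
    if "tasklist" in cmd and "findstr" in cmd and re.search(r"360(?:\[[a-z]+\]|[a-z])ray", cmd):
        findings.append(("av_discovery_360tray", "medium"))

    # Stage 2: Defender exclusion; excluding whole drive roots (C:\, D:\ ...) is high.
    if re.search(r"add-?\s*mppreference", cmd) and re.search(r"exclusion\s*path", cmd):
        drive_root = re.search(r"\b[a-z]:\\?\s*(?:,|$)", cmd)
        findings.append(("defender_exclusion_path", "high" if drive_root else "medium"))

    # Stage 3: rundll32 invoking DllRegisterServer on a DLL under a user profile.
    if image.endswith("rundll32.exe") and "dllregisterserver" in cmd and "\\appdata\\" in cmd:
        findings.append(("rundll32_dllregisterserver_userprofile", "high"))

    # Stage 4: rundll32 making an outbound connection; the reported C2 port is high,
    # any other rundll32 egress is still worth a look.
    if ev.get("id") == 3 and image.endswith("rundll32.exe"):
        sev = "high" if ev.get("dest_port") == VALLEYRAT_C2_PORT else "low"
        findings.append(("rundll32_outbound_connection", sev))

    return findings


def analyze(events: list[dict]) -> list[dict]:
    """Run every rule over a batch of events and keep only the hits."""
    hits = []
    for idx, ev in enumerate(events):
        findings = analyze_event(ev)
        if findings:
            hits.append({"event_index": idx, "image": ev.get("image"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit)
```

The Defender rule only fires because the command line is normalised first; matching the raw 4688/4104 text for "Add-MpPreference" would miss the quote-split form. In production the same logic maps onto the 4688 command line, the 4104 script block text and the Sysmon network event, and the parent process (Setup.exe, Verifier.exe) gives an extra pivot for triage.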

Behind the Ruse: Connecting the Dots to Silver Fox

Attribution of this campaign to Silver Fox highlights the group’s ongoing mission to target organizations in China for financial gain while deflecting blame to other threat actors. This tactic not only obscures the group’s involvement but also signals that such attacks will almost certainly continue. For organizations in targeted regions, knowing who is responsible, why the attack is occurring, and how it is being executed provides essential context for improving defenses.

Although the use of Cyrillic in this campaign is likely deliberate (it appears even in the ZIP filename), the following evidence links this campaign to Silver Fox and its previous operations:

  • A hash search of the website's background image (see Figure 2) uncovered 20 related domains. These domains previously hosted fake Telegram sites in March 2025, targeting Chinese-speaking users—activity consistent with a past Silver Fox campaign.

  • An investigation into C2 servers with the same open ports identified 18 additional servers, all hosted by CTG Server LTD, a provider previously used by Silver Fox in attacks.

The updated ValleyRAT malware demonstrates Silver Fox’s commitment to refining its techniques to deceive security personnel and researchers. These updates likely allow the group to execute financially motivated attacks with greater autonomy. Furthermore, the identification of additional C2 servers likely indicates a broader operation, suggesting the group’s plentiful resources and intent to sustain and expand future attacks.

Competing Hypotheses: Why Not Russia?

To evaluate whether Russian cybercriminals or nation-linked groups could be behind this campaign, we conducted an ACH. The results of our analysis strongly supported Silver Fox’s involvement, as demonstrated by the overlaps in infrastructure, links to previous campaigns, and the use of ValleyRAT malware. These findings provide high confidence in attributing the attack to Silver Fox, despite the group’s efforts to mislead attribution.

| Evidence | Silver Fox | Russian Ransomware Affiliate | Russian Nation-State Entity |
|---|---|---|---|
| Targeting Organizations in China | + | + | + |
| Use of ValleyRAT | ++ | -- | -- |
| Telegram SEO Poisoning | ++ | ++ | -- |
| Alibaba Cloud for Infrastructure | ++ | -- | -- |
| RunDLL32 Execution Proxy | ++ | ++ | ++ |
| Use of False Flags | - | - | ++ |
| Use of CTG Server LTD | ++ | -- | -- |

Key:

  • ++: Evidence strongly supports the hypothesis and is highly consistent with the threat cluster’s known behavior.

  • +: Evidence somewhat supports the hypothesis but is not definitive or conclusive.

  • -: Evidence weakly contradicts the hypothesis but does not strongly disprove it.

  • --: Evidence strongly contradicts the hypothesis and is highly inconsistent with the threat cluster’s known behavior.

Step Up Your Defenses Against Silver Fox

The following recommendations are tailored to help your organization identify and defend against Silver Fox’s attacks, while also providing mitigations against threats that use similar techniques.

ReliaQuest’s Approach

GreyMatter Discover: The ValleyRAT malware can exploit systems lacking sufficient logging, such as Windows event logs or PowerShell logging. GreyMatter Discover provides continuous visibility for log collection and alerting by identifying these vulnerable systems across your environment.

Agentic AI: ReliaQuest’s detection rules cover ValleyRAT’s techniques and, when combined with GreyMatter’s agentic AI, enable organizations to rapidly detect, contain, and respond to attacks by Silver Fox. This automation eliminates the delays associated with manual analysis, significantly improving response times and minimizing impact.

ReliaQuest’s detection rules are continuously updated to identify attacker behaviors and tactics.

Organizations can significantly reduce their mean time to contain (MTTC) by deploying detection rules alongside the GreyMatter Automated Response Playbooks below. By containing threats in minutes rather than hours, organizations minimize the risk of compromise from ValleyRAT.

  • Block Domain: When a suspicious file is downloaded from an SEO-poisoned domain and determined to be malicious, this Playbook enables GreyMatter’s agentic AI to autonomously block the domain before other employees can access it. Additionally, identified C2 domains can be proactively blocked to ensure attackers cannot establish communication with infected hosts.

  • Block Hash: If malware is identified within the environment, this Automated Response Playbook blocks the hash across the environment to ensure the malware cannot execute, even if redownloaded by an employee.

  • Isolate Host: When a host is detected executing a malicious file, this Playbook swiftly contains the threat by isolating the host from the rest of the network. This action prevents lateral movement and ensures attackers cannot continue their operations while remediation takes place.

Your Action Plan

To protect against Silver Fox and the ValleyRAT malware, implement the following tailored recommendations to strengthen your defenses:

  • Secure Against International Threats: For organizations with global operations, ensure systems in international offices—particularly those in China—are equipped with adequate logging and security tools. This ensures full visibility into localized threat activity and allows organizations to detect, analyze, and respond to region-specific attacks, including SEO poisoning and malware infections by groups like Silver Fox.

  • Reduce the Risk of SEO Poisoning: Deploy an employee self-service app catalog with pre-approved software for on-demand installation. Encourage employees to use this catalog to reduce the likelihood of downloading software from malicious domains impersonating legitimate applications, such as those used in Silver Fox campaigns.

  • Ensure Adequate Logging: Ensure Windows systems are logging process creation events with their command lines (Event ID 4688, which records the command line only when command-line auditing is enabled) and PowerShell Script Block Logging (Event ID 4104) to maintain full visibility into ValleyRAT’s infection chain for effective detection and response.

Key Takeaways and What’s Next

While headlines often spotlight high-profile threats like ransomware groups targeting North American organizations, lesser-known adversaries like Silver Fox can pose an equally significant risk, as regionally focused attacks can blindside security teams. Silver Fox’s latest campaign, marked by false flags and modifications to the ValleyRAT execution chain, is evidence of the group’s continuous evolution and ability to conduct region-specific attacks with precision.

For organizations with operations in China, the threat is clear: Silver Fox is unlikely to stop. With its expansive infrastructure and tailored strategies, the group’s campaigns can effectively and efficiently infiltrate and exploit organizations in the region. Now is the time to act—fortify international locations with robust security measures, including adequate logging and monitoring capabilities, to detect and respond to these stealthy, localized threats. Don’t let under-the-radar campaigns like this catch your security team off guard.

IOCs

| Artifact | Details |
|---|---|
| hxxp://teamscn[.]com | Domain Hosting ValleyRAT Download Link |
| hxxp://oss-cn-hongkong.aliyuncs[.]com | Alibaba Cloud Hosting ValleyRAT |
| f3ef04aaf5056651325789ffd75bbc7db8ae2becbb08150e2d4f6a5b545bab0a | MSTчamsSetup.zip |
| d73593469375120d2bdb403383777f2737bc2018e3976cf9eea8f029282d47ed | Setup.exe |
| 3cb7d1849918290a17fcfffd904ca832a9656de053eab88ae5817b211556373e | vcredist_x86.exe |
| 752fb04792f8a0de88226d69efd78126c26304754604347e3edcda831809ba2b | AutoRecoverDat.dll |
| 9e4571947cd34ff98e376efaa3e91957931733ca32e13953905f39b3492089f6 | GPUCache.xml |
| b73a3ab21ec8a4e0faf9b9c8b48c2ddc2821652a594a3ee38d84306f28537f4d | Profiler.json |
| hxxp://Ntpckj[.]com | C2 Server Domain |
| 134.122.128[.]131 | C2 Server |
| hxxp://teamszv[.]com | Related Domain |
| hxxp://binancegames[.]sb | Related Domain |
| hxxp://ppx-teams-down-app[.]pages[.]dev | Related Domain |
| hxxp://teams[.]geroman[.]comm | Related Domain |
| hxxp://6esygx[.]space | Related Domain |
| hxxp://qzjfxy[.]fun | Related Domain |
| hxxp://teams[.]telegramgwxz[.]com | Related Domain |
| hxxp://teams[.]telegramtgxz[.]com | Related Domain |
| hxxp://teams[.]telegramzwxz[.]com | Related Domain |
| hxxp://teams[.]plsgongmu[.]com | Related Domain |
| hxxp://teams[.]baoyingkeji[.]com | Related Domain |
| hxxp://teams[.]jqsnzp[.]com | Related Domain |
| hxxp://teams[.]chetanagarbatti[.]com | Related Domain |
| hxxp://teams[.]fjzwb[.]com | Related Domain |
| hxxp://teams[.]kensun4a[.]com | Related Domain |
| hxxp://teams[.]xclyd[.]com | Related Domain |
| hxxp://teams[.]hardepc[.]com | Related Domain |
| hxxp://teams[.]fin-tastikantioch[.]com | Related Domain |
| hxxp://teams[.]kkkgenieyesl[.]cn | Related Domain |
| hxxp://teams[.]cpeakem[.]com | Related Domain |
| 27.124.43[.]7 | Related Server |
| 27.124.43[.]4 | Related Server |
| 134.122.128[.]141 | Related Server |
| 134.122.128[.]143 | Related Server |
| 134.122.128[.]131 | Related Server |
| 143.92.63[.]190 | Related Server |
| 143.92.63[.]167 | Related Server |
| 143.92.63[.]147 | Related Server |
| 134.122.207[.]22 | Related Server |
| 134.122.207[.]20 | Related Server |
| 134.122.207[.]17 | Related Server |
| 43.226.125[.]112 | Related Server |
| 43.226.125[.]125 | Related Server |
| 43.226.125[.]124 | Related Server |
| 27.124.43[.]12 | Related Server |
| 137.220.135[.]86 | Related Server |
| 137.220.135[.]79 | Related Server |
| 137.220.135[.]74 | Related Server |
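
As an added example that is not part of the report, this Python snippet refangs a subset of the indicators from the table above, validates each indicator's type, de-duplicates the C2 address that the table lists twice, and sets the shared Alibaba Cloud regional endpoint aside for review rather than blanket blocking (the body names the specific bucket host, shuangkg[.]oss-cn-hongkong[.]aliyuncs[.]com, which is the safer block target). The indicator values and their labels are copied from the table; the grouping scheme and the SHARED_ENDPOINTS set are my own.

```python
import re

# IOC rows copied from the table above, kept defanged as published. The first
# hash keeps the space that page extraction inserted, to show normalisation.
IOC_ROWS = [
    ("hxxp://teamscn[.]com", "Domain Hosting ValleyRAT Download Link"),
    ("hxxp://oss-cn-hongkong.aliyuncs[.]com", "Alibaba Cloud Hosting ValleyRAT"),
    ("f3ef04aaf5056651325789ffd75bbc7db8ae2becbb 08150e2d4f6a5b545bab0a", "MSTчamsSetup.zip"),
    ("d73593469375120d2bdb403383777f2737bc2018e3976cf9eea8f029282d47ed", "Setup.exe"),
    ("hxxp://Ntpckj[.]com", "C2 Server Domain"),
    ("134.122.128[.]131", "C2 Server"),
    ("134.122.128[.]131", "Related Server"),  # listed twice in the table
    ("hxxp://teams[.]telegramgwxz[.]com", "Related Domain"),
    ("143.92.63[.]190", "Related Server"),
]

# Shared cloud endpoints that also carry legitimate traffic; my own list.
# The report names the bucket host shuangkg.oss-cn-hongkong.aliyuncs.com,
# which is the safer block target than the whole regional endpoint.
SHARED_ENDPOINTS = {"oss-cn-hongkong.aliyuncs.com"}

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
HOSTNAME = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], stray spaces) into its real form."""
    v = value.strip().lower()
    v = re.sub(r"^hxxps?://", "", v)
    v = v.replace("[.]", ".").rstrip("/")
    v = re.sub(r"\s+", "", v)  # rejoin hashes split by extraction
    return v


def classify(value: str) -> str:
    """Classify a refanged indicator; 'unknown' if it matches nothing."""
    if IPV4.match(value):
        return "ipv4"
    if SHA256.match(value):
        return "sha256"
    if HOSTNAME.match(value):
        return "domain"
    return "unknown"


def build_blocklist(rows: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group refanged, de-duplicated indicators by type. Shared endpoints are
    routed to 'review' instead of a block list."""
    out = {"domain": [], "ipv4": [], "sha256": [], "review": [], "unknown": []}
    for raw, _detail in rows:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "domain" and ioc in SHARED_ENDPOINTS:
            kind = "review"
        if ioc not in out[kind]:
            out[kind].append(ioc)
    return out


if __name__ == "__main__":
    for kind, values in build_blocklist(IOC_ROWS).items():
        print(kind, values)
```

Anything that lands in "unknown" (for example a hash that did not rejoin to 64 hex characters) should be checked by hand before it is pushed to a blocking control; the "review" bucket is the place for indicators that would otherwise block a whole cloud region.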

Editor's Note: The primary author of this campaign was Hayden Evans.