Fake Microsoft Teams website targeting Chinese-speaking users | Image: ReliaQuest
A cunning cyber-espionage campaign is targeting Chinese organizations with a twist of geopolitical deception. According to a new report from ReliaQuest, the Chinese Advanced Persistent Threat (APT) group known as “Silver Fox” (or Void Arachne) has launched a sophisticated SEO poisoning campaign that impersonates Microsoft Teams to distribute malware. But there is a catch: they are trying very hard to look Russian.
In a move designed to confuse security researchers and incident responders, Silver Fox has embedded distinct Russian linguistic elements into its attack chain. The malicious ZIP file delivered to victims is named МЅТчатѕSetup.zip, spelled with Cyrillic characters that mimic Latin letters, and the executable inside it is entirely in Russian.
ReliaQuest researchers assess that these “false flags, such as Cyrillic characters, [are likely] an intentional move to mislead attribution” and frame a Russian threat group for the intrusion.
The attack vector relies on Search Engine Optimization (SEO) poisoning. The group registered the lookalike domain teamscn[.]com, built to pass as a legitimate Chinese download portal for Microsoft Teams, and pushed it up the search rankings.
“Active since November 2025, this campaign targets Chinese-speaking users, including those within Western organizations operating in China,” the report states. By manipulating search results, the attackers ensure that employees looking for collaboration tools land on their malicious site instead of the official Microsoft portal.
Once a victim downloads and runs the fake installer, it deploys ValleyRAT, a potent Remote Access Trojan. The installation chain is staged to stay out of sight:
- Trojanized Installer: The Setup.exe file mimics a legitimate installation but silently executes malicious commands.
- Security Evasion: It scans for 360 Total Security (a popular Chinese antivirus) and uses PowerShell to add exclusion paths to Windows Defender, ensuring the malware can run uninterrupted.
- Proxy Execution: The malware relies on System Binary Proxy Execution (MITRE ATT&CK T1218.011), having the legitimate, signed Windows utility rundll32.exe load the malicious DLL AutoRecoverDat.dll so that the payload runs under a trusted process name and blends in with normal system activity.
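The three tells above (a Cyrillic/Latin mixed-script archive name, a PowerShell command that adds Windows Defender exclusions, and rundll32.exe being handed a DLL from a user-writable directory) translate directly into hunting rules. The Python script below is an added example, not code from the article or from ReliaQuest: it runs those checks over a handful of constructed Sysmon-style process-creation records embedded inline. Only the ZIP name and the DLL name AutoRecoverDat.dll come from the report; the user name, paths, parent chain and every command line are assumptions made up for the demo.

```python
"""Hunting checks for the Silver Fox / ValleyRAT delivery chain described above.

Added example, not code from the article or from ReliaQuest. The archive name
and the DLL name AutoRecoverDat.dll are quoted from the report; every path,
command line and event below is constructed for the demo.
"""
import re
import unicodedata

# Archive name quoted in the article: Cyrillic letters chosen to resemble Latin
# ones, followed by the Latin "Setup.zip".
SAMPLE_ZIP_NAME = "МЅТчатѕSetup.zip"

# Alphabets whose letters have look-alikes in one another. CJK + Latin is normal
# for the targeted user base, so it is deliberately not treated as suspicious.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}


def letter_scripts(name: str) -> set:
    """Return the Unicode script names of the letters in name.

    unicodedata.name() starts with the script, e.g. 'CYRILLIC CAPITAL LETTER EM'
    or 'LATIN SMALL LETTER S'; the first word is enough for this check.
    """
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ch.isalpha()}


def is_mixed_script(name: str) -> bool:
    """True when a filename mixes two or more of the confusable alphabets."""
    return len(letter_scripts(name) & CONFUSABLE_SCRIPTS) > 1


# Defender exclusion changes via PowerShell: -ExclusionPath, -ExclusionProcess,
# -ExclusionExtension and the abbreviated forms PowerShell accepts. Base64
# -EncodedCommand payloads must be decoded before this regex can see them.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion\w*", re.IGNORECASE | re.DOTALL
)

# rundll32 <dll>[,entry]; the DLL path may or may not be quoted.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"([^"]+?\.dll)"|(\S+?\.dll))', re.IGNORECASE
)

# Directories an unprivileged user (or an installer running as that user) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\"
    r"|\\ProgramData\\|\\Windows\\Temp\\|\\Temp\\",
    re.IGNORECASE,
)


def adds_defender_exclusion(cmdline: str) -> bool:
    """True when a command line adds a Windows Defender exclusion."""
    return EXCLUSION_RE.search(cmdline) is not None


def rundll32_user_writable_dll(cmdline: str):
    """Return the DLL path if rundll32 is given a DLL from a user-writable directory."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    dll = m.group(1) or m.group(2)
    return dll if USER_WRITABLE_RE.search(dll) else None


def scan_events(events):
    """Run both command-line rules over Sysmon-style process-creation records."""
    findings = []
    for ev in events:
        if adds_defender_exclusion(ev["cmdline"]):
            findings.append((ev["id"], "defender-exclusion-added"))
        if rundll32_user_writable_dll(ev["cmdline"]):
            findings.append((ev["id"], "rundll32-user-writable-dll"))
    return findings


# Constructed sample telemetry; the user name, paths and parent chain are assumptions.
SETUP_EXE = r"C:\Users\alice\Downloads\MSTeams\Setup.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "cmdline": f'"{SETUP_EXE}"'},
    {"id": 2, "parent": SETUP_EXE,
     "cmdline": r"powershell.exe -NoP -W Hidden -Command Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming"},
    {"id": 3, "parent": SETUP_EXE,
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\AutoRecoverDat.dll",Start'},
    # Benign control: a system DLL from System32 must not fire the rule.
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign control: reading Defender preferences is not a configuration change.
    {"id": 5, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -Command Get-MpPreference"},
]

if __name__ == "__main__":
    print("mixed-script archive name:", is_mixed_script(SAMPLE_ZIP_NAME))
    for ev_id, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {ev_id}: {rule}")
```

On a live host the same two questions are answered without parsing command lines: Get-MpPreference exposes the current ExclusionPath list, and Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log records every configuration change, added exclusions included. For the rundll32 rule, Sysmon Event ID 7 (image load) reports the DLL that was actually mapped and is more reliable than the command-line heuristic above.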
The payload serves a dual purpose. ReliaQuest notes that “Silver Fox is deploying ‘ValleyRAT’ malware to achieve two objectives: conducting state-sponsored espionage for sensitive intelligence and engaging in financial fraud and theft to fund its operations.”
Despite the Russian disguise, the digital breadcrumbs lead back to Silver Fox. ReliaQuest linked the infrastructure—specifically the background images and C2 servers hosted by CTG Server LTD—to previous campaigns run by the group.
The report warns that “organizations with Chinese-speaking employees, regardless of sector, face an elevated risk from this campaign.”