Silver Fox Microsoft Teams SEO poisoning campaign
Campaign
Summary
Hide ▲
Show ▼
The Silver Fox operation is using SEO poisoning and Microsoft Teams lures to deliver ValleyRAT to Chinese-speaking users in China, making the campaign an active access and persistence threat. The activity has been running since November 2025 and uses a fake Teams download path to trick users into installing malware. The false-flag setup also uses Cyrillic elements to complicate attribution and obscure the operator's identity. Successful infections can enable remote control, data theft, and long-term persistence inside targeted networks.
Related Happenings
Y2K Operators Millenium RAT social-engineering distribution campaign
Campaign
H score73
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Y2K Operators Millenium RAT social-engineering distribution campaign
CampaignAbout this happening: The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
H score36
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
CampaignAbout this happening: **Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Silver Fox South Asia phishing campaign
Campaign
H score34
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Silver Fox South Asia phishing campaign
CampaignAbout this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Timeline
-
04.12.2025 19:25 2 articles · 7mo ago
Silver Fox Microsoft Teams SEO poisoning campaign delivers ValleyRAT in China
Initial DisclosureSilver Fox is running a false-flag SEO poisoning campaign against organizations in China and Chinese-speaking users inside Western organizations operating in China, using bogus Microsoft Teams download pages to deliver ValleyRAT (Winos 4.0). The chain retrieves MSTчamsSetup.zip from an Alibaba Cloud URL, drops a trojanized Setup.exe, sets Microsoft Defender Antivirus exclusions, stages files such as Profiler.json and GPUCache.xml, injects the malware into rundll32.exe, and fetches a final payload for remote control. The activity has been underway since November 2025 and uses Cyrillic elements to complicate attribution.
Show sources
- Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China — thehackernews.com — 04.12.2025 19:25
- Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China — thehackernews.com — 04.12.2025 19:25