Silver Fox Microsoft Teams SEO poisoning campaign
Campaign
Summary
The Silver Fox operation is using SEO poisoning and Microsoft Teams lures to deliver ValleyRAT to Chinese-speaking users in China, making the campaign an active access and persistence threat. The activity has been running since November 2025 and uses a fake Teams download path to trick users into installing malware. The false-flag setup also uses Cyrillic elements to complicate attribution and obscure the operator's identity. Successful infections can enable remote control, data theft, and long-term persistence inside targeted networks.
Related Happenings
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Silver Fox South Asia phishing campaign
Campaign
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Malware Activity
First: 06.01.2026 14:13
Last: 06.01.2026 14:13
Sources 1
About this happening:
**SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...
APT24 BadAudio multi-delivery espionage campaign
Campaign
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
**APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
Russian-origin Ukraine web shell and LotL intrusion campaign
Campaign
First: 29.10.2025 13:51
Last: 29.10.2025 13:51
Sources 1
About this happening:
The **Russian-origin** campaign targeted **organizations in Ukraine** with **web shells**, **living-off-the-land tactics**, and dual-use tools to keep **persistent access** and st...
Timeline
04.12.2025 19:25
Silver Fox Microsoft Teams SEO poisoning campaign delivers ValleyRAT in China
Initial Disclosure
Silver Fox is running a false-flag SEO poisoning campaign against organizations in China and Chinese-speaking users inside Western organizations operating in China, using bogus Microsoft Teams download pages to deliver ValleyRAT (Winos 4.0). The chain retrieves MSTчamsSetup.zip from an Alibaba Cloud URL, drops a trojanized Setup.exe, sets Microsoft Defender Antivirus exclusions, stages files such as Profiler.json and GPUCache.xml, injects the malware into rundll32.exe, and fetches a final payload for remote control. The activity has been underway since November 2025 and uses Cyrillic elements to complicate attribution.
Sources:
- Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China — thehackernews.com — 04.12.2025 19:25