The cyber threat actor known as Silver Fox has been conducting a sophisticated false flag operation designed to impersonate a Russian hacking group, targeting organizations in China. The campaign leverages search engine optimization poisoning to lure users into downloading a malicious setup file that ultimately delivers ValleyRAT, also referred to as Winos 4.0, a malware variant tied to Chinese cybercrime activities. The attacks have been ongoing since November 2025 and are designed to mislead attribution while enabling remote control of infected systems.
According to ReliaQuest researcher Hayden Evans, the campaign focuses on Chinese-speaking users, including employees within Western organizations operating in China. The attack uses a modified ValleyRAT loader containing Cyrillic characters, indicating an intentional effort to disguise the actor’s origins. ValleyRAT, a derivative of Gh0st RAT, gives attackers the ability to exfiltrate sensitive data, execute arbitrary commands, and maintain persistent access on targeted networks. Unlike prior campaigns that used Google Chrome, Telegram, WPS Office, or DeepSeek as lures, this operation uses Microsoft Teams lures to initiate the infection chain.
The malicious campaign redirects users to a fake website claiming to offer Microsoft Teams software. In reality, victims download a ZIP file named “MSTчamsSetup.zip” from an Alibaba Cloud URL. The archive contains “Setup.exe,” a trojanized Teams installer programmed to scan for running security processes, configure Microsoft Defender exclusions, and execute a disguised Microsoft installer called “Verifier.exe.” The malware writes additional files to local and roaming AppData paths, loads them into memory via the Windows process rundll32.exe, and connects to external servers to fetch the final payload for remote control operations.
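To make the chain described above concrete from a detection standpoint, here is an added Python example (not from the article or from any vendor named in it) that flags two of its tells over constructed Sysmon-style events: a process running from a user-writable path adding a Windows Defender exclusion, and rundll32.exe loading a DLL staged under AppData. The event field names, user name and sample paths are assumptions.

```python
import re

# Constructed Sysmon-style events (simplified field names; an assumed schema,
# not any real exporter's). event_id 1 = process create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Users\alice\Downloads\Setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Setup.exe"},
    {"event_id": 13, "image": r"C:\Users\alice\Downloads\Setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
               r"\C:\Users\alice\AppData\Local"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Users\alice\AppData\Local\Verifier.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\stage.dll,Start"},
    # Benign control: rundll32 invoked normally by the shell.
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
APPDATA_DLL = re.compile(r"\\AppData\\(Local|Roaming)\\[^\s,]+\.dll", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.IGNORECASE)


def detect(events):
    """Return (rule_name, responsible_image) tuples for events matching a tell."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        # Tell 1: a binary under Downloads/AppData writes a Defender exclusion.
        # Legitimate installers under Program Files are deliberately out of scope.
        if (ev["event_id"] == 13
                and DEFENDER_EXCL.search(ev.get("target", ""))
                and USER_WRITABLE.search(image)):
            hits.append(("defender_exclusion_from_user_path", image))
        # Tell 2: rundll32.exe loading a DLL from AppData; report the parent
        # process, which in this chain is the staged installer.
        if (ev["event_id"] == 1
                and image.lower().endswith("\\rundll32.exe")
                and APPDATA_DLL.search(ev.get("cmdline", ""))):
            hits.append(("rundll32_appdata_dll", ev.get("parent", "")))
    return hits


if __name__ == "__main__":
    for rule, who in detect(SAMPLE_EVENTS):
        print(f"{rule}: {who}")
```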
Silver Fox is believed to pursue financial gain through theft, scams, and fraud while collecting sensitive intelligence for geopolitical purposes. Nextron Systems has highlighted a related attack chain using a trojanized Telegram installer that employs a Bring Your Own Vulnerable Driver (BYOVD) technique, further enabling malware execution and persistence. The orchestrator “men.exe” deploys additional components, sets up scheduled tasks, manipulates file permissions, and establishes long-term access using a VBE script to launch ValleyRAT through a vulnerable driver. Components like “bypass.exe” provide privilege escalation by bypassing Windows User Account Control.
Trend Micro has reported additional campaigns targeting job seekers with weaponized Foxit PDF readers distributed via ZIP attachments, signaling an expansion of the threat actor’s focus beyond Chinese-speaking users. These attacks rely on social engineering, using renamed executable files and sideloaded DLLs to run Python scripts that execute shellcode for ValleyRAT deployment. The malware operates stealthily, stages files, tampers with defenses, and maintains covert access to infected systems. The campaign demonstrates how Silver Fox combines deceptive lures, software exploitation, and sophisticated malware deployment to execute multi-stage operations targeting both organizations and individual users.