Endpoint/Device Security, Threat Intelligence, Malware

Silver Fox threat actor mimics Russian group in China attacks using ValleyRAT

Plain code with the word "cyberattack" in red.

A false flag operation by the threat actor Silver Fox, designed to mimic a Russian threat group, has been observed targeting organizations in China. This sophisticated SEO poisoning campaign utilizes Microsoft Teams lures to trick users into downloading malicious files, leading to the deployment of ValleyRAT, a malware associated with Chinese cybercrime, according to a recent report by The Hacker News.

The campaign, active since November 2025, targets Chinese-speaking users, including those in Western companies operating in China. Silver Fox employs modified ValleyRAT loaders with Cyrillic elements to mislead attribution. The malware, a variant of Gh0st RAT, allows remote system control, data exfiltration, and persistence. The attackers use SEO poisoning to redirect users to fake websites offering software downloads, such as a malicious "MSTчamsSetup.zip" file from an Alibaba Cloud URL. This ZIP contains a trojanized "Setup.exe" that targets security software, creates Microsoft Defender exclusions, and deploys ValleyRAT components. Recent variations also involve trojanized Telegram installers and weaponized Foxit PDF readers targeting job seekers, indicating a potential broadening of targets beyond Chinese-speaking users.

The observed tactics highlight the evolving nature of cyber threats, with actors increasingly using sophisticated deception techniques like false flag operations and exploiting user vulnerabilities, such as job seeker desperation. The reliance on legitimate software for infection chains and the use of advanced evasion methods like DLL sideloading and UAC bypasses underscore the need for robust endpoint security solutions and heightened user awareness. This activity also points to the ongoing challenges in attributing cyberattacks, necessitating improved threat intelligence sharing and collaborative defense strategies across industries and borders.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds