
Silver Fox Uses Russian Disguise to Spread ValleyRAT Across China

Eng. Donya Bino · 3 min read

For months, a threat actor calling itself Silver Fox has been quietly running a digital costume party, pretending to be a Russian hacking group while actually targeting organizations in China. It’s the cybersecurity equivalent of leaving someone else’s fingerprints at the crime scene, and Silver Fox is clearly enjoying the misdirection.

The operation relies on an SEO-poisoned website that offers a fake download of Microsoft Teams. Anyone who takes the bait doesn’t get a collaboration tool; they get ValleyRAT (Winos 4.0), a long-running favorite among Chinese cybercrime groups. Researchers at ReliaQuest noticed the installer sprinkled with Cyrillic text, a not-so-subtle attempt to push investigators toward the wrong conclusion.

ValleyRAT itself is a descendant of Gh0st RAT, a malware family that’s been around long enough to qualify for frequent flyer status in threat reports. Once inside a device, it can siphon data, run commands remotely, and generally act like it owns the place.

What makes this campaign interesting isn’t just the malware; it’s the delivery method. Earlier variants used lures based on Chrome, Telegram, WPS Office, and other common apps. This time, Silver Fox dressed up a ZIP file called “MSTчamsSetup.zip” as a Teams installer and hosted it on Alibaba Cloud. Inside is a trojanized setup file that checks for security software, tweaks Microsoft Defender rules, and drops a modified version of a Microsoft installer into the user’s AppData folder.

From there, the infection chain becomes a tidy little assembly line. Config files are dropped. A malicious DLL gets injected into rundll32.exe to blend in. And once the groundwork is done, the malware phones home for its final payload, ready to provide remote access.

ReliaQuest believes the group is chasing both money and intelligence, which is a polite way of saying they’ll take whatever they can get: data, credentials, financial information, or access they can later sell or leverage. By hiding behind a faux Russian identity, Silver Fox buys itself a bit of deniability.

A separate analysis from Nextron Systems uncovered a different ValleyRAT infection path that starts with a trojanized Telegram installer. This one leans on a Bring Your Own Vulnerable Driver (BYOVD) trick to load NSecKrnl64.sys, kill off security tools, and clear the way for the payload. The infection chain includes a second-stage orchestrator, men.exe, which drops additional components, adjusts file permissions to make removal harder, and sets up persistence via a scheduled task that launches an encoded script.

Among the items deployed is bypass.exe, a tool for sidestepping User Account Control and elevating privileges. It’s the sort of thing that would make any system administrator sigh deeply.
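Both delivery chains above (the fake Teams installer and the trojanized Telegram installer) leave behaviours a defender can look for: the lure archive landing on disk, a Defender exclusion being added, rundll32.exe loading a DLL out of AppData, the NSecKrnl64.sys driver being loaded, men.exe or bypass.exe executing, and a scheduled task that launches an encoded script. The script below is an added detection example written for this article; it is not ReliaQuest’s or Nextron’s tooling. It runs the checks over a handful of constructed, Sysmon-style event records (the event IDs, field names, file paths and the icacls /deny heuristic are assumptions, and the base64 string is a meaningless placeholder).

```python
"""Detection checks for the ValleyRAT delivery behaviours this article describes.

Added example, not ReliaQuest's or Nextron's tooling. Events are modelled on a
simplified Sysmon schema (1 = process create, 6 = driver load, 7 = image load,
11 = file create); the field names and the sample records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Component names taken from the article.
LURE_ARCHIVE = "MSTчamsSetup.zip"   # Cyrillic 'ч' in place of 'e', as reported
DROPPED_DRIVER = "NSecKrnl64.sys"
STAGE_TWO = "men.exe"
UAC_BYPASS = "bypass.exe"

# -e / -enc / -EncodedCommand followed by a long base64 run.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
DEFENDER_EXCLUSION = re.compile(r"(?i)Add-MpPreference\s+-Exclusion")
APPDATA = re.compile(r"(?i)\\AppData\\")


@dataclass
class Event:
    event_id: int
    image: str = ""          # process that performed the action
    command_line: str = ""
    image_loaded: str = ""   # DLL or driver path for event 6/7
    target: str = ""         # file path for event 11


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> List[str]:
    """Return the article-derived indicators a single event matches."""
    hits: List[str] = []
    name = _basename(ev.image)
    if ev.event_id == 11 and _basename(ev.target) == LURE_ARCHIVE.lower():
        hits.append("lure_archive_written")
    if ev.event_id == 1:
        if name in (STAGE_TWO, UAC_BYPASS):
            hits.append(f"known_component:{name}")
        if DEFENDER_EXCLUSION.search(ev.command_line):
            hits.append("defender_exclusion_added")
        if name == "schtasks.exe" and ENCODED_PS.search(ev.command_line):
            hits.append("scheduled_task_encoded_script")
        # Assumption: the "adjusts file permissions" step is done with icacls /deny.
        if name == "icacls.exe" and "/deny" in ev.command_line.lower():
            hits.append("file_permission_denial")
    if ev.event_id == 7 and name == "rundll32.exe" and APPDATA.search(ev.image_loaded):
        hits.append("rundll32_loads_appdata_dll")
    if ev.event_id == 6 and _basename(ev.image_loaded) == DROPPED_DRIVER.lower():
        hits.append("byovd_driver_load")
    return hits


def triage(events: List[Event]) -> tuple[str, List[str]]:
    """Correlate per-event hits into a host verdict.

    Thresholds are an assumption for illustration: one hit is worth a look,
    three distinct indicators strongly resemble the chain described above.
    """
    found = sorted({h for ev in events for h in classify(ev)})
    if len(found) >= 3:
        return "likely_valleyrat_chain", found
    if found:
        return "suspicious", found
    return "clean", found


# Constructed telemetry, not captured data.
SAMPLE_EVENTS = [
    Event(11, image=r"C:\Program Files\Browser\browser.exe",
          target=r"C:\Users\alice\Downloads\MSTчamsSetup.zip"),
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming"'),
    Event(7, image=r"C:\Windows\System32\rundll32.exe",
          image_loaded=r"C:\Users\alice\AppData\Roaming\Sample\stage.dll"),
    Event(6, image="System", image_loaded=r"C:\Users\alice\AppData\Local\Temp\NSecKrnl64.sys"),
    Event(1, image=r"C:\Users\alice\AppData\Local\Temp\men.exe", command_line="men.exe"),
    Event(1, image=r"C:\Windows\System32\schtasks.exe",
          command_line='schtasks.exe /create /tn Updater /tr "powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"'),
    # Benign activity that must not fire.
    Event(7, image=r"C:\Windows\System32\rundll32.exe",
          image_loaded=r"C:\Windows\System32\shell32.dll"),
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -Command Get-Process"),
]

if __name__ == "__main__":
    verdict, indicators = triage(SAMPLE_EVENTS)
    print(verdict)
    for indicator in indicators:
        print(" -", indicator)
```

Run on its own, the script reports the constructed host as a likely ValleyRAT chain with six distinct indicators, while the two benign records (rundll32.exe loading shell32.dll from System32, and an ordinary PowerShell command) produce nothing. The point of the correlation step is that any single indicator, such as rundll32.exe loading a DLL, is noisy in isolation; it is the combination of staging, defence tampering, and persistence on one host that matches the chain the analysts describe.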

As Nextron’s Maurice Fielenbach puts it, the installer looks completely normal on the outside. Behind the curtain, though, it’s staging files, disabling protections, and planting a ValleyRAT beacon that allows long-term access.

Silver Fox may not be the most famous threat actor out there, but the combination of false flag theatrics and technically competent malware delivery suggests they’re aiming to make a name for themselves, while making sure the blame lands elsewhere.

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067