Threat Actors Poison SEO to Spread Fake Microsoft Teams Installer

The Chinese advanced persistent threat (APT) group Silver Fox (also known as Void Arachne) has launched a sophisticated search engine optimization (SEO) poisoning campaign targeting Chinese-speaking employees at organizations worldwide.

The campaign distributes a counterfeit Microsoft Teams installer laced with ValleyRAT malware, while employing Cyrillic characters and Russian-language elements as deliberate false flags to mislead attribution efforts away from Chinese threat actors.

According to threat intelligence firm ReliaQuest, the campaign has been active since November 2025.

It demonstrates Silver Fox’s dual operational objectives: conducting state-sponsored espionage to collect sensitive intelligence and engaging in cybercrime operations to fund their activities.

The group’s targeting strategy focuses explicitly on Chinese-speaking users through typosquatting domains and localized social engineering tactics designed to evade detection by regional security tools.

The SEO Poisoning Attack

Silver Fox previously leveraged SEO poisoning to distribute fake versions of Telegram and Chrome browsers.

Fake Microsoft Teams website targeting Chinese-speaking users.

This latest iteration builds on that playbook by impersonating Microsoft Teams through the domain “teamscn[.]com,” which appends “cn” (evoking China’s .cn top-level domain) to the product name in a deliberate typosquatting attack targeting Chinese users.

The malicious website was established in March 2025 with the HTML title “Teams downloads – Download the Microsoft Teams desktop and mobile apps,” and in early November received subtle modifications before infection attempts intensified.

When users download what they believe to be the legitimate Microsoft Teams application, they instead receive a trojanized ZIP file named “MSTчamsSetup.zip” (note the Cyrillic “ч” in place of a Latin letter) that contains the ValleyRAT malware, hosted on Alibaba Cloud infrastructure at “shuangkg[.]oss-cn-hongkong[.]aliyuncs[.]com.”
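A filename such as “MSTчamsSetup.zip” stands out only if something looks for it. The following Python check is an added example, not code from the article or from ReliaQuest: it flags names that mix Cyrillic (or any other non-Latin) letters into otherwise Latin text, which is the signal a download log, mail gateway or proxy log could key on. The sample names are constructed for the example; the first is the lure filename quoted above.

```python
from __future__ import annotations

import unicodedata
from typing import List, NamedTuple


class ScriptFinding(NamedTuple):
    position: int
    char: str
    codepoint: str
    script: str


def char_script(ch: str) -> str:
    """Return a coarse script bucket for one character, taken from the first
    word of its Unicode name (e.g. "CYRILLIC SMALL LETTER CHE" -> "CYRILLIC").
    Digits, punctuation and other non-letters are bucketed as "COMMON"."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def non_latin_letters(text: str) -> List[ScriptFinding]:
    """List every letter whose script is not Latin, with its position and code point."""
    findings = []
    for i, ch in enumerate(text):
        script = char_script(ch)
        if script not in ("LATIN", "COMMON"):
            findings.append(ScriptFinding(i, ch, f"U+{ord(ch):04X}", script))
    return findings


def is_mixed_script(text: str) -> bool:
    """True when letters from more than one script appear in the same name.
    A wholly Cyrillic or wholly Latin name is not mixed; a Latin name with a
    single Cyrillic letter dropped in is."""
    scripts = {char_script(ch) for ch in text if ch.isalpha()}
    return len(scripts) > 1


def report(names: List[str]) -> List[dict]:
    """Summarise a batch of filenames or decoded hostnames, e.g. from a proxy or mail log."""
    return [
        {
            "name": n,
            "mixed_script": is_mixed_script(n),
            "foreign_letters": [
                f"{f.char} ({f.codepoint}, {f.script}) at {f.position}"
                for f in non_latin_letters(n)
            ],
        }
        for n in names
    ]


# Constructed sample: the first name is the lure filename quoted in the article
# (Cyrillic CHE in place of a Latin letter); the others are benign comparisons.
SAMPLE_NAMES = ["MSTчamsSetup.zip", "MSTeamsSetup.zip", "setup.exe"]

if __name__ == "__main__":
    for row in report(SAMPLE_NAMES):
        print(row)
```

The check deliberately treats a wholly non-Latin name (a Chinese or Russian filename, say) as normal; it is the mixing of scripts inside one name that is the anomaly, and the per-character report gives an analyst the exact code point to pivot on.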

This infrastructure choice further demonstrates Silver Fox’s operational focus on Chinese targets and organizations operating within China’s geographic boundaries.

Deceptive Execution Chain

The malware execution chain begins with Setup.exe, which immediately performs reconnaissance to identify active security software.

The malware specifically checks for the processes 360Tray.exe and 360tray.exe, components of 360 Total Security, an antivirus product widely deployed in China.

This detection mechanism exemplifies the campaign’s precision targeting and suggests attackers have detailed knowledge of their intended victims’ security posture.

Once reconnaissance completes, the malware executes obfuscated PowerShell commands that add entire drive volumes (C:, D:, E:, F:) to the Windows Defender exclusion list, effectively blinding the antivirus to all subsequent malicious activity on those volumes.
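Whole-volume Defender exclusions are a loud signal once PowerShell Script Block Logging (Event ID 4104) is on. The following is an added detection example, not from the article or from ReliaQuest: it takes ScriptBlockText values, decodes a base64 `-EncodedCommand` payload when one is present, collects every `-ExclusionPath` argument, and grades the block “high” if any path is a drive root. The sample script blocks are constructed for the example and are not indicators from the campaign.

```python
import base64
import re
from typing import Dict, List

# PowerShell is case-insensitive, so every pattern uses re.IGNORECASE.
# -ExclusionPath followed by one or more (possibly quoted, comma-separated) values,
# running up to the next parameter or the end of the line.
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+(.+?)(?=\s+-|$)", re.IGNORECASE)
# -EncodedCommand and its short forms carry a base64-encoded UTF-16LE script.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A drive root (C:, C:\ or C:\*) excludes the whole volume from scanning.
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:(?:\\\*?)?")


def deobfuscate(text: str) -> str:
    """Return the decoded script when the line carries an -EncodedCommand payload,
    otherwise the text unchanged. Malformed base64 is left as-is rather than raising."""
    m = ENCODED_RE.search(text)
    if not m:
        return text
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text


def extract_exclusion_paths(script: str) -> List[str]:
    """Collect every path passed to -ExclusionPath (Add-MpPreference or Set-MpPreference)."""
    paths: List[str] = []
    for m in EXCLUSION_RE.finditer(script):
        for raw in m.group(1).split(","):
            path = raw.strip().strip("'\"")
            if path:
                paths.append(path)
    return paths


def is_drive_root(path: str) -> bool:
    return DRIVE_ROOT_RE.fullmatch(path.strip()) is not None


def assess_script_block(script_block_text: str) -> Dict[str, object]:
    """Grade one 4104 ScriptBlockText value: 'high' for a whole-volume exclusion,
    'medium' for any other Defender path exclusion, 'none' otherwise."""
    decoded = deobfuscate(script_block_text)
    paths = extract_exclusion_paths(decoded)
    roots = [p for p in paths if is_drive_root(p)]
    severity = "high" if roots else ("medium" if paths else "none")
    return {"decoded": decoded, "exclusion_paths": paths,
            "drive_root_exclusions": roots, "severity": severity}


def encode_for_powershell(script: str) -> str:
    """UTF-16LE then base64, the -EncodedCommand wire format; used here only to build a sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample ScriptBlockText values, not indicators from the campaign.
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionPath "C:\\" -ExclusionPath "D:\\"',
    "Set-MpPreference -ExclusionPath 'E:\\','F:\\'",
    'Add-MpPreference -ExclusionPath "C:\\Program Files\\Vendor\\app"',
    "Get-Process | Where-Object { $_.Name -eq 'notepad' }",
    "powershell.exe -EncodedCommand "
    + encode_for_powershell('Add-MpPreference -ExclusionPath "C:\\","D:\\","E:\\","F:\\"'),
]

if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        result = assess_script_block(block)
        print(result["severity"], result["drive_root_exclusions"])
```

Decoding before matching matters: without it the encoded variant never contains the string `ExclusionPath` and slips past a plain keyword search. The “medium” grade for narrower exclusions is there so that legitimate software deployments, which do add specific folders, can be reviewed rather than alerted on at the same level as a whole drive.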

The infection chain then deploys a trojanized version of the Microsoft C++ redistributable installer, with its interface displayed entirely in Russian, which reads binary data from JSON configuration files before executing the malicious payload.

Critical to the attack’s stealth capabilities, the malware leverages Binary Proxy Execution by loading malicious DLL files into rundll32.exe, a legitimate Windows process.

Evolved ValleyRAT infection chain.

This technique disguises the malware as trusted system activity, enabling it to establish command-and-control connections to “Ntpckj[.]com” (134.122.128[.]131) over port 18852 while remaining invisible to organizations without comprehensive endpoint detection and response (EDR) solutions or PowerShell event logging.
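rundll32.exe is a legitimate binary, so the detection opportunity is in what it loads and where the process then connects. The following is an added example, not code from the article or from ReliaQuest: a small correlation over process-creation events (Event ID 4688 with command-line auditing) and network-connection events that flags rundll32 loading a module from a user-writable directory or without a .dll extension, and raises the severity when the same PID connects to a known indicator or an unusual port. The 134.122.128[.]131:18852 indicator is the one named above; the PIDs, paths and the 203.0.113.10 address in the sample telemetry are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Command-line shape: [dir\]rundll32[.exe] <module>,<entrypoint>; the module may be quoted.
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))\s*,\s*(\S+)',
    re.IGNORECASE,
)
# Directories an ordinary user can write to; a module loaded from here by rundll32 is unusual.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
STANDARD_PORTS = {80, 443}
# Indicator named in the article; any other address here would be an assumption.
KNOWN_C2_IPS: Set[str] = {"134.122.128.131"}


@dataclass
class ProcessEvent:
    """Subset of Event ID 4688 fields (constructed for this example)."""
    pid: int
    image: str
    command_line: str


@dataclass
class NetworkEvent:
    """Subset of a network-connection event (Sysmon EID 3 or WFP 5156 style), constructed."""
    pid: int
    dest_ip: str
    dest_port: int


@dataclass
class Finding:
    pid: int
    reasons: List[str]
    severity: str


def parse_rundll32(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (module path, entry point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command_line.strip())
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def module_reasons(module: str) -> List[str]:
    reasons = []
    if USER_WRITABLE_RE.search(module):
        reasons.append("module loaded from user-writable path")
    if not module.lower().endswith(".dll"):
        reasons.append("module lacks .dll extension")
    return reasons


def network_reasons(conns: List[NetworkEvent], known_c2: Set[str]) -> List[str]:
    reasons = []
    for c in conns:
        if c.dest_ip in known_c2:
            reasons.append(f"connection to known indicator {c.dest_ip}:{c.dest_port}")
        elif c.dest_port not in STANDARD_PORTS:
            reasons.append(f"outbound connection on non-standard port {c.dest_port}")
    return reasons


def detect(procs: List[ProcessEvent], conns: List[NetworkEvent],
           known_c2: Set[str] = KNOWN_C2_IPS) -> List[Finding]:
    """Correlate each rundll32 process creation with that PID's network connections."""
    by_pid: Dict[int, List[NetworkEvent]] = {}
    for c in conns:
        by_pid.setdefault(c.pid, []).append(c)
    findings = []
    for p in procs:
        parsed = parse_rundll32(p.command_line)
        if parsed is None:
            continue  # not rundll32; out of scope for this rule
        reasons = module_reasons(parsed[0]) + network_reasons(by_pid.get(p.pid, []), known_c2)
        if reasons:
            findings.append(Finding(p.pid, reasons, "high" if len(reasons) > 1 else "medium"))
    return findings


# Constructed sample telemetry: PIDs, paths and the 203.0.113.10 address are invented.
SAMPLE_PROCESSES = [
    ProcessEvent(3900, r"C:\Users\alice\Downloads\MSTeams\Setup.exe", r"Setup.exe"),
    ProcessEvent(4120, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\rundll32.exe C:\Users\alice\AppData\Local\Temp\MSTeams\config.dat,Start"),
    ProcessEvent(5000, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(6100, r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\Updater\helper.dll",Run'),
]
SAMPLE_CONNECTIONS = [
    NetworkEvent(4120, "134.122.128.131", 18852),
    NetworkEvent(6100, "203.0.113.10", 443),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f.pid, f.severity, "; ".join(f.reasons))
```

The known-indicator match is the brittle part of the rule and will age out as infrastructure rotates; the behavioural conditions (module location, extension, unusual destination port) are what keep catching new iterations. Legitimate uses of rundll32 with non-.dll modules, such as .cpl control panel applets, will need an allow-list before this runs in production.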

Mitigations

Organizations with employees in China or Chinese-speaking staff face elevated risk from this campaign and should implement proactive defensive measures.

Security teams should enable Windows Event ID 4688 (process creation, with command-line auditing turned on so the full command line is recorded) and Event ID 4104 (PowerShell Script Block Logging) to maintain complete visibility into ValleyRAT’s infection chain.

Deploying employee self-service software catalogs with pre-approved applications reduces the probability of users downloading software from malicious domains impersonating legitimate vendors.

For organizations with global operations, particularly those maintaining offices in China, comprehensive security assessments of international locations should become immediate priorities.

Implementing adequate logging, EDR solutions, and detection rules specifically tuned for ValleyRAT behaviors and Binary Proxy Execution techniques will significantly reduce mean time to contain and minimize operational impact from Silver Fox campaigns.
