Concise Cyber


Silver Fox Group Targets China with ValleyRAT via Fake Microsoft Teams Installer

A China-based cyber-espionage group known as Silver Fox has been identified distributing the ValleyRAT malware by using a trojanized installer for Microsoft Teams. The campaign specifically targets government, education, and telecommunication sector organizations within China.

The threat actor, also tracked as APT-C-45, operates by luring victims to a counterfeit website that impersonates the official Microsoft Teams download page. Visitors who download the installer from this malicious site receive a file that initiates a complex infection chain designed to deploy the remote access trojan (RAT) without detection.

Deceptive Distribution and Infection Chain

The attack vector relies on a technique known as DLL side-loading. The fake installer, a 64-bit executable, drops a legitimate Microsoft Teams application (Teams.exe) alongside a malicious dynamic-link library (DLL) file named msedge_elf.dll into the same directory.

When the user runs the legitimate Teams.exe, the Windows DLL search order finds the malicious msedge_elf.dll in the application's own directory and loads it in place of the legitimate system version. The malicious DLL then decrypts the primary payload, the ValleyRAT malware, and executes it directly in the system's memory. Because the payload never lands on disk as a standalone executable, this method helps the malware evade security software that might otherwise flag a direct executable.
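The side-loading pattern described above leaves a recognisable trace in image-load telemetry: an unsigned DLL loaded from the same directory as the host executable, outside the usual install roots. The following detection script is an added example written for this summary; it is not code from the article or from Zscaler's research. The log format (pipe-separated key=value fields named after Sysmon Event ID 7 attributes), the trusted-root list and all sample events are constructed assumptions, and the third sample event simply mirrors the Teams.exe / msedge_elf.dll pairing the article describes.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records.

Added example: not from the Concise Cyber article or Zscaler ThreatLabz.
Log format, field names and every sample line below are constructed.
"""
from collections import namedtuple

ImageLoad = namedtuple("ImageLoad", "image image_loaded signed signature")

# Assumed trusted install roots (lower-cased, trailing backslash). Tune per site.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events in an assumed 'key=value|key=value' line format.
# Line 1: normal system DLL load.  Line 2: the real msedge_elf.dll loaded by
# Edge from its install directory.  Line 3: the side-loading pattern from the
# article, a downloaded Teams.exe loading an unsigned msedge_elf.dll beside it.
SAMPLE_LOG = """\
Image=C:\\Program Files\\Microsoft\\Teams\\Teams.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|Signature=Microsoft Windows
Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|ImageLoaded=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_elf.dll|Signed=true|Signature=Microsoft Corporation
Image=C:\\Users\\victim\\Downloads\\TeamsSetup\\Teams.exe|ImageLoaded=C:\\Users\\victim\\Downloads\\TeamsSetup\\msedge_elf.dll|Signed=false|Signature=
"""


def parse_line(line):
    """Parse one 'Key=Value|Key=Value' record into an ImageLoad tuple."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false"),
        signature=fields.get("Signature", ""),
    )


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def _dirname(path):
    """Directory part of a Windows path, lower-cased, with trailing backslash."""
    return path.rsplit("\\", 1)[0].lower() + "\\"


def is_sideload_candidate(ev):
    """True when the DLL sits beside its host EXE, outside trusted roots, unsigned.

    All three conditions together describe the article's pattern: a legitimate
    host binary dropped into an attacker-chosen directory next to a DLL that
    shadows a library the host expects to find elsewhere.
    """
    loaded_dir = _dirname(ev.image_loaded)
    same_dir_as_host = loaded_dir == _dirname(ev.image)
    in_trusted_root = loaded_dir.startswith(TRUSTED_ROOTS)
    unsigned = ev.signed.strip().lower() != "true"
    return same_dir_as_host and not in_trusted_root and unsigned


def find_sideload_candidates(text):
    """Return the parsed events that match the side-loading heuristic."""
    return [ev for ev in parse_log(text) if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for ev in find_sideload_candidates(SAMPLE_LOG):
        print(f"ALERT side-load candidate: {ev.image} loaded {ev.image_loaded}")
```

Only the third sample record is flagged: the Edge load of the genuine msedge_elf.dll is excluded because it comes from a trusted root and carries a valid signature. The heuristic will also fire on legitimate software installed under a user profile, so the trusted-root list is the knob to tune before deploying it as an alert.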

ValleyRAT Malware Capabilities

ValleyRAT is a remote access trojan that provides attackers with significant control over an infected system. Research from Zscaler ThreatLabz, which attributed the campaign to Silver Fox, confirmed its capabilities. The malware can establish a connection with a command-and-control (C2) server using a custom binary protocol over a TCP socket.

Documented functions of ValleyRAT include:

  • Executing arbitrary commands on the infected device.
  • Managing system files and processes.
  • Exfiltrating sensitive data and files.
  • Capturing screenshots of the user’s desktop.
  • Terminating its own process to erase traces.

The campaign highlights Silver Fox’s focus on domestic espionage within China, using social engineering tactics that leverage trusted and widely used business software as a disguise for malware delivery.

Source: https://thehackernews.com/2025/12/silver-fox-uses-fake-microsoft-teams.html