A Chinese state-linked hacking group is running a search engine optimisation campaign that mimics Microsoft Teams downloads and attempts to shift blame towards Russian attackers, according to new research by cybersecurity company ReliaQuest.
The group, known as Silver Fox and also tracked as Void Arachne, is using a modified version of the ValleyRAT remote access trojan in an ongoing operation against Chinese-speaking users. The activity affects staff in Western organisations with operations in China as well as domestic Chinese targets.
ReliaQuest assesses with high confidence that Silver Fox is behind the campaign. The conclusion rests on overlaps in infrastructure with previous attacks and the continued use of ValleyRAT, which security researchers have long associated with Chinese advanced persistent threat groups.
False clues within the malware aim to misdirect investigators. The infection chain includes Cyrillic characters in the file name "MSTчamsSetup.zip" and a Russian-language executable, as well as measures that resemble the tradecraft of Russian cyber actors and are designed as a false flag.
Fake Teams downloads
The attackers use search engine optimisation techniques to push a fake Microsoft Teams download site higher in results for users searching for the collaboration software. The site is hosted on the domain "teamscn[.]com". The name includes "cn" in a typo-squatting move intended to appeal to Chinese-speaking users who assume a link to China-focused services.
The domain's HTML title initially matched legitimate Teams download wording, then shifted slightly. ReliaQuest says infection attempts followed soon after these changes, indicating an activation phase for the campaign.
When victims download the fake software, they receive a ZIP archive from an Alibaba Cloud storage address. The archive contains a trojanised installer named "Setup.exe" that impersonates the Microsoft Teams installation process.
The executable first looks for signs of 360 Total Security, a widely used Chinese antivirus product, by scanning for the process "360Tray.exe". It then issues obfuscated PowerShell commands that alter Windows Defender exclusion lists and remove large sections of the file system from antivirus scanning.
Setup.exe also drops an additional file, "Verifier.exe", into the user's local application data directory. This installer is based on a legitimate Microsoft Visual C++ redistributable component and runs in Russian. It reads binary data from a local file named "Profiler.json".
ValleyRAT upgrade
The malware writes further files into an "Embarcadero" directory, which borrows its name from a recognised software development environment. It also installs a functional copy of Microsoft Teams and a desktop shortcut.
ReliaQuest says this behaviour gives the appearance of a successful Teams installation. Security staff who check the endpoint see a working application, while the malware executes in the background.
The attackers load binary data from "Profiler.json" and "GPUCache.xml" and then trigger the DllRegisterServer function within a file named "AutoRecoverDat.dll". The operation uses a technique sometimes called binary proxy execution. The DLL runs within "rundll32.exe", a legitimate Windows process, allowing malicious activity to blend into routine system operations.
The compromised "rundll32.exe" process contacts the domain "Ntpckj[.]com" over port 18852. The server delivers the final ValleyRAT payload and establishes command-and-control communications with the attacker's infrastructure.
ValleyRAT enables remote control of infected machines. Attackers can exfiltrate data, run arbitrary commands and maintain persistence inside the target network.
Espionage and fraud
ReliaQuest links Silver Fox to a dual mandate of state-directed espionage and financially motivated activity. The group steals information with potential geopolitical value and commits fraud and theft to fund its operations.
Previous Silver Fox activity includes SEO poisoning that impersonated Telegram and other popular applications for Chinese-speaking users. A hash search of images from the fake Teams site identified a cluster of at least 20 domains that previously hosted bogus Telegram pages. These domains formed part of a campaign in early 2025.
Researchers also found 18 additional command-and-control servers with similar open ports hosted by CTG Server, a provider that Silver Fox used in earlier attacks. ReliaQuest says this infrastructure reuse strengthens the attribution.
In a structured analysis of competing hypotheses, ReliaQuest compared the evidence against the possibility of Russian ransomware affiliates or Russian state-linked units being responsible. ValleyRAT use, Alibaba Cloud infrastructure and CTG Server hosting all weighed against a Russian origin and aligned with Silver Fox's known operations.
Global exposure
The campaign focuses on Chinese-speaking staff within global organisations. That includes Western multinationals with offices, partners or supply chains in China, and firms in sectors that may not typically see themselves as primary targets for nation-state actors.
ReliaQuest warns that organisations with limited endpoint detection, Windows event logging or PowerShell logging face higher exposure. The use of rundll32.exe and legitimate-looking installers reduces the chance that traditional antivirus products detect the activity.
Security teams are urged to verify that Windows systems record command-line activity and PowerShell script blocks. They can then monitor for suspicious rundll32 behaviour and for changes to antivirus exclusion lists.
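As an added illustration of the monitoring described here (it is not code from the ReliaQuest report), the following Python checks process-creation events for the two behaviours the article describes: rundll32.exe invoking DllRegisterServer on a DLL in a user-writable path, and PowerShell altering Windows Defender exclusion lists, including when the command is passed via -EncodedCommand. The events, paths and user name are constructed sample values, not indicators from the report.

```python
import base64
import re

# Directories an installer can write to without admin rights; a DLL loaded by
# rundll32 from here is worth a closer look than one under System32.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)
# Cmdlets that add to or overwrite Defender exclusion lists.
EXCLUSION_CMDLETS = re.compile(r"(Add|Set)-MpPreference\s+.*-Exclusion(Path|Process|Extension)", re.I)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a base64 UTF-16LE script.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# Constructed events in Sysmon Event ID 1 / Security 4688 style (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\sample\Downloads\Setup.exe",
     "CommandLine": r'rundll32.exe "C:\Users\sample\AppData\Local\Embarcadero\AutoRecoverDat.dll",DllRegisterServer'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\sample\Downloads\Setup.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + base64.b64encode(
         "Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\rundll32.exe",       # benign control-panel launch
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def decode_powershell(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so rules can match it."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " ; DECODED: " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # not valid base64 / not UTF-16LE: leave the line as logged
        return cmdline


def classify(event):
    """Return the names of the detections triggered by one process-creation event."""
    hits = []
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    if image.endswith("rundll32.exe") and "dllregisterserver" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("rundll32_dllregisterserver_user_path")
    if image.endswith("powershell.exe") and EXCLUSION_CMDLETS.search(decode_powershell(cmd)):
        hits.append("defender_exclusion_change")
    return hits


def scan(events):
    """Run every event through classify() and return (event index, detection) pairs."""
    return [(i, hit) for i, e in enumerate(events) for hit in classify(e)]
```

Both rules depend on command-line logging being present in the process-creation event, which is why the report's first recommendation is to confirm that 4688 includes command lines (or that Sysmon is deployed) before tuning any detections.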
The report also advises the use of approved software catalogues, so that employees download applications from vetted portals rather than searching the wider web, which reduces opportunities for SEO poisoning.
ReliaQuest says companies operating across multiple jurisdictions should review security configurations in overseas offices and ensure consistent logging and monitoring.