Chinese hackers fake Teams downloads in false flag ploy

A recent investigation by cybersecurity firm ReliaQuest has unveiled a sophisticated campaign orchestrated by a Chinese state-linked hacking group known as Silver Fox, also referred to as Void Arachne. This group is employing search engine optimization (SEO) tactics to create a counterfeit Microsoft Teams download site, cleverly designed to mislead users and divert suspicion towards Russian cyber actors.

Fake Teams Downloads

The attackers are manipulating search engine results to elevate a fraudulent Microsoft Teams download site, hosted on the domain “teamscn[.]com”. This domain name cleverly incorporates “cn” in a typo-squatting strategy, targeting Chinese-speaking users who might assume a connection to legitimate services. Initially, the site’s HTML title mirrored authentic Teams download language, but it has since been subtly altered. ReliaQuest notes that infection attempts quickly followed these modifications, marking a clear activation phase for the operation.

Upon attempting to download the fake software, victims receive a ZIP archive from an Alibaba Cloud storage address. This archive contains a trojanized installer labeled “Setup.exe”, which masquerades as the Microsoft Teams installation process. The executable first checks for the presence of 360 Total Security, a popular antivirus solution in China, by scanning for the process “360Tray.exe”. Subsequently, it executes obfuscated PowerShell commands to modify Windows Defender exclusion lists, effectively shielding large portions of the file system from antivirus scrutiny.

In addition, “Setup.exe” drops another file, “Verifier.exe”, into the user’s local application data directory. This installer, based on a legitimate Microsoft Visual C++ redistributable component, operates in Russian and reads binary data from a local file named “Profiler.json”.

ValleyRAT Upgrade

The malware further populates an “Embarcadero” directory, borrowing its name from a well-known software development environment. It also installs a functional version of Microsoft Teams along with a desktop shortcut, creating the illusion of a successful installation. Security personnel inspecting the endpoint would see a working application while the malware operates discreetly in the background.

The malware then extracts binary data from “Profiler.json” and “GPUCache.xml” and invokes the DllRegisterServer export of a file named “AutoRecoverDat.dll”. This is the binary proxy execution technique: the malicious DLL runs inside the legitimate “rundll32.exe” process, so its activity is camouflaged as routine system operations.

The compromised “rundll32.exe” process establishes communication with the domain “Ntpckj[.]com” over port 18852, facilitating the delivery of the final ValleyRAT payload and enabling command-and-control interactions with the attackers’ infrastructure. ValleyRAT grants remote access to infected machines, allowing the perpetrators to exfiltrate sensitive data, execute arbitrary commands, and maintain a persistent presence within the target network.

Espionage and Fraud

ReliaQuest connects Silver Fox to a dual agenda of state-sponsored espionage and financially motivated activities. The group not only pilfers information with potential geopolitical significance but also engages in fraud and theft to sustain its operations. Previous endeavors by Silver Fox have included SEO poisoning campaigns that impersonated popular applications like Telegram, specifically targeting Chinese-speaking users. A hash search of images from the counterfeit Teams site revealed a network of at least 20 domains previously associated with fake Telegram pages, part of a broader campaign initiated in early 2025.

Moreover, researchers identified 18 additional command-and-control servers with similar open ports, hosted by CTG Server, a provider utilized by Silver Fox in past attacks. This reuse of infrastructure bolsters the attribution to the group.

In a thorough analysis of competing hypotheses, ReliaQuest evaluated the evidence against the possibility of Russian ransomware affiliates or state-linked units being responsible for the attacks. The use of ValleyRAT, Alibaba Cloud infrastructure, and CTG Server hosting all pointed away from a Russian origin, aligning instead with Silver Fox’s established operations.

Global Exposure

This campaign primarily targets Chinese-speaking personnel within global organizations, including Western multinationals with operations, partnerships, or supply chains in China, as well as firms in sectors that may not typically consider themselves prime targets for nation-state actors. ReliaQuest cautions that organizations lacking robust endpoint detection, Windows event logging, or PowerShell logging face heightened vulnerability. The use of rundll32.exe and seemingly legitimate installers diminishes the likelihood of detection by conventional antivirus solutions.

Security teams are advised to ensure that Windows systems log command-line activity and PowerShell script blocks, enabling them to monitor for suspicious rundll32 behavior and alterations to antivirus exclusion lists. Additionally, the report recommends utilizing approved software catalogs, encouraging employees to download applications from vetted portals rather than conducting broader web searches, thus mitigating opportunities for SEO poisoning.
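As an added illustration, not taken from the ReliaQuest report, the following Python triage applies the article's recommended checks to a handful of constructed Windows event records: rundll32 loading a DLL from a user-writable path or invoked with DllRegisterServer from a non-system parent (Security 4688 process creation), and PowerShell script blocks that add Defender exclusions (PowerShell 4104). File paths and the user name are placeholders.

```python
import re

# Constructed sample events (not from the report), reduced to the fields the
# checks need: two 4688 process-creation records and two 4104 script blocks.
SAMPLE_EVENTS = [
    {"id": 4688, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Users\alice\Downloads\Setup.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Embarcadero\AutoRecoverDat.dll",DllRegisterServer'},
    {"id": 4688, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 4104, "script": r"Add-MpPreference -ExclusionPath 'C:\' -ExclusionProcess 'Setup.exe'"},
    {"id": 4104, "script": "Get-MpPreference | Select-Object ExclusionPath"},
]

# Directories from which rundll32 is normally launched by trusted parents.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Locations a standard user can write to; a DLL loaded from here is suspect.
USER_WRITABLE = re.compile(r"\\(appdata|users\\[^\\]+\\(downloads|desktop)|programdata|temp)\\", re.I)
# "rundll32.exe <dll>,<export>" with or without quotes around the DLL path.
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
# Add-/Set-MpPreference with any -Exclusion* parameter changes Defender scope.
EXCLUSION_CHANGE = re.compile(r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)


def check_rundll32(ev):
    """Return findings for a 4688 record whose image is rundll32.exe."""
    findings = []
    if not ev["image"].lower().endswith(r"\rundll32.exe"):
        return findings
    m = DLL_ARG.search(ev["cmdline"])
    if m:
        dll, export = m.group(1), m.group(2)
        if USER_WRITABLE.search(dll):
            findings.append(f"rundll32 loads DLL from user-writable path: {dll}")
        if export.lower() == "dllregisterserver":
            findings.append(f"DllRegisterServer export invoked on {dll}")
    parent_dir = ev["parent"].lower().rsplit("\\", 1)[0]
    if parent_dir not in SYSTEM_DIRS:
        findings.append(f"rundll32 spawned by non-system parent: {ev['parent']}")
    return findings


def check_script_block(ev):
    """Return findings for a 4104 script block that alters Defender exclusions."""
    m = EXCLUSION_CHANGE.search(ev["script"])
    return [f"Defender exclusion modified via {m.group(0)}"] if m else []


def triage(events):
    """Index every event that produced at least one finding."""
    hits = []
    for i, ev in enumerate(events):
        f = check_rundll32(ev) if ev["id"] == 4688 else check_script_block(ev)
        if f:
            hits.append((i, f))
    return hits
```

Because an obfuscated command line can hide the DLL argument, 4104 script-block logging and the 4688 parent/child relationship are checked independently rather than relying on the command line alone.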

ReliaQuest emphasizes the importance for companies operating across various jurisdictions to review security configurations in their overseas offices, ensuring consistent logging and monitoring practices are in place.
