Silver Fox Conducts False-Flag ValleyRAT SEO Campaign

Security researchers report that the Silver Fox threat actor is running a false-flag SEO poisoning campaign, using Microsoft Teams lures to distribute ValleyRAT to Chinese-speaking targets since November 2025. ReliaQuest and Nextron Systems describe a multistage chain: a trojanized Teams installer retrieved from an Alibaba Cloud URL, Cyrillic artifacts to mislead attribution, Defender exclusions, and in-memory DLL loading to establish persistent remote control. The campaign heightens risks of data theft and fraud.
Key Points
- Deploys an SEO-poisoning Microsoft Teams lure to deliver ValleyRAT payloads since November 2025
- Uses Cyrillic elements and Alibaba Cloud hosting to create a false flag mimicking a Russian threat group
- Infects systems, disables defenses, and enables long-term remote control, increasing data-exfiltration and fraud risks
Scoring Rationale
Detailed technical analysis and multiple vendor reports support severity; limited novelty and primarily regional, security-focused relevance reduces broader impact.
