Silver Fox’s Russian Ruse: ValleyRAT Used in Fake Microsoft Teams Attack

Source: reliaquest.com/blog/thre…

ReliaQuest assesses with high confidence that a current search engine optimisation poisoning campaign impersonating Microsoft Teams is operated by the Chinese advanced persistent threat group Silver Fox (also known as Void Arachne), despite deliberate indicators meant to suggest Russian involvement. The campaign has been active since November 2025 and targets Chinese-speaking users, including those working for Western organisations inside China.

Attackers are distributing a modified ValleyRAT loader containing Cyrillic artefacts, likely added to obscure attribution. Infrastructure overlaps with past Silver Fox activity reinforce the connection. The campaign poses elevated risk to any organisation employing Chinese-speaking staff. Attackers use a spoofed Chinese top-level domain to increase credibility and reach the intended demographic.

Silver Fox carries out both state-sponsored espionage and financially motivated cybercrime, pursuing intelligence collection, fraud and theft. Targets face risks including data breaches, financial loss and long-term system compromise. ValleyRAT, a remote access trojan historically linked to Chinese APT groups, enables remote control, data exfiltration, arbitrary command execution and persistent access. The report outlines the campaign details and recommended defensive actions for security teams.
Edward Kiledjian
@ekiledjian