A sophisticated cyber campaign is actively exploiting search engine optimization (SEO) results to distribute a malicious installer disguised as Microsoft Teams, a tactic designed to ensnare organizations. This ongoing operation, identified as active since November 2025, utilizes counterfeit Microsoft Teams websites to trick users into downloading a trojanized application. This installer then deploys a malware known as “ValleyRAT,” which grants attackers remote control over compromised systems, facilitating sensitive data theft, command execution, and persistent network infiltration.
The attack chain commences when individuals searching for Microsoft Teams are redirected to a malicious domain through manipulated search engine rankings. The specific domain, teamscn[.]com, is a typosquatted URL crafted to target Chinese-speaking users. Security analysts at ReliaQuest have identified the threat actors as the Chinese advanced persistent threat (APT) group “Silver Fox.” This group appears to have a dual objective, engaging in both state-sponsored espionage and financially motivated cybercrime.
The choice of a fake Microsoft Teams installer is strategically significant. Given the widespread adoption of Microsoft Teams for collaboration within corporate environments, the likelihood of unsuspecting users downloading and executing the malicious file is considerably higher. This widespread use makes it a highly effective vector for compromising a broad range of organizational networks.
Threat Actors Poison SEO Results to Attack Organizations
A key element of this malicious campaign involves deceptive tactics to obfuscate attribution. The malware loader incorporates Cyrillic characters and elements of the Russian language. This is a deliberate “false flag” technique, intended to mislead security researchers and investigators into believing the attack originates from Russian threat actors. Such misdirection aims to complicate incident response and investigations.
However, ReliaQuest security researchers have linked the campaign to the “Silver Fox” group with a high degree of confidence. Their assessment is based on observed overlaps between the campaign’s infrastructure and previously documented attacks attributed to this Chinese APT group. The intentional misdirection is a calculated effort to hinder attribution and slow down defensive measures, allowing the attackers more time to achieve their objectives within target networks.
Infection and Evasion Mechanisms Employed
The infection process is a multi-stage operation meticulously designed to circumvent security measures and deceive end-users. It begins with the download of a ZIP archive, typically named MSTчamsSetup.zip (note the Cyrillic “ч” standing in for the “e” of “Teams”). This archive contains a trojanized executable file, labeled Setup.exe. Upon execution, this file initiates several actions to compromise the target system.
Initially, the malware checks for the presence of “360 Total Security,” a popular antivirus solution, particularly within China. Following this check, it employs a PowerShell command to add exclusions for the C:, D:, E:, and F: drives within Windows Defender. Because the exclusions cover entire drive roots, the built-in antivirus effectively stops scanning anything stored on those drives, creating a blind spot for detection.
The command used for this exclusion is:
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath C:, D:,E:,F:
Subsequently, the malware executes a component named Verifier.exe. This is a trojanized but legitimate-appearing Microsoft installer, presented to the user in Russian. This application then proceeds to read binary data from a file named Profiler.json. This mechanism allows the attackers to dynamically load additional malicious payloads or configurations.
To finalize the deception, the malware installs a genuine version of Microsoft Teams and creates a familiar desktop shortcut. This user experience leads victims to believe the installation was successful and legitimate, while the malicious payload operates covertly in the background. The attackers maintain persistent access and can exfiltrate data or conduct further malicious activities undetected.
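Two of the behaviors described above leave telemetry that can be hunted for: a Defender exclusion added for a bare drive root via Add-MpPreference, and an archive name that mixes Latin and Cyrillic letters. The following triage script is an added example, not code from the original report or from ReliaQuest; the process-creation records it scans are constructed samples in a hypothetical pipe-delimited format, not real logs.

```python
import re
import unicodedata

# Constructed sample telemetry (not from the original report), one process-creation
# record per line: "<host>|<parent image>|<image>|<command line>".
SAMPLE_EVENTS = """\
WS01|Setup.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath C:, D:,E:,F:
WS02|explorer.exe|powershell.exe|powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\\Builds\\agent'
WS03|svchost.exe|MsMpEng.exe|MsMpEng.exe
WS01|explorer.exe|7zG.exe|7zG.exe x C:\\Users\\u\\Downloads\\MSTчamsSetup.zip
WS02|explorer.exe|7zG.exe|7zG.exe x C:\\Users\\u\\Downloads\\MSTeamsSetup.zip
"""

# A bare drive letter such as "C:" or "D:\" excludes the whole volume from scanning.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")

def exclusion_paths(cmdline: str) -> list[str]:
    """Return the paths given to Add-MpPreference -ExclusionPath, or [] if absent."""
    m = re.search(r"Add-MpPreference\s+.*?-ExclusionPath\s+(.+?)(?:\s+-\w|$)", cmdline, re.I)
    if not m:
        return []
    # PowerShell splits the argument on commas; quotes and spaces are cosmetic.
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]

def drive_root_exclusions(cmdline: str) -> list[str]:
    """Only whole-drive exclusions are flagged; a narrow path (e.g. a build dir) is not."""
    return [p for p in exclusion_paths(cmdline) if DRIVE_ROOT.match(p)]

def mixed_script(name: str) -> bool:
    """True when a file name contains both Latin and Cyrillic letters (homoglyph lure)."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            uname = unicodedata.name(ch, "")
            scripts.add("CYRILLIC" if uname.startswith("CYRILLIC") else
                        "LATIN" if uname.startswith("LATIN") else "OTHER")
    return {"LATIN", "CYRILLIC"} <= scripts

def triage(events: str) -> list[tuple[str, str]]:
    """Scan pipe-delimited records and return (host, finding) pairs worth an analyst's time."""
    findings = []
    for line in events.splitlines():
        host, parent, _image, cmd = line.split("|", 3)
        roots = drive_root_exclusions(cmd)
        if roots:
            findings.append((host, f"drive-root Defender exclusion {','.join(roots)} spawned by {parent}"))
        for token in cmd.split():
            fname = token.replace("\\", "/").rsplit("/", 1)[-1]
            if mixed_script(fname):
                findings.append((host, f"mixed-script file name {fname}"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` returns two findings, both on WS01: the whole-drive exclusion launched from Setup.exe and the MSTчamsSetup.zip archive; the narrower exclusion and the all-Latin archive on WS02 are left alone.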
The ongoing use of SEO poisoning and deceptive lures highlights the evolving tactics employed by cyber threat actors. Organizations must remain vigilant, reinforcing security awareness training and implementing robust endpoint detection and response solutions to mitigate the risks posed by such sophisticated phishing and malware distribution campaigns. The continued evolution of these attack vectors suggests that consistent security updates and proactive threat hunting will be crucial in defending against future exploits.