Silver Fox APT (Microsoft Teams Lures)
BLUF
The Silver Fox APT group is using SEO poisoning to deliver backdoored Microsoft Teams installers, employing "false flags" to appear as a Russian-speaking group.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by SEO-poisoned, trojanized collaboration software leading to remote access compromise and potential espionage or fraud activity:
· Low-end total cost: $450,000 – $1.2M
o (Single-business-unit exposure, rapid detection, limited data access)
· Typical expected range: $1.5M – $4.5M
o (Multiple endpoints compromised, delayed detection, credential and data exposure)
· Upper-bound realistic scenarios: $6M – $12M
o (Widespread endpoint infection, prolonged dwell time, regulatory notification obligations)
Key Cost Drivers
· Time to detection and containment (days vs. weeks)
· Number of compromised endpoints and privileged accounts
· Scope of data accessed or exfiltrated by remote access tooling
· Regulatory notification and legal review requirements
· Business disruption to collaboration and identity systems
Targeted Sectors
· Residential
· Commercial
· Building Security
Countries
· Asia-Pacific
· Global
Date of First Reported Activity
· Early January 2026
Date of Last Reported Activity Update
· January 13, 2026
APT Names
· Silver Fox
o APT-Q-27
o Void Arachne
Associated Criminal Organization Names
· Not applicable
IOCs
As a reminder, the heuristic behavior of the malware should be what is hunted on. Hashes, domains, etc. tend to be dynamic and will usually differ for each target and attack, and can differ even within the same attack.
Known Indicators of Compromise (IOCs)
Malicious Domains and URLs
· teamscn[.]com
o A typo-squatting domain impersonating the legitimate Microsoft Teams download page.
· shuangkg[.]oss-cn-hongkong[.]aliyuncs[.]com
o An Alibaba Cloud storage location used to deliver the malicious payload.
Files and Payloads
· MSTчamsSetup.zip
o A malicious ZIP archive containing the infection chain. Note the use of the Cyrillic character "ч" (tse) as a false flag intended to misdirect attribution toward Russian actors.
· ValleyRAT (Winos 4.0)
o The primary remote access trojan (RAT) deployed. Recent variants have used modified loaders with Cyrillic elements and Russian-language executables as part of a "Russian Ruse" campaign.
· wamsdk.sys (version 1.1.100)
o A patched but still vulnerable driver abused by Silver Fox to bypass security defenses by altering a single byte in its digital signature.
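The Cyrillic "ч" dropped into an otherwise Latin filename is the detectable part of the false flag: a legitimate vendor installer never mixes scripts. The following is an added example, not code from the report or from any referenced vendor, that scores a filename by (1) the set of Unicode scripts among its letters and (2) its edit distance to an assumed allowlist of expected installer names (EXPECTED_NAMES is an assumption for illustration). The same logic generalizes to any lookalike filename, not just the Teams lure.

```python
"""Mixed-script (homoglyph) filename check for the false-flag lure above.
Added example, not part of the report; EXPECTED_NAMES is an assumed allowlist."""
import unicodedata

# Assumed allowlist of legitimate installer names the lure imitates.
EXPECTED_NAMES = ("MSTeamsSetup.zip", "MSTeamsSetup.exe")


def letter_scripts(name: str) -> set:
    """Unicode script of every letter in the name, taken from the first word of
    the character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def foreign_letters(name: str, base: str = "LATIN") -> list:
    """(index, char, unicode name) for every letter outside the base script,
    so an analyst can see exactly which character was swapped."""
    out = []
    for i, ch in enumerate(name):
        if ch.isalpha():
            uname = unicodedata.name(ch, "UNKNOWN")
            if uname.split()[0] != base:
                out.append((i, ch, uname))
    return out


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), row-by-row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_filename(name: str, expected=EXPECTED_NAMES, max_distance: int = 2) -> dict:
    """Verdicts:
    homoglyph-lookalike : mixed scripts AND within max_distance of an expected name
    mixed-script        : mixed scripts but not close to anything on the allowlist
    single-script       : one script only (may still be unrelated to the allowlist)"""
    scripts = letter_scripts(name)
    closest = min(expected, key=lambda e: levenshtein(name, e))
    distance = levenshtein(name, closest)
    if len(scripts) > 1 and distance <= max_distance:
        verdict = "homoglyph-lookalike"
    elif len(scripts) > 1:
        verdict = "mixed-script"
    else:
        verdict = "single-script"
    return {"name": name, "scripts": sorted(scripts), "closest": closest,
            "distance": distance, "verdict": verdict}


if __name__ == "__main__":
    # The lure filename from the report next to the name it imitates.
    for candidate in ("MSTчamsSetup.zip", "MSTeamsSetup.zip"):
        print(assess_filename(candidate), foreign_letters(candidate))
```

The distance threshold is deliberately small: one or two swapped letters is what a homoglyph lure looks like, while a mixed-script name far from the allowlist is more likely a localized filename than a lure and is reported separately.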
Campaign Tactics
· SEO Poisoning
o Manipulating search results to lure victims to counterfeit download pages that use legitimate Microsoft branding to build trust.
· False Flag Operations
o Intentionally incorporating Russian-language elements to impersonate Russian threat groups while conducting state-sponsored espionage and financial fraud.
· Evasion Techniques
o Modifying antivirus exclusion paths and utilizing binary proxy execution to maintain persistence and avoid detection.
Tools Used
· SEO Poisoning
· Backdoored Installers
TTPs
Reconnaissance & Weaponization
· T1583.001 Acquire Infrastructure: Domains
o Threat actors registered typo-squatted domains like teamscn[.]com to host malicious files.
· T1584.005 Compromise Infrastructure
o Botnet: Leveraged third-party cloud infrastructure (e.g., Alibaba Cloud) to host and deliver malicious ZIP files.
Initial Access
· T1566.002 Phishing
o Spearphishing Link: Distributed links to counterfeit Teams download pages via phishing emails and other messaging platforms.
· T1189 Drive-by Compromise
o Used SEO Poisoning to manipulate search engine results, leading users to malicious landing pages impersonating official Microsoft Teams sites.
Execution
· T1204.002 User Execution: Malicious File
o Relied on users downloading and executing a trojanized "Teams" installer (MSTчamsSetup.zip).
· T1106 Native API
o The ValleyRAT loader utilizes native Windows APIs to execute malicious code in memory.
· T1129 Shared Modules
o Used DLL hijacking (e.g., libexpat.dll) to load encrypted shellcode during the installation process.
Persistence & Evasion
· T1036.005 Masquerading
o Match Legitimate Name or Location: The malware uses Cyrillic characters (e.g., "ч" instead of "e") and Russian language metadata as a false-flag to impersonate Russian-origin actors.
· T1562.001 Impair Defenses
o Disable or Modify Tools: Modified antivirus exclusion paths to prevent security software from scanning the malware directory.
· T1064 Scripting
o Leveraged legitimate Windows tools like msiexec and bitsadmin (Living-off-the-Land) to blend into routine system activity.
· T1055 Process Injection
o Injects the final ValleyRAT payload directly into memory to evade signature-based disk detection.
Command and Control (C2)
· T1071.001 Application Layer Protocol
o Web Protocols: Uses standard HTTP/S protocols to communicate with multi-tier C2 infrastructure.
· T1219 Remote Access Software
o Deployment of ValleyRAT provides full remote control, enabling arbitrary command execution and file exfiltration.
Malware Names
Silver Fox Backdoor
· More specifically known as ValleyRAT
Malware Sample
ValleyRAT
sha256
dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
URL Link to sample
· hxxps://www.virustotal.com/gui/file/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
CVE-2026-20029
CVSS 3.1
· (4.9) AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Nessus ID
· 282331
Is CVE-2026-20029 on the KEV list
· No
What is the CISA patch by date?
· Not applicable
URL to patch information for CVE-2026-20029
· hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt
Suggested Rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results, consider creating a data model and reviewing the traffic as a report.
Suricata
CVE-2026-20029 (XXE Exploitation):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ISE XML External Entity (CVE-2026-20029)"; flow:established,to_server; content:"POST"; http_method; content:"/admin/"; http_uri; content:"<!ENTITY"; http_client_body; content:"SYSTEM"; http_client_body; reference:cve,2026-20029; classtype:web-application-attack; sid:2026001; rev:1;)
Valley RAT C2 Patterns
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Valley RAT Heartbeat/C2 Activity"; flow:established,to_server; dsize:24; content:"|00 00 00 18|"; depth:4; content:"|56 61 6c 6c 65 79|"; offset:4; reference:url,research.splunk.com/stories/valleyrat/; classtype:trojan-activity; sid:2026002; rev:1;)
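To sanity-check what the two Suricata rules above actually match before deploying them, the byte-level conditions can be re-implemented over captured payloads. This is an added example, not code from the report or from Suricata; the payloads are constructed samples (the host name and the file URI in the XML body are placeholders), and the matching mirrors the rule keywords: dsize:24 is an exact payload length, depth:4 confines the first content match to the first four bytes, and offset:4 starts the second match at byte four.

```python
"""Offline re-implementation of the two Suricata rules above, so their
byte-level conditions can be exercised against captured payloads without
running Suricata. Added example with constructed samples, not report code."""

VALLEY_LEN_PREFIX = b"\x00\x00\x00\x18"   # |00 00 00 18| (0x18 = 24, matching dsize:24)
VALLEY_MARKER = b"Valley"                 # |56 61 6c 6c 65 79|

MSG_VALLEY = "ET MALWARE Valley RAT Heartbeat/C2 Activity"
MSG_XXE = "ET EXPLOIT Cisco ISE XML External Entity (CVE-2026-20029)"


def matches_valleyrat_heartbeat(payload: bytes) -> bool:
    """dsize:24; content:"|00 00 00 18|" depth:4; content:"Valley" offset:4."""
    if len(payload) != 24:                 # dsize:24 is an exact match
        return False
    if payload[:4] != VALLEY_LEN_PREFIX:   # depth:4 -> match must sit in the first 4 bytes
        return False
    return VALLEY_MARKER in payload[4:]    # offset:4 -> search from byte 4 onward


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def matches_ise_xxe_post(raw: bytes) -> bool:
    """http_method POST; http_uri contains /admin/; http_client_body contains
    both "<!ENTITY" and "SYSTEM" (the rule does not require them adjacent)."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    return (method == b"POST" and b"/admin/" in uri
            and b"<!ENTITY" in body and b"SYSTEM" in body)


def scan(records):
    """records: iterable of (label, kind, payload) with kind 'tcp' or 'http'.
    Returns [(label, rule message), ...] for every record that fires a rule."""
    alerts = []
    for label, kind, data in records:
        if kind == "tcp" and matches_valleyrat_heartbeat(data):
            alerts.append((label, MSG_VALLEY))
        elif kind == "http" and matches_ise_xxe_post(data):
            alerts.append((label, MSG_XXE))
    return alerts


# Constructed samples (not captures): one hit and one near-miss per rule.
SAMPLE_HEARTBEAT = VALLEY_LEN_PREFIX + VALLEY_MARKER + b"\x00" * 14   # exactly 24 bytes
SAMPLE_BENIGN_TCP = VALLEY_LEN_PREFIX + b"Hello!" + b"\x00" * 14      # 24 bytes, no marker
SAMPLE_XXE = (b"POST /admin/example HTTP/1.1\r\nHost: ise.example.invalid\r\n"
              b"Content-Type: application/xml\r\n\r\n"
              b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///PLACEHOLDER">]><d>&x;</d>')
SAMPLE_BENIGN_POST = (b"POST /admin/example HTTP/1.1\r\nHost: ise.example.invalid\r\n\r\n"
                      b"<d>ok</d>")
SAMPLE_RECORDS = [("hb", "tcp", SAMPLE_HEARTBEAT), ("tcp-ok", "tcp", SAMPLE_BENIGN_TCP),
                  ("xxe", "http", SAMPLE_XXE), ("post-ok", "http", SAMPLE_BENIGN_POST)]

if __name__ == "__main__":
    for label, msg in scan(SAMPLE_RECORDS):
        print(f"{label}: {msg}")
```

Two caveats fall out of the re-implementation: the heartbeat rule only fires when the marker arrives in a single 24-byte TCP segment, so a stream-reassembled or padded beacon slips past it, and the XXE rule keys on two substrings anywhere in the body, which is why the report warns these indicator rules are noisy.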
SentinelOne
Suspicious MSBuild Execution (Valley RAT Loader):
ProcessName = "MSBuild.exe" AND (CommandLine Contains ".pwn" OR CommandLine Contains "Temp") AND ParentProcessName != "devenv.exe"
Privilege Escalation (SeDebugPrivilege)
Indicator = "SeDebugPrivilege" AND ProcessName IN ("MSBuild.exe", "RegAsm.exe") AND NOT ParentProcessName = "services.exe"
Anti-Debugging Maneuver (NtSetInformationProcess)
Behavior = "AntiDebug" AND CallStack Contains "NtSetInformationProcess" AND ProcessName = "MSBuild.exe"
Splunk
Detection of Malicious .pwn File Association
index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 (TargetObject="*\\.pwn\\shell\\open\\command*" OR Details="*valleyrat*")
Identifies attempts to associate the custom .pwn extension with malicious binaries. EventCode 13 (registry value set) is a Sysmon event, so the search targets the Sysmon sourcetype rather than the Security log.
Suspicious Process Spawning from Web Services (CVE-2026-20029 Follow-on)
index=main sourcetype="WinEventLog:Security" EventCode=4688 ParentProcessName="*ise-management*" (NewProcessName="*\\cmd.exe" OR NewProcessName="*\\powershell.exe")
Hunts for shell execution following the exploitation of the Cisco ISE web interface.
UAC Bypass via ComputerDefaults:
index=main sourcetype="WinEventLog:Security" EventCode=4688 NewProcessName="*ComputerDefaults.exe*" ParentProcessName!="*\\explorer.exe"
Silver Fox has been observed using ComputerDefaults-based UAC bypasses in recent 2026 campaigns.
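The three Splunk hunts above can be tested offline against a handful of synthetic events before they are run at scale. The following is an added example, not code from the report or from Splunk; the event records are constructed and use the field names the searches rely on (EventCode, TargetObject, Details, NewProcessName, ParentProcessName). It also shows why path handling matters: 4688 process fields carry full paths, so a parent-process exclusion has to compare the basename rather than the literal "explorer.exe".

```python
"""Host-telemetry version of the three Splunk hunts above, run over constructed
Windows event records. Added example, not report code; all paths are made up."""


def basename(path: str) -> str:
    """Last path component, lower-cased. 4688 fields hold full paths, so a
    comparison against a bare image name must go through this first."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_pwn_association(ev: dict) -> bool:
    """Sysmon EventCode 13 (registry value set) binding the custom .pwn extension."""
    if ev.get("EventCode") != 13:
        return False
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    return "\\.pwn\\shell\\open\\command" in target or "valleyrat" in details


def hunt_ise_followon(ev: dict) -> bool:
    """4688: cmd.exe or powershell.exe spawned by a parent under an ise-management path."""
    if ev.get("EventCode") != 4688:
        return False
    parent = ev.get("ParentProcessName", "").lower()
    child = basename(ev.get("NewProcessName", ""))
    return "ise-management" in parent and child in {"cmd.exe", "powershell.exe"}


def hunt_computerdefaults_uac(ev: dict) -> bool:
    """4688: ComputerDefaults.exe launched by anything other than explorer.exe."""
    if ev.get("EventCode") != 4688:
        return False
    child = basename(ev.get("NewProcessName", ""))
    parent = basename(ev.get("ParentProcessName", ""))
    return child == "computerdefaults.exe" and parent != "explorer.exe"


HUNTS = {
    "pwn_file_association": hunt_pwn_association,
    "ise_followon_shell": hunt_ise_followon,
    "computerdefaults_uac_bypass": hunt_computerdefaults_uac,
}


def run_hunts(events) -> list:
    """Return [(hunt name, event id), ...] for every event that matches a hunt."""
    hits = []
    for ev in events:
        for name, fn in HUNTS.items():
            if fn(ev):
                hits.append((name, ev["id"]))
    return hits


# Constructed events: each hunt gets one true positive and one benign look-alike.
SAMPLE_EVENTS = [
    {"id": 1, "EventCode": 13,
     "TargetObject": r"HKLM\SOFTWARE\Classes\.pwn\shell\open\command\(Default)",
     "Details": r"C:\Users\u\AppData\Local\Temp\loader.exe %1"},
    {"id": 2, "EventCode": 13,
     "TargetObject": r"HKLM\SOFTWARE\Classes\.txt\shell\open\command\(Default)",
     "Details": r"C:\Windows\system32\notepad.exe %1"},
    {"id": 3, "EventCode": 4688,              # explorer-launched: expected to be quiet
     "NewProcessName": r"C:\Windows\System32\ComputerDefaults.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"id": 4, "EventCode": 4688,              # launched from a Temp-dir binary: alert
     "NewProcessName": r"C:\Windows\System32\ComputerDefaults.exe",
     "ParentProcessName": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"id": 5, "EventCode": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\ise-management\service.exe"},
]

if __name__ == "__main__":
    for name, event_id in run_hunts(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

Event 3 is the important negative case: if the exclusion compared the full parent path against the literal "explorer.exe", it would never match and every ComputerDefaults launch on the estate would alert, which is exactly the noise the report warns about.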
Delivery Method
· SEO poisoning leading to fake software download portals.
Email Samples
N/A (Search-based).
References
SecurityBrief Asia
· hxxps://securitybrief.asia/story/silver-fox-apt-powerg-flaws-expose-key-security-risks
VirusTotal
· hxxps://www.virustotal.com/gui/file/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-20029
Cisco Systems
· hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt