SilverFox APT Spreads ValleyRAT via Fake Microsoft Teams Sites

K7 Security Labs found SilverFox APT serving ValleyRAT via trojanized Teams installers on teams-securecall.com, targeting credentials and crypto wallets.

    A China-linked threat group is distributing a capable remote access trojan through websites designed to look like legitimate Microsoft Teams download pages — bundling working software with a payload that monitors clipboards, logs keystrokes, and maintains persistent contact with attacker-controlled infrastructure.

    The SilverFox Campaign

    K7 Security Labs identified an active campaign by SilverFox, a China-linked advanced persistent threat group, in which ValleyRAT malware is distributed through fraudulent Microsoft Teams download websites. The sites documented by researchers include teams-securecall[.]com and teamszs[.]com. Visitors who download from these sites receive trojanized NSIS installers that bundle both genuine Microsoft Teams software and the ValleyRAT payload — a delivery method designed to avoid suspicion by ensuring the expected application installs and functions normally alongside the malicious component.

    The campaign began in mid-April 2026 and was first surfaced publicly through posts on X. K7 Security Labs recovered three malicious archive samples with distinct cryptographic hashes, indicating active iterative development since the campaign launched.

    ValleyRAT’s Capabilities on Compromised Systems

    ValleyRAT is a remote access trojan with a range of post-compromise capabilities. Clipboard monitoring via the Windows API function GetClipboardData targets credentials and cryptocurrency wallet addresses — content that users frequently copy and paste without considering interception risk. The trojan also performs keystroke logging, maintains persistent command-and-control communication over TCP, and supports command execution enabling further attacker-directed activity on the compromised host.

    The combination of clipboard and keystroke capture creates significant exposure for organizations where employees handle credentials or cryptocurrency assets. Wallet addresses in particular are rarely memorized and almost always pasted from clipboard storage, making clipboard monitoring an efficient targeting mechanism for financially motivated operations.

    Attribution to SilverFox and Historical Targeting Patterns

    K7 Security Labs attributed the campaign to SilverFox APT based on technical indicator overlap with previously documented SilverFox activity patterns. The group has historically targeted organizations in the Asia-Pacific region with credential-theft and corporate espionage objectives. Cryptocurrency wallet targeting in the current campaign is consistent with financially motivated operations observed in prior SilverFox activity.

    The use of three samples with distinct hashes across a campaign that is only weeks old suggests the group is iterating on delivery or evasion components — a common practice when threat actors test which variants evade detection by endpoint security products already deployed in target environments.

    Why the Microsoft Teams Lure Works

    The lure vector exploits organizational trust in familiar software brands, particularly in environments where IT procurement is decentralized and employees may obtain software from non-official sources. Microsoft Teams has become a standard enterprise collaboration tool, and employees who need to install or reinstall it may turn to a web search rather than a controlled software distribution system — especially in smaller organizations or remote work environments where IT oversight is limited.
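The two passages above describe the delivery side of this campaign: Teams-branded installers pulled from lookalike domains by users who searched the web instead of using a controlled distribution channel. The detection logic below is an added example, not code from K7 Security Labs or from the article; it runs over a few constructed proxy log lines (the format, the allowlist of legitimate Microsoft domains, and the CDN hostname are assumptions for this example; the two lookalike domains are the ones the article names) and flags any Teams installer download whose registrable domain is not on the allowlist, distinguishing lookalike hosts from merely unapproved ones.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines for this example (not from the K7 report).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status> <bytes>".
SAMPLE_LOG = """\
2026-04-20T09:12:03Z 10.0.5.17 GET https://teams-securecall.com/download/TeamsSetup.exe 200 154238976
2026-04-20T09:15:41Z 10.0.5.22 GET https://statics.teams.cdn.office.net/production-windows-x64/Teams_windows_x64.exe 200 142317568
2026-04-20T09:18:09Z 10.0.5.31 GET https://teamszs.com/MSTeams_x64.exe 200 154238976
2026-04-20T09:20:55Z 10.0.5.17 GET https://www.example.com/index.html 200 5120
"""

# Registrable domains assumed here to be legitimate Teams installer sources.
# Illustrative only; an organization maintains its own allowlist.
ALLOWED_DOMAINS = {"microsoft.com", "office.net", "office.com"}

# File extensions treated as installers or installer archives.
INSTALLER_EXT = (".exe", ".msi", ".msix", ".zip")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["url"])
    rec["host"] = (parsed.hostname or "").lower()
    rec["path"] = parsed.path
    return rec


def registered_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Simplification for the example: it mishandles suffixes such as co.uk,
    where a public suffix list would be needed.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(rec):
    """Return a finding for a suspicious Teams installer download, else None."""
    filename = rec["path"].rsplit("/", 1)[-1].lower()
    teams_in_name = "teams" in filename
    teams_in_host = "teams" in rec["host"]
    is_installer = filename.endswith(INSTALLER_EXT)
    # Only Teams-branded installer fetches are of interest here.
    if not (is_installer and (teams_in_name or teams_in_host)):
        return None
    # Downloads from an allowlisted Microsoft domain are expected traffic.
    if registered_domain(rec["host"]) in ALLOWED_DOMAINS:
        return None
    reason = ("teams-lookalike domain" if teams_in_host
              else "teams installer from unapproved host")
    return {"client": rec["client"], "host": rec["host"],
            "file": filename, "reason": reason}


def scan(log_text):
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']} fetched {f['file']} from {f['host']}: {f['reason']}")
```

Run against the constructed lines, the scan reports the two lookalike-domain downloads and stays silent on the fetch from the assumed Microsoft CDN and on unrelated browsing. The useful design point is that the rule keys on the registrable domain rather than on the hostname string, so a host such as `statics.teams.cdn.office.net` passes because it sits under an allowlisted domain, while `teams-securecall.com` is flagged even though it also contains "teams".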

    The trojanized installer’s use of a genuine Teams application alongside the malicious payload is a deliberate design choice that reduces the likelihood of immediate suspicion. The software works. Alerts don’t trigger. The RAT establishes its C2 channel quietly in the background while the user proceeds with their workday. That combination of a plausible lure, functional software delivery, and a capable payload reflects the operational sophistication K7 Security Labs associates with SilverFox as a persistent threat group with established tooling and infrastructure.
