PULSE NAME
IOC - Silver Fox’s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack
WHITE celestre 2025-12-10 Modified: 2026-01-09
39 IOCs, MEDIUM VOLUME
ReliaQuest has assessed with high confidence that an ongoing search engine optimization (SEO) poisoning campaign impersonating Microsoft Teams is the work of the Chinese advanced persistent threat (APT) group “Silver Fox” (aka Void Arachne), despite false indicators suggesting a Russian threat actor. Active since November 2025, this campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified “ValleyRAT” loader containing Cyrillic elements, likely an intentional move to mislead attribution. Overlapping infrastructure with previous campaigns further indicates the campaign's ties to Silver Fox.
Indicators of Compromise (39)