{ "type": "Domain", "indicator": "teamscn.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/teamscn.com", "alexa": "http://www.alexa.com/siteinfo/teamscn.com", "indicator": "teamscn.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4147296584, "indicator": "teamscn.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6939ac62e469d4f7f250be99", "name": "Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "The Chinese APT group Silver Fox has launched an SEO poisoning campaign targeting Chinese-speaking users, impersonating Microsoft Teams. The campaign uses a modified ValleyRAT loader with Cyrillic elements to mislead attribution. Silver Fox aims to conduct espionage and financial fraud, posing a significant threat due to its dual mission. The attack chain involves a fake Teams website, malicious ZIP files, and binary data retrieval from XML and JSON files. The malware exploits rundll32.exe for binary proxy execution and establishes C2 communication. Attribution to Silver Fox is based on overlapping infrastructure and links to previous campaigns. Organizations with global operations, especially in China, are advised to implement robust security measures and logging capabilities to defend against this evolving threat.", "modified": "2026-01-09T17:02:40.379000", "created": "2025-12-10T17:22:42.524000", "tags": [ "false flag", "valleyrat", "microsoft teams", "seo poisoning", "apt", "financial fraud", "espionage", "china" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482851d7b116174128285b", "name": "Black Hole of Trust: SEO Poisoning in Silver Fox's Space Odyssey", "description": "Silver Fox, an advanced persistent threat (APT) group based in China, has been active since its emergence in 2022, with significant operations documented through 2024. The group's tactics, techniques, and procedures (TTPs) notably include SEO poisoning to direct users to malicious domains masquerading as legitimate applications, such as Microsoft Teams. This campaign was partially uncovered through an exposed link management panel that is believed to facilitate the tracking of download activity for backdoor installer applications.", "modified": "2026-01-20T16:05:07.439000", "created": "2025-12-21T17:03:13.273000", "tags": [ "remote access", "holdinghands", "gh0st", "seo" ], "references": [ "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1036.006", "name": "Space after Filename", "display_name": "T1036.006 - Space after Filename" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [ "Financial", "Medical", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 45, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ef71b34855e9d6f6cc118", "name": "Silver Fox APT Targets Users with a Fake Microsoft Teams Application to Steal Data", "description": "Here is a full list of key figures from the 25th anniversary of the release of a report on a \"false flag\" attack on Facebook, Twitter and other social media sites by the end of 2025.", "modified": "2026-01-13T17:02:50.953000", "created": "2025-12-14T17:42:51.653000", "tags": [ "domains", "ctia type", "date", "december", "time", "https", "urls", "hashes", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "domain": 9, "hostname": 14 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693969a28e26e187bc939778", "name": "Silver Fox\u2019s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "A report from the ReliaQuest Threat Research Team highlights the threat posed by a Chinese advanced persistent threat group, known as Silver Fox, to Western-speaking users of Microsoft Teams, including those in China.", "modified": "2026-01-09T12:04:04.160000", "created": "2025-12-10T12:37:54.956000", "tags": [ "cyber threats", "seo poisoning", "threat intelligence", "threat research", "silver fox", "microsoft teams", "valleyrat", "china", "cyrillic", "figure", "chinesespeaking", "zip file", "playbook", "chinese", "powershell", "telegram", "malware", "execution", "next" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 21, "domain": 6, "hostname": 17 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6938d48fd3186d199a50c5bf", "name": "IOC - Silver Fox\u2019s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "ReliaQuest has assessed with high confidence that an ongoing search engine optimization (SEO) poisoning campaign impersonating Microsoft Teams is the work of the Chinese advanced persistent threat (APT) group \u201cSilver Fox,\u201d (aka Void Arachne) despite false indicators suggesting a Russian threat actor. Active since November 2025, this campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified \u201cValleyRAT\u201d loader containing Cyrillic elements\u2014likely an intentional move to mislead attribution. Overlapping infrastructure with previous campaigns further indicates its ties to Silver Fox.", "modified": "2026-01-09T02:04:37.512000", "created": "2025-12-10T02:01:51.553000", "tags": [ "related domain", "related server", "c2 server", "domain hosting", "link http", "alibaba cloud", "domain" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693688b310f79c0680e510d9", "name": "Silver Fox\u2019s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "", "modified": "2026-01-07T08:06:04.816000", "created": "2025-12-08T08:13:39.500000", "tags": [ "cyber threats", "seo poisoning", "threat intelligence", "threat research", "silver fox", "microsoft teams", "valleyrat", "china", "cyrillic", "figure", "chinesespeaking", "zip file", "playbook", "chinese", "powershell", "telegram", "malware", "execution", "next" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "143 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693291beda90f7539932d45f", "name": "Silver Foxs Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "The Chinese advanced persistent threat (APT) group known as \"Silver Fox\" has been identified as utilizing deceptive tactics, specifically the use of Cyrillic characters, to impersonate Russian threat actors while executing a Microsoft Teams search engine optimization (SEO) poisoning campaign. This strategy targets organizations in China, employing the \"ValleyRAT\" malware to fulfill two primary objectives: state-sponsored espionage aimed at obtaining sensitive intelligence and engaging in financial fraud to sustain their operations.", "modified": "2026-01-04T08:00:15.700000", "created": "2025-12-05T08:03:10.107000", "tags": [ "cyber threats", "seo poisoning", "threat intelligence", "threat research", "silver fox", "microsoft teams", "valleyrat", "china", "cyrillic", "figure", "chinesespeaking", "zip file", "playbook", "chinese", "powershell", "telegram", "malware", "execution", "next", "related domain", "related server", "c2 server", "iocs artifact", "details http", "domain hosting", "link http", "alibaba cloud", "domain", "related serve" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack/" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1606.002", "name": "SAML Tokens", "display_name": "T1606.002 - SAML Tokens" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693969737baf4417638d4b7d", "name": "Threat Actors Poisoning SEO Results to Attack Organizations With Fake Microsoft Teams Installer", "description": "A sophisticated cyber attack using a fake Microsoft Teams website to lure users into downloading malware has been identified as a Chinese state-sponsored espionage campaign, according to research by Reliaquest security analysts and researchers.", "modified": "2025-12-10T12:37:07.037000", "created": "2025-12-10T12:37:07.037000", "tags": [ "microsoft teams", "source", "reliaquest", "russian", "november", "valleyrat", "apt group", "silver", "cyrillic", "silver fox", "chinese" ], "references": [ "https://cybersecuritynews.com/threat-actors-poisoning-seo-results/" ], "public": 1, "adversary": "Chinese", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "171 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cybersecuritynews.com/threat-actors-poisoning-seo-results/", "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack", "Book1.csv", "Book2.csv", "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack/", "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf" ], "related": { "alienvault": { "adversary": [ "Void Arachne" ], "malware_families": [ "Valleyrat" ], "industries": [] }, "other": { "adversary": [ "Chinese", "Silver Fox", "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing" ], "malware_families": [ "Valleyrat" ], "industries": [ "Financial", "Medical", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6939ac62e469d4f7f250be99", "name": "Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "The Chinese APT group Silver Fox has launched an SEO poisoning campaign targeting Chinese-speaking users, impersonating Microsoft Teams. The campaign uses a modified ValleyRAT loader with Cyrillic elements to mislead attribution. Silver Fox aims to conduct espionage and financial fraud, posing a significant threat due to its dual mission. The attack chain involves a fake Teams website, malicious ZIP files, and binary data retrieval from XML and JSON files. The malware exploits rundll32.exe for binary proxy execution and establishes C2 communication. Attribution to Silver Fox is based on overlapping infrastructure and links to previous campaigns. Organizations with global operations, especially in China, are advised to implement robust security measures and logging capabilities to defend against this evolving threat.", "modified": "2026-01-09T17:02:40.379000", "created": "2025-12-10T17:22:42.524000", "tags": [ "false flag", "valleyrat", "microsoft teams", "seo poisoning", "apt", "financial fraud", "espionage", "china" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482851d7b116174128285b", "name": "Black Hole of Trust: SEO Poisoning in Silver Fox's Space Odyssey", "description": "Silver Fox, an advanced persistent threat (APT) group based in China, has been active since its emergence in 2022, with significant operations documented through 2024. The group's tactics, techniques, and procedures (TTPs) notably include SEO poisoning to direct users to malicious domains masquerading as legitimate applications, such as Microsoft Teams. This campaign was partially uncovered through an exposed link management panel that is believed to facilitate the tracking of download activity for backdoor installer applications.", "modified": "2026-01-20T16:05:07.439000", "created": "2025-12-21T17:03:13.273000", "tags": [ "remote access", "holdinghands", "gh0st", "seo" ], "references": [ "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1036.006", "name": "Space after Filename", "display_name": "T1036.006 - Space after Filename" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [ "Financial", "Medical", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 45, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ef71b34855e9d6f6cc118", "name": "Silver Fox APT Targets Users with a Fake Microsoft Teams Application to Steal Data", "description": "Here is a full list of key figures from the 25th anniversary of the release of a report on a \"false flag\" attack on Facebook, Twitter and other social media sites by the end of 2025.", "modified": "2026-01-13T17:02:50.953000", "created": "2025-12-14T17:42:51.653000", "tags": [ "domains", "ctia type", "date", "december", "time", "https", "urls", "hashes", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "domain": 9, "hostname": 14 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693969a28e26e187bc939778", "name": "Silver Fox\u2019s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "A report from the ReliaQuest Threat Research Team highlights the threat posed by a Chinese advanced persistent threat group, known as Silver Fox, to Western-speaking users of Microsoft Teams, including those in China.", "modified": "2026-01-09T12:04:04.160000", "created": "2025-12-10T12:37:54.956000", "tags": [ "cyber threats", "seo poisoning", "threat intelligence", "threat research", "silver fox", "microsoft teams", "valleyrat", "china", "cyrillic", "figure", "chinesespeaking", "zip file", "playbook", "chinese", "powershell", "telegram", "malware", "execution", "next" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 21, "domain": 6, "hostname": 17 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6938d48fd3186d199a50c5bf", "name": "IOC - Silver Fox\u2019s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "ReliaQuest has assessed with high confidence that an ongoing search engine optimization (SEO) poisoning campaign impersonating Microsoft Teams is the work of the Chinese advanced persistent threat (APT) group \u201cSilver Fox,\u201d (aka Void Arachne) despite false indicators suggesting a Russian threat actor. Active since November 2025, this campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified \u201cValleyRAT\u201d loader containing Cyrillic elements\u2014likely an intentional move to mislead attribution. Overlapping infrastructure with previous campaigns further indicates its ties to Silver Fox.", "modified": "2026-01-09T02:04:37.512000", "created": "2025-12-10T02:01:51.553000", "tags": [ "related domain", "related server", "c2 server", "domain hosting", "link http", "alibaba cloud", "domain" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693688b310f79c0680e510d9", "name": "Silver Fox\u2019s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "", "modified": "2026-01-07T08:06:04.816000", "created": "2025-12-08T08:13:39.500000", "tags": [ "cyber threats", "seo poisoning", "threat intelligence", "threat research", "silver fox", "microsoft teams", "valleyrat", "china", "cyrillic", "figure", "chinesespeaking", "zip file", "playbook", "chinese", "powershell", "telegram", "malware", "execution", "next" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "143 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693291beda90f7539932d45f", "name": "Silver Foxs Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack", "description": "The Chinese advanced persistent threat (APT) group known as \"Silver Fox\" has been identified as utilizing deceptive tactics, specifically the use of Cyrillic characters, to impersonate Russian threat actors while executing a Microsoft Teams search engine optimization (SEO) poisoning campaign. This strategy targets organizations in China, employing the \"ValleyRAT\" malware to fulfill two primary objectives: state-sponsored espionage aimed at obtaining sensitive intelligence and engaging in financial fraud to sustain their operations.", "modified": "2026-01-04T08:00:15.700000", "created": "2025-12-05T08:03:10.107000", "tags": [ "cyber threats", "seo poisoning", "threat intelligence", "threat research", "silver fox", "microsoft teams", "valleyrat", "china", "cyrillic", "figure", "chinesespeaking", "zip file", "playbook", "chinese", "powershell", "telegram", "malware", "execution", "next", "related domain", "related server", "c2 server", "iocs artifact", "details http", "domain hosting", "link http", "alibaba cloud", "domain", "related serve" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack/" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1606.002", "name": "SAML Tokens", "display_name": "T1606.002 - SAML Tokens" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 19, "domain": 5, "hostname": 14 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693969737baf4417638d4b7d", "name": "Threat Actors Poisoning SEO Results to Attack Organizations With Fake Microsoft Teams Installer", "description": "A sophisticated cyber attack using a fake Microsoft Teams website to lure users into downloading malware has been identified as a Chinese state-sponsored espionage campaign, according to research by Reliaquest security analysts and researchers.", "modified": "2025-12-10T12:37:07.037000", "created": "2025-12-10T12:37:07.037000", "tags": [ "microsoft teams", "source", "reliaquest", "russian", "november", "valleyrat", "apt group", "silver", "cyrillic", "silver fox", "chinese" ], "references": [ "https://cybersecuritynews.com/threat-actors-poisoning-seo-results/" ], "public": 1, "adversary": "Chinese", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "171 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "teamscn.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "teamscn.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780210723.9982376 }