NCC Group Uncovers Exposed Panel Tracking Malware Downloads

Silver Fox Uses Tax-Themed Phishing To Spread ValleyRAT Malware Campaign Into India

The420 Web Desk

A quietly expanding cyber campaign has revealed how familiar software names, search engines, and tax-related anxieties are being weaponized to distribute a sophisticated remote access trojan, blurring the lines between criminal profit, espionage tactics, and global cyber deception.

A Malware Campaign Hidden in Plain Sight

Security researchers have traced a broad malware distribution effort to ZIP archives circulating through search results and phishing lures that masquerade as installers for popular applications. At the center of the campaign is ValleyRAT, a modular remote access trojan delivered through an NSIS-based installer designed to appear routine to unsuspecting users.

According to findings shared by NCC Group, the installer performs several actions before the victim realizes anything is wrong. It configures exclusions in Microsoft Defender Antivirus, establishes persistence using scheduled tasks, and then connects to a remote server to retrieve the final ValleyRAT payload. Once installed, the malware communicates externally and waits for further instructions, enabling operators to deploy additional capabilities on demand.

Data from an exposed link management panel used in the campaign showed hundreds of clicks originating from mainland China, with additional activity across Asia-Pacific, Europe, and North America. Researchers said this confirmed both the geographic spread of the operation and its apparent focus on Chinese-speaking users.

False Flags and Global Attribution Challenges

The activity overlaps with earlier reporting by ReliaQuest, which suggested the operators attempted to complicate attribution by mimicking the infrastructure and tradecraft of Russian-linked threat actors. In those cases, attackers used websites themed around Microsoft Teams to target organizations in China, blending familiar corporate branding with deceptive download links.

This deliberate ambiguity reflects a broader trend in advanced cybercrime, where groups increasingly borrow each other’s techniques to frustrate investigators. Analysts noted that such false-flag operations make it harder to distinguish between financially motivated campaigns and those with intelligence-gathering objectives, especially when infrastructure and malware families are reused across regions.

Investigators found that the campaign relied heavily on search engine optimization poisoning, a technique that pushes malicious sites to the top of search results. The bogus websites impersonated a wide range of widely used applications, including Microsoft Teams, Telegram, Signal, OpenVPN, WPS Office, and several VPN and productivity tools popular with Chinese-speaking users.

The exposed panel tracked daily and cumulative download clicks, providing insight into how effectively victims were being funneled toward infected installers. Analysis of IP addresses tied to these clicks showed at least 217 originating from China, followed by smaller numbers from the United States, Hong Kong, Taiwan, and Australia.

Researchers at NCC Group said the breadth of impersonated software underscored how attackers are exploiting trust in well-known brands to scale their operations quietly across borders.

India-Tax Lures and a Sophisticated Kill Chain

A parallel strand of the campaign, documented by CloudSEK, revealed a focused push into India using income tax–themed phishing emails. These messages carried decoy PDF attachments that claimed to originate from India’s Income Tax Department. Opening the document redirected recipients to a domain hosting a ZIP file labeled “tax affairs.zip.”

Inside was an NSIS installer that leveraged a legitimate executable associated with Thunder, a Windows download manager developed by Xunlei, alongside a malicious DLL sideloaded to hijack execution. The DLL disabled the Windows Update service, conducted anti-analysis and anti-sandbox checks, and then injected the final ValleyRAT payload into a hollowed explorer.exe process.
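The two installer behaviours described above (Defender exclusions plus scheduled-task persistence, and the sideloaded DLL disabling Windows Update before spawning a hollowed explorer.exe) leave process-creation telemetry that a defender can match on. The following is an added example, not code from NCC Group, CloudSEK or the article; the Sysmon-style events, paths and the name "Setup.exe" are constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\Setup.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "Setup.exe /S"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\u\Downloads\Setup.exe",
     "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\ProgramData\\upd"'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Users\u\Downloads\Setup.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\ProgramData\upd\run.exe"},
    # Sideloaded DLL runs inside the download-manager process: it stops Windows Update,
    # then starts explorer.exe to hollow it, so both events have Thunder.exe as parent.
    {"image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Program Files\Thunder\Thunder.exe",
     "cmdline": "sc config wuauserv start= disabled"},
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Program Files\Thunder\Thunder.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

# Command-line patterns for the techniques the article describes.
RULES = [
    ("defender_exclusion", re.compile(r"add-mppreference.*-exclusion", re.I)),
    ("scheduled_task_persistence", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    ("windows_update_disabled", re.compile(r"sc(\.exe)?\s+(config|stop)\s+wuauserv", re.I)),
]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def classify(event):
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # explorer.exe is normally started by winlogon/userinit or by explorer itself; any other
    # parent is a cheap (not conclusive) indicator of a hollowing target being launched.
    if basename(event["image"]).lower() == "explorer.exe":
        if basename(event["parent"]).lower() not in {"winlogon.exe", "userinit.exe", "explorer.exe"}:
            hits.append("explorer_unusual_parent")
    return hits

def detect(events):
    return [(basename(e["image"]), hit) for e in events for hit in classify(e)]

def correlate(events, min_hits=2):
    # Group findings by parent process: one parent tripping several rules is the kill chain,
    # which is far stronger than any single alert.
    by_parent = {}
    for e in events:
        for hit in classify(e):
            by_parent.setdefault(basename(e["parent"]), set()).add(hit)
    return {p: sorted(h) for p, h in by_parent.items() if len(h) >= min_hits}
```

Run over real Sysmon or EDR exports, the parent-based correlation is what separates an installer that only adds one exclusion from the staged chain the article describes.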

ValleyRAT’s architecture allows registry-resident plugins, delayed beaconing, and on-demand module delivery, enabling functions such as keylogging, credential harvesting, surveillance, and defense evasion. CloudSEK researchers said infections linked to this activity date back to July 2025, with victims identified not only in India and China but also across Asia-Pacific, Europe, and North America.

The threat actor behind the campaign, tracked as Silver Fox, has been active since 2022 and is also known by several other aliases. Researchers describe the group as aggressive and adaptable, with operations spanning espionage, financial crime, cryptocurrency mining, and operational disruption—often delivered through SEO poisoning and phishing that blur the boundary between routine software downloads and covert compromise.
