A new cybersecurity threat actor, Silver Fox, has quickly risen to the forefront of this new digital battleground. They are conducting a highly technical FSO designed to create the appearance of a Russian threat actor. The campaign, which exclusively targets organizations in China, underscores Silver Fox’s evolving tactics and strategies for deploying malware more effectively.
Operational since November 2025, Silver Fox uses a multi-layered approach to distribute its malware, employing various deception techniques to mislead victims and security experts alike. The chain is built around a second-stage orchestrator, men.exe, which drops further malicious components and changes file permissions to resist cleanup efforts. It also creates a scheduled Windows task that runs an encoded VBE script. Unlike its predecessors, it is designed to ensure persistence on the systems it compromises.
The Mechanism of Attack
Silver Fox starts its operations with the release of a fake Microsoft Teams installation file. This is a big shift from previous campaigns that impersonated other widely known apps. The installer is not named “MSTicamsSetup.zip” but, rather cryptically, “MSTчamsSetup.zip”, and it is hosted on an Alibaba Cloud URL. It incorporates Russian-language (Cyrillic) elements to deliberately muddy attribution attempts.
“On the surface, victims see a normal installer,” – Maurice Fielenbach
Once run, the installer adds malicious exclusions to Microsoft Defender, drops a password-protected archive and extracts a second executable from it. The second-stage orchestrator, men.exe, drops additional payloads into a sub-directory of the public user profile. Besides being difficult to remove or uninstall, it sets up further mechanisms to ensure it remains on the victim’s system indefinitely.
“This second-stage orchestrator, men.exe, deploys additional components into a folder under the public user profile, manipulates file permissions to resist cleanup, and sets up persistence through a scheduled task that runs an encoded VBE script,” – Maurice Fielenbach
Exploiting Vulnerabilities
More sophisticated approaches, such as the Bring Your Own Vulnerable Driver (BYOVD) technique, are used by Silver Fox to increase their malware’s effectiveness. Using the driver “NSecKrnl64.sys”, loaded through “NVIDIA.exe”, the group runs the ValleyRAT malware while terminating the processes of installed security solutions. The driver lets them enumerate running processes and kill any that belong to endpoint security products.
Alongside ValleyRAT, Silver Fox deploys a component we are calling “bypass.exe”, which escalates privileges by bypassing User Account Control (UAC). The chain concludes when the final DLLs are loaded into the memory space of “rundll32.exe”; this well-known Windows process is used to hide their malicious intent.
“In the background, the malware stages files, deploys drivers, tampers with defenses, and finally launches a ValleyRat beacon that keeps long-term access to the system,” – Maurice Fielenbach
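As an added example (not code from the article or from the researchers quoted), the following Python detector matches the four stages described above, Defender exclusion, scheduled task running an encoded VBE script, vulnerable-driver load, and a DLL loaded by rundll32.exe, against constructed sample log lines. The event formats and the C:\Users\Public\Libraries path are assumptions.

```python
import re

# Constructed sample log lines (not taken from the article). Their layout only
# loosely mimics Defender event 5007, Security event 4698 and Sysmon events 6/1.
SAMPLE_LOGS = [
    "Defender 5007: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Libraries = 0x0",
    "Security 4698: Task=\\UpdateCheck Command=wscript.exe Arguments=C:\\Users\\Public\\Libraries\\upd.vbe",
    "Sysmon 6: ImageLoaded=C:\\Users\\Public\\Libraries\\NSecKrnl64.sys Signed=true",
    "Sysmon 1: Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe C:\\Users\\Public\\Libraries\\x.dll,Start",
    "Security 4698: Task=\\Backup Command=C:\\Program Files\\Backup\\backup.exe",  # benign task, must not match
]

# One rule per stage of the chain. A BYOVD driver is legitimately signed, so the
# signal is the driver name and its load from a user-writable directory, not the
# signature state.
RULES = [
    ("defender-exclusion-public-profile",
     re.compile(r"^Defender 5007:.*Exclusions\\.*C:\\Users\\Public", re.I)),
    ("schtask-encoded-vbe-public-profile",
     re.compile(r"^Security 4698:.*(wscript|cscript)\.exe.*C:\\Users\\Public\\.*\.vbe", re.I)),
    ("vulnerable-driver-load",
     re.compile(r"^Sysmon 6:.*ImageLoaded=.*\\NSecKrnl64\.sys", re.I)),
    ("rundll32-public-profile-dll",
     re.compile(r"^Sysmon 1:.*Image=.*\\rundll32\.exe.*C:\\Users\\Public\\.*\.dll", re.I)),
]


def scan(lines):
    """Return (rule_name, line) pairs for every log line that matches a rule."""
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


def chain_score(lines):
    """Number of distinct stages of the chain observed. A single hit can be noise;
    three or more distinct stages on one host is worth treating as the full chain."""
    return len({name for name, _ in scan(lines)})


if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOGS):
        print(f"[{name}] {line}")
    print("distinct stages:", chain_score(SAMPLE_LOGS))
```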
Targeting and Objectives
The campaign is primarily focused on Chinese-speaking users, which may include those tied to Western organizations operating within China. This choice of target reflects an overarching strategy aimed at financial gain through theft, scams and fraud, while simultaneously collecting sensitive intelligence for geopolitical advantage.
“This campaign targets Chinese-speaking users, including those within Western organizations operating in China, using a modified ‘ValleyRAT’ loader containing Cyrillic elements – likely an intentional move to mislead attribution,” – Hayden Evans
Even as Silver Fox fizzles out, organizations still contend with immediate threats such as data exfiltration and ransomware payments. The group’s tactics allow it to maintain plausible deniability, operating discreetly without direct government funding.
“Targets face immediate risks such as data breaches, financial losses, and compromised systems, while Silver Fox maintains plausible deniability, allowing it to operate discreetly without direct government funding,” – ReliaQuest