Threat actors have launched multiple campaigns distributing the ValleyRAT remote access trojan (RAT), targeting both organizations in China and job seekers. In one campaign, the group known as Silver Fox used search engine optimization (SEO) poisoning and fake Microsoft Teams installers to lure Chinese-speaking users, including those in Western companies operating in China, into downloading a trojanized setup file. The installer, disguised with Russian linguistic elements to mislead attribution, deploys ValleyRAT, which enables remote control, data exfiltration, and persistent access to infected systems. The malware loader checks for security software like 360 Total Security and manipulates Microsoft Defender exclusions to evade detection.
A separate ValleyRAT campaign has been observed targeting job seekers via malicious emails that leverage a weaponized Foxit PDF Reader for DLL side-loading. This campaign uses social engineering to trick users into executing the malware, which then allows attackers to monitor activity, steal sensitive data, and potentially compromise HR professionals as well. Both campaigns demonstrate a high level of sophistication, utilizing layered obfuscation, dynamic execution techniques, and strategic targeting to maximize infection rates and evade security controls. Security vendors have updated detection and hunting capabilities to address these threats, emphasizing the need for vigilance among organizations and individuals alike.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
The Hacker News reported that Silver Fox was using Russian-language elements and infrastructure in a false-flag effort to resemble a Russian threat group while conducting the ValleyRAT campaign in China. The report also highlighted the campaign's targeting, malware chain, and attribution details.
Trend Micro disclosed research on a related ValleyRAT/PureRAT campaign that targeted job seekers and abused Foxit PDF Reader for DLL side-loading. The report publicly documented the malware delivery technique and victim lure used in the operation.
During the November 2025 campaign, Silver Fox distributed trojanized Microsoft Teams and Telegram installers to infect victims with ValleyRAT. The infection chain included DLL side-loading, persistence mechanisms, remote access capabilities, and in some cases BYOVD to disable or evade security tools.
In November 2025, the threat actor Silver Fox launched a campaign targeting Chinese-speaking users and Western organizations operating in China. The operation used SEO poisoning and software-themed lures to deliver ValleyRAT/Winos 4.0 for espionage and financial gain.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcetrendmicro.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.