A malware campaign is using fake Microsoft Teams download pages promoted on X to lure corporate users into installing trojanized ZIP archives that deploy ValleyRAT. Researchers said the infection chain relies on an NSIS installer and DLL sideloading through Tencent’s legitimate GameBox.exe, then uses PowerShell to add Windows Defender exclusions, hide files, and establish persistence through unauthorized service creation and registry artifacts including _CCGDAT.
Once executed, the loader decrypts staged payloads from user.dat in memory using AES and XOR, with additional evasion through API hashing and reflective loading. The final ValleyRAT payload captures keystrokes, clipboard contents, and active-window activity before exfiltrating data to command-and-control infrastructure at 103.215.77.17; researchers said the campaign shows Chinese-language artifacts and behavioral overlaps that likely tie it to the SilverFox APT cluster.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
LevelBlue reported a ValleyRAT infection chain first observed in 2026 in which phishing emails in Traditional Chinese or Japanese delivered a ZIP archive containing a legitimate VLC executable and a malicious libvlc.dll for DLL sideloading. The malware established persistence, downloaded an RC4-encrypted payload, and injected ValleyRAT into a suspended rundll32.exe process for in-memory execution.
The reporting assessed the activity as likely linked to the SilverFox APT group, citing Chinese-language artifacts, log data, and behavioral overlap with prior ValleyRAT activity. One source also described the campaign as likely linked to China.
Researchers reported that the ValleyRAT variant captured keystrokes, clipboard contents, and active window activity before exfiltrating data. The campaign's command-and-control infrastructure included communications to 103.215.77.17.
Analysis revealed the infection chain used an NSIS-based installer, DLL sideloading through Tencent's legitimate GameBox.exe, and PowerShell to add Windows Defender exclusions. The malware then decrypted staged payloads in memory and established persistence through hidden files, registry artifacts, and a service.
Researchers identified a malware campaign in mid-April in which fake Microsoft Teams download sites were promoted on X to deliver trojanized ZIP archives. The lures targeted corporate users seeking enterprise communication software.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
levelblue.com
Open sourcesecurityonline.info
Open sourcelabs.k7computing.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.