Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Fake Microsoft Teams Downloads Deliver ValleyRAT Malware

Fake Microsoft Teams Downloads Deliver ValleyRAT Malware

Posted on May 21, 2026 By CWS

Cybersecurity researchers have uncovered a malicious campaign where attackers create counterfeit Microsoft Teams download websites to distribute ValleyRAT, a potent remote access trojan. This malware can steal information, log keystrokes, and enable remote control over compromised systems.

Deceptive Campaign Unveiled

Launched in mid-April 2026, this campaign targets unsuspecting individuals attempting to acquire legitimate collaboration software. Cybercriminals have developed websites that closely mimic the official Microsoft Teams download page, spreading these deceptive links primarily through the X platform for maximum visibility.

Visitors to these sites encounter what appears to be a valid download button, leading to a zip file containing a seemingly legitimate installer. However, this installer is actually weaponized to deploy malicious components.

Technical Insights and Chinese Origins

Experts from K7 Security Labs analyzed the campaign, revealing that the malware utilizes a DLL sideloading technique via a Tencent executable called GameBox.exe. Moreover, Chinese language elements within the fake sites and logs indicate a likely origin from China and potential connections to the SilverFox APT group.

The attack is particularly insidious as it simultaneously installs a genuine version of Microsoft Teams, leaving victims unaware of the ongoing malicious activity.

Infection Mechanism and Defense Strategies

The infection begins when a user downloads and extracts the malicious zip file from domains like teams-securecall[.]com. A compromised installer silently deploys a loader, utility.dll, and essential files, executing PowerShell commands to modify Windows Defender settings and conceal its presence.

Key components include an AES-encrypted file, user.dat, which is decrypted in memory, and ValleyRAT, which executes through shellcode injection, dynamically resolving Windows functions to evade detection.

To mitigate such threats, users should download software only from verified vendor sites and verify digital signatures. Organizations must enforce application allowlisting and monitor for unusual PowerShell activity to enhance their security posture.

Indicators of compromise include specific file hashes and domains used in the attack. Security professionals should re-fang these within controlled environments to gather further intelligence.

Stay updated on cybersecurity developments by following trusted sources and implementing robust protective measures to safeguard against evolving threats like ValleyRAT.

Cyber Security News Tags:APT group, cyber attack, cyber threat, Cybersecurity, data theft, Hacking, Malware, Microsoft Teams, Trojan, ValleyRAT

Post navigation

Previous Post: Antv NPM Packages Compromised in Supply Chain Attack
Next Post: Malware Masquerades as Trusted Apps to Steal Data

Related Posts

Steganography in Images: A New Cybersecurity Threat Steganography in Images: A New Cybersecurity Threat Cyber Security News
VS Code Extension Weaponized With Two Lines of Code Leads to Supply Chain Attack VS Code Extension Weaponized With Two Lines of Code Leads to Supply Chain Attack Cyber Security News
New Research Uncovers 28 Unique IP Addresses and 85 Domains Hosting Carding Markets New Research Uncovers 28 Unique IP Addresses and 85 Domains Hosting Carding Markets Cyber Security News
NVIDIA NSIGHT Graphics for Linux Vulnerability Allows Code Execution Attacks NVIDIA NSIGHT Graphics for Linux Vulnerability Allows Code Execution Attacks Cyber Security News
Elite Cyber Veterans Launch Blast Security with M to Turn Cloud Detection into Prevention Elite Cyber Veterans Launch Blast Security with $10M to Turn Cloud Detection into Prevention Cyber Security News
Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025 Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025 Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Cross-Platform QuimaRAT MaaS Targets Multiple OS
  • TrojPix Hack Threatens Air-Gapped Computers
  • TrojPix Exploits Pixel Modulation to Leak Data
  • Critical Opera GX Flaw Exposes User Data to Hackers
  • SkillCloak Evades AI Scanners with New Techniques

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Cross-Platform QuimaRAT MaaS Targets Multiple OS
  • TrojPix Hack Threatens Air-Gapped Computers
  • TrojPix Exploits Pixel Modulation to Leak Data
  • Critical Opera GX Flaw Exposes User Data to Hackers
  • SkillCloak Evades AI Scanners with New Techniques

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark