Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Fake Microsoft Teams Downloads Deliver ValleyRAT Malware

Fake Microsoft Teams Downloads Deliver ValleyRAT Malware

Posted on May 21, 2026 By CWS

Cybersecurity researchers have uncovered a malicious campaign where attackers create counterfeit Microsoft Teams download websites to distribute ValleyRAT, a potent remote access trojan. This malware can steal information, log keystrokes, and enable remote control over compromised systems.

Deceptive Campaign Unveiled

Launched in mid-April 2026, this campaign targets unsuspecting individuals attempting to acquire legitimate collaboration software. Cybercriminals have developed websites that closely mimic the official Microsoft Teams download page, spreading these deceptive links primarily through the X platform for maximum visibility.

Visitors to these sites encounter what appears to be a valid download button, leading to a zip file containing a seemingly legitimate installer. However, this installer is actually weaponized to deploy malicious components.

Technical Insights and Chinese Origins

Experts from K7 Security Labs analyzed the campaign, revealing that the malware utilizes a DLL sideloading technique via a Tencent executable called GameBox.exe. Moreover, Chinese language elements within the fake sites and logs indicate a likely origin from China and potential connections to the SilverFox APT group.

The attack is particularly insidious as it simultaneously installs a genuine version of Microsoft Teams, leaving victims unaware of the ongoing malicious activity.

Infection Mechanism and Defense Strategies

The infection begins when a user downloads and extracts the malicious zip file from domains like teams-securecall[.]com. A compromised installer silently deploys a loader, utility.dll, and essential files, executing PowerShell commands to modify Windows Defender settings and conceal its presence.

Key components include an AES-encrypted file, user.dat, which is decrypted in memory, and ValleyRAT, which executes through shellcode injection, dynamically resolving Windows functions to evade detection.

To mitigate such threats, users should download software only from verified vendor sites and verify digital signatures. Organizations must enforce application allowlisting and monitor for unusual PowerShell activity to enhance their security posture.

Indicators of compromise include specific file hashes and domains used in the attack. Security professionals should re-fang these within controlled environments to gather further intelligence.

Stay updated on cybersecurity developments by following trusted sources and implementing robust protective measures to safeguard against evolving threats like ValleyRAT.

Cyber Security News Tags:APT group, cyber attack, cyber threat, Cybersecurity, data theft, Hacking, Malware, Microsoft Teams, Trojan, ValleyRAT

Post navigation

Previous Post: Antv NPM Packages Compromised in Supply Chain Attack
Next Post: Malware Masquerades as Trusted Apps to Steal Data

Related Posts

Microsoft Exchange Online Misidentifies Emails as Phishing Microsoft Exchange Online Misidentifies Emails as Phishing Cyber Security News
Threat Actor’s Using Copyright Takedown Claims to Deploy Malware Threat Actor’s Using Copyright Takedown Claims to Deploy Malware Cyber Security News
UniFi OS Server Vulnerability Allows Root Access UniFi OS Server Vulnerability Allows Root Access Cyber Security News
System Admins Beware! Weaponized Putty Ads in Bing Installs Remote Access Tools System Admins Beware! Weaponized Putty Ads in Bing Installs Remote Access Tools Cyber Security News
Cyber Conflict Escalates as Iran Faces Major Disruptions Cyber Conflict Escalates as Iran Faces Major Disruptions Cyber Security News
Ollama Flaw Threatens 300,000 Global Servers Ollama Flaw Threatens 300,000 Global Servers Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • TrojPix Exploits Pixel Modulation to Leak Data
  • Critical Opera GX Flaw Exposes User Data to Hackers
  • SkillCloak Evades AI Scanners with New Techniques
  • SSH Honeypots Overlook Key Non-Interactive Attacks
  • Opera GX Flaw Allowed Silent Mod Installs, Data Theft

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • TrojPix Exploits Pixel Modulation to Leak Data
  • Critical Opera GX Flaw Exposes User Data to Hackers
  • SkillCloak Evades AI Scanners with New Techniques
  • SSH Honeypots Overlook Key Non-Interactive Attacks
  • Opera GX Flaw Allowed Silent Mod Installs, Data Theft

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark