Cybersecurity researchers have uncovered a malicious campaign in which attackers set up counterfeit Microsoft Teams download websites to distribute ValleyRAT, a remote access trojan capable of stealing information, logging keystrokes, and giving its operators remote control over compromised systems.
Deceptive Campaign Unveiled
Launched in mid-April 2026, the campaign targets people who are simply trying to download legitimate collaboration software. The attackers built websites that closely mimic the official Microsoft Teams download page and spread links to them primarily through posts on the X platform to reach as many users as possible.
Visitors to these sites see what looks like a valid download button, which delivers a zip file containing a seemingly legitimate installer. That installer is in fact trojanized: it deploys the malicious components alongside whatever it appears to install.
Technical Insights and Chinese Origins
Analysts at K7 Security Labs examined the campaign and found that the malware is loaded through DLL sideloading: a legitimate Tencent executable, GameBox.exe, is abused to load a malicious DLL planted next to it. Chinese-language strings in the fake sites and in the malware's logs point to a Chinese-speaking origin and a possible connection to the SilverFox APT group.
The attack is particularly insidious because the installer also installs a genuine copy of Microsoft Teams. The victim ends up with the software they expected and has no obvious reason to suspect the malicious activity running alongside it.
Infection Mechanism and Defense Strategies
The infection begins when the user downloads and extracts the malicious zip file from a domain such as teams-securecall[.]com. The trojanized installer silently drops a loader, utility.dll, together with its supporting files, and runs PowerShell commands that weaken Windows Defender settings and hide the malware's presence.
Key components include an AES-encrypted payload file, user.dat, which is decrypted only in memory, and ValleyRAT itself, which runs via shellcode injection and resolves the Windows API functions it needs at runtime rather than importing them, leaving less for static analysis and import-based detection to catch.
To mitigate such threats, users should download software only from the vendor's verified site and check the installer's digital signature before running it. Organizations should enforce application allowlisting, which keeps unexpected executables and DLLs such as the sideloaded loader from running at all, and monitor for unusual PowerShell activity, in particular commands that alter Windows Defender preferences.
The published indicators of compromise include the file hashes and domains used in the attack. They are shared in defanged form (for example teams-securecall[.]com) so they cannot be clicked by accident; re-fang them only inside a controlled analysis environment when pivoting on them for further intelligence.
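The following script is an added example, not code from K7 Security Labs or from the article, covering both the infection chain and the detection and IOC-handling advice above. It re-fangs defanged indicators, then runs three hunting rules over constructed Sysmon-style events: PowerShell commands that disable Windows Defender features or add exclusions, a host executable loading an unsigned DLL from its own user-writable directory (the sideloading pattern), and DNS queries for known-bad domains. The file paths, the PowerShell command lines, the signature flags and the event layout are assumptions made for the example; only the domain teams-securecall[.]com, GameBox.exe and utility.dll come from the article.

```python
"""Hunting helpers for the ValleyRAT-style chain described in the article.

Added example; it is not the researchers' or the article's own code. The event
format is a simplified, constructed stand-in for Sysmon process-create,
image-load and DNS-query records.
"""
import re
from pathlib import PureWindowsPath

# --- IOC handling ----------------------------------------------------------
_DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
_DEFANG_SCHEME = re.compile(r"^hxxp(s?)(\[:\]|:)//", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so an indicator can be matched."""
    s = ioc.strip()
    s = _DEFANG_SCHEME.sub(r"http\1://", s)
    s = _DEFANG_DOT.sub(".", s)
    return s.lower()


def defang(ioc: str) -> str:
    """Defang an indicator for publication so it does not become a live link."""
    s = re.sub(r"^http(s?)://", r"hxxp\1://", ioc, flags=re.IGNORECASE)
    return s.replace(".", "[.]")


# --- detection rules -------------------------------------------------------
# Set-MpPreference / Add-MpPreference with a -Disable* switch or an exclusion
# parameter is the usual way a script weakens Defender from PowerShell. The
# rule is a hunting heuristic: it also fires on a script that re-enables a
# feature, which is fine for triage.
_MP_TAMPER = re.compile(
    r"\b(Set|Add)-MpPreference\b[^\n]*?-(Disable\w*|Exclusion\w*)", re.IGNORECASE
)
# Directories an ordinary user can write to; a signed binary executing from
# here next to an unsigned DLL is the classic sideloading layout.
_USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)


def is_defender_tamper(command_line: str) -> bool:
    return bool(_MP_TAMPER.search(command_line))


def is_suspicious_sideload(event: dict) -> bool:
    """Signed host process loads an unsigned DLL from its own user-writable dir."""
    exe = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["loaded_image"])
    if dll.suffix.lower() != ".dll":
        return False
    return (
        exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
        and event.get("image_signed", False)
        and not event.get("loaded_signed", False)
        and bool(_USER_WRITABLE.search(str(exe.parent)))
    )


def analyze(events: list[dict], defanged_iocs: list[str]) -> list[tuple[str, str]]:
    """Return (rule, detail) alerts for every event that matches a rule."""
    bad_domains = {refang(i) for i in defanged_iocs}
    alerts: list[tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and is_defender_tamper(ev["command_line"]):
            alerts.append(("defender_tamper", ev["command_line"]))
        elif kind == "image_load" and is_suspicious_sideload(ev):
            alerts.append(("dll_sideload", f'{ev["image"]} -> {ev["loaded_image"]}'))
        elif kind == "dns_query" and ev["query"].lower() in bad_domains:
            alerts.append(("ioc_domain", ev["query"]))
    return alerts


# Constructed sample telemetry (not observed data): the drop directory, the
# command lines and the signature flags are assumptions for this example.
SAMPLE_EVENTS = [
    {"type": "dns_query", "query": "teams-securecall.com"},
    {"type": "process_create",
     "command_line": "powershell.exe -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process_create",
     "command_line": 'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\victim\\Downloads\\MicrosoftTeams"'},
    {"type": "image_load",
     "image": "C:\\Users\\victim\\Downloads\\MicrosoftTeams\\GameBox.exe",
     "loaded_image": "C:\\Users\\victim\\Downloads\\MicrosoftTeams\\utility.dll",
     "image_signed": True, "loaded_signed": False},
    # Benign control: a signed application loading its own signed DLL from Program Files.
    {"type": "image_load",
     "image": "C:\\Program Files\\ExampleApp\\app.exe",
     "loaded_image": "C:\\Program Files\\ExampleApp\\helper.dll",
     "image_signed": True, "loaded_signed": True},
    {"type": "process_create", "command_line": "powershell.exe Get-MpPreference"},
]
SAMPLE_IOCS = ["teams-securecall[.]com"]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS, SAMPLE_IOCS):
        print(f"[{rule}] {detail}")
```

Run against real telemetry, the sideloading rule needs the signature status that Sysmon image-load events carry (or that Get-AuthenticodeSignature reports); without it, fall back to flagging any DLL loaded from a user-writable directory by a process whose image sits in the same directory, which is noisier but still catches the GameBox.exe / utility.dll layout.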
Stay updated on cybersecurity developments by following trusted sources and implementing robust protective measures to safeguard against evolving threats like ValleyRAT.
