Threat Actors Poisoning SEO Results to Attack Organizations With Fake Microsoft Teams Installer

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated cyber campaign is exploiting search engine optimization (SEO) to distribute a malicious installer disguised as Microsoft Teams, targeting unsuspecting organizations.

This campaign, active since November 2025, uses a fake Microsoft Teams website to lure users into downloading a trojanized application, which then deploys the “ValleyRAT” malware.

This malware gives attackers remote control over infected systems, allowing them to steal sensitive data, execute commands, and maintain a persistent presence within the network.

The attack begins when users, searching for Microsoft Teams, are directed to a malicious website through poisoned search results.

The website, teamscn[.]com, is a typosquatted domain designed to target Chinese-speaking users.

ReliaQuest security researchers noted that the threat actors, identified as the Chinese APT group “Silver Fox,” have a dual objective: conducting state-sponsored espionage and engaging in cybercrime for financial gain.

The use of a fake Microsoft Teams application as a lure is a strategic choice, given the widespread use of the collaboration platform in corporate environments, which increases the likelihood of a successful infection.

What makes this campaign particularly deceptive is the use of “false flag” techniques to mislead security researchers.

The malware loader, for instance, contains Cyrillic characters and Russian language elements, a deliberate tactic to attribute the attack to Russian threat actors.

Evolved ValleyRAT infection chain (Source – ReliaQuest)

However, ReliaQuest security researchers have linked the campaign to “Silver Fox” with high confidence, citing overlapping infrastructure with previous attacks.

This misdirection is a calculated move to complicate attribution and slow down incident response efforts, giving the attackers more time to achieve their objectives.

Infection and Evasion

The infection process is a multi-stage operation designed to bypass security measures and deceive users.

It starts with the download of a ZIP file named MSTчamsSetup.zip. This file contains a trojanized executable, Setup.exe.

Once executed, Setup.exe performs several actions to compromise the system. It first checks for the presence of “360 Total Security,” a popular antivirus solution in China.

It then uses a PowerShell command to add exclusions for the C:, D:, E:, and F: drives in Windows Defender, preventing the antivirus from scanning these locations.

The command used is:

```powershell
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath C:, D:,E:,F:
```

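Whole-drive Defender exclusions of this kind are rare in legitimate administration, so they are a cheap thing to audit. The following PowerShell is an added example for defenders, not code from the ReliaQuest report; it assumes the Defender cmdlets (`Get-MpPreference`, `Remove-MpPreference`) are available and that the caller can read the Defender operational event log.

```powershell
# Added example (not from the ReliaQuest report): audit Windows Defender for
# whole-drive exclusions like the ones this campaign adds, and list recent
# configuration-change events (Event ID 5007) that record when exclusions were set.
# Assumes the Defender PowerShell module is present and the caller can read the
# Microsoft-Windows-Windows Defender/Operational log.

# A bare drive root such as "C:" or "C:\" is almost never a legitimate exclusion.
$driveRootPattern = '^[A-Za-z]:\\?$'

$exclusions = @((Get-MpPreference).ExclusionPath)
$suspicious = @($exclusions | Where-Object { $_ -match $driveRootPattern })

if ($suspicious.Count -gt 0) {
    Write-Warning "Whole-drive Defender exclusions found: $($suspicious -join ', ')"
} else {
    Write-Host "No whole-drive Defender exclusions present."
}

# Event ID 5007 is logged whenever a Defender setting changes; its message
# carries the old and new value of the setting, including exclusion paths.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Message = ($_.Message -replace '\s+', ' ')
        }
    } | Format-Table -AutoSize -Wrap

# Remediation, to run deliberately after review rather than automatically:
# $suspicious | ForEach-Object { Remove-MpPreference -ExclusionPath $_ }
```

The event query gives the timestamp at which each exclusion was added, which can be correlated with the download of the fake installer during incident response.
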
Verifier application in Russian (Source – ReliaQuest)

Following this, it executes Verifier.exe, a trojanized but legitimate-looking Microsoft installer that is presented in Russian. This application then reads binary data from a Profiler.json file.

Fake Microsoft Teams website (Source – ReliaQuest)

To complete the deception, the malware installs a legitimate version of Microsoft Teams and creates a desktop shortcut, making the user believe the installation was successful while the malware operates covertly in the background.
