Fake Microsoft Teams Downloads Deploy ValleyRAT Malware

By Sarah Simpson
May 21, 2026

Threat actors are actively deploying a deceptive campaign that leverages fake Microsoft Teams download websites to trick users into installing

Table Of Content

  • Fake Microsoft Teams Downloads
  • ValleyRAT’s Spying Capabilities and Network Activity
  • Indicators of Compromise (IoCs)

The threat actors built lookalike websites that closely imitate the official Microsoft Teams download page. These fraudulent sites were shared openly on the X platform, giving the campaign a wide initial reach.

Visitors are presented with what appears to be a genuine download button, leading them to retrieve a zip archive that contains a weaponized installer.

Researchers at K7 Security Labs, who identified and analyzed this campaign, found that the delivered payload leverages a DLL sideloading chain through a legitimate Tencent executable known as GameBox.exe.

The analysis uncovered Chinese language artifacts embedded within the fake sites and supporting log data, strongly suggesting the threat activity originates from China.

The researchers also linked the campaign to the SilverFox APT group. What makes this campaign especially dangerous is how well it masks its true intent.

Once the installer runs, it quietly drops malicious components in the background while simultaneously installing a real copy of Microsoft Teams on the victim’s device, even placing a desktop shortcut to avoid raising any alarms.

Killchain (Source: K7 Security Labs)

The victim walks away thinking they just installed a legitimate app, with no idea that a fully operational trojan is now running on their system.

K7 Security Labs said in a report shared with Cyber Security News that this campaign reflects a well-structured intrusion chain combining social engineering with advanced post-exploitation capabilities, making it particularly effective against unsuspecting users.

Fake Microsoft Teams Downloads

The infection chain begins the moment a user visits one of the fraudulent domains, such as teams-securecall[.]com and teamszs[.]com.

Upon downloading and extracting the zip file, the victim unknowingly triggers a malicious NSIS-based installer.

Dropped Files (Source: K7 Security Labs)

Instead of simply installing software, this installer silently drops a loader, a malicious DLL called utility.dll, and several supporting files across the system.

To stay hidden, the malware runs PowerShell commands that modify Windows Defender settings, adding exclusions for both its working folder and the malicious DLL file.

It also hides its copied files using system-level attribute changes, making them invisible during casual inspection. A service named _CCGDAT is then created to ensure the malware restarts automatically every time the system boots.
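The three behaviours just described (Defender exclusions added from PowerShell, files hidden through attribute changes, and a new auto-start service) are individually common but rarely occur together on one host within minutes. The following is an added detection example, not code from the K7 report; it runs over constructed endpoint log lines in an assumed "timestamp|host|event_id|message" format and flags a host only when several stages of the chain cluster in a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the K7 report). Format: "timestamp|host|event_id|message".
# Event IDs follow Windows conventions: 4104 PowerShell script block, 5007 Defender config
# change, 4688 process creation, 7045 new service installed.
SAMPLE_EVENTS = """\
2026-05-21T10:02:11|WS-17|4104|Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Teams\\' -ExclusionExtension '.dll'
2026-05-21T10:02:12|WS-17|5007|HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\Teams\\ = 0x0
2026-05-21T10:02:14|WS-17|4688|attrib.exe +h +s C:\\ProgramData\\Teams\\utility.dll
2026-05-21T10:02:20|WS-17|7045|A service was installed in the system. Service Name: _CCGDAT
2026-05-21T11:40:03|WS-22|4104|Get-MpPreference
2026-05-21T11:40:05|WS-22|7045|A service was installed in the system. Service Name: UpdaterSvc
"""

# One regex per stage of the installer behaviour the article describes.
STAGES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion|Defender\\Exclusions\\", re.I),
    "hidden_attributes": re.compile(r"\battrib(\.exe)?\s+(\+[hs]\s+){1,2}", re.I),
    "service_persist": re.compile(r"Service Name:\s*\S+", re.I),
    "known_service_ccgdat": re.compile(r"Service Name:\s*_CCGDAT\b"),  # service name from the report
}

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, host, eid, msg = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, eid, msg))
    return events

def find_suspicious_hosts(text, window=timedelta(minutes=10), min_stages=2):
    """Return {host: sorted stage names} for each host on which at least `min_stages`
    distinct stages occur within `window` of one another. A lone service install or a
    lone exclusion (WS-22 above) stays below the threshold and is not reported."""
    by_host = {}
    for ts, host, _eid, msg in parse_events(text):
        for name, rx in STAGES.items():
            if rx.search(msg):
                by_host.setdefault(host, []).append((ts, name))
    hits = {}
    for host, seen in by_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            stages = {n for t, n in seen[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits

if __name__ == "__main__":
    for host, stages in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```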

The core payload, a file called user.dat, is stored in an AES-encrypted form and decrypted entirely in memory at runtime, never touching the disk in its final form.

The malware then uses shellcode injection to load ValleyRAT directly into the current running process, and employs API hashing to resolve Windows functions dynamically, making it harder for security tools to detect what it is doing.

ValleyRAT’s Spying Capabilities and Network Activity

Once active, ValleyRAT monitors the clipboard in real time using a Windows API call, targeting sensitive data such as copied passwords, cryptocurrency wallet addresses, and other private information.

It also logs keystrokes and stores that collected data locally before sending it back to the attacker’s command and control server.

The third-stage payload is fetched live from the C2 server in an XOR-encrypted format and decrypted in memory.

Since this payload is pulled dynamically, the threat actor can swap it out at any time, giving them flexibility to shift tactics or deploy entirely different tools.

Log file contents (Source: K7 Security Labs)

This design also means the attack remains effective even if individual components are flagged and blocked.

To protect against this type of threat, users should always download software directly from official vendor websites and avoid links shared on social media.

Organizations should enforce application allowlisting, monitor for unexpected PowerShell activity, and keep endpoint detection tools updated to catch behavioral threats.

Verifying the digital signature of any installer before running it can also help prevent trojanized packages from executing.

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
| --- | --- | --- |
| File Hash (MD5) | 709604CE58E3F8255587AC9253DB6994 | 98653.2.87.teamsx.zip — Trojan (006ddd9e1) |
| File Hash (MD5) | 18F3E85D7237E3CAC0AD13BDCF513F0F | Utility.dll — Trojan (006ddd9e1) |
| File Hash (MD5) | 8F9DE887E9AED9D580F386BA2D191319 | User.dat — Trojan (0001140e1) |
| Domain | teams-securecall[.]com | Fake Microsoft Teams distribution site |
| Domain | teamszs[.]com | Fake Microsoft Teams distribution site |
| IP Address | 103[.]215[.]77[.]17 | ValleyRAT Command and Control (C2) server |
| File Name | 98653.2.87.teamsx.zip | Trojanized zip archive delivered to victims |
| File Name | Utility.dll | Malicious DLL used in sideloading chain |
| File Name | User.dat | AES-encrypted shellcode payload |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
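When the defanged domains and IP above are loaded into a hunting script, two details matter: the "[.]" must be reversed only inside the matcher, and the IP must match as a whole address (103.215.77.17 is not 103.215.77.170). The following added example (not part of the report) does that over constructed proxy/DNS log lines and reports hits using the defanged form so the output stays safe to share.

```python
import re

# IoC rows as published in the article's table (defanged form kept as the report key).
PAGE_IOCS = [
    ("domain", "teams-securecall[.]com"),
    ("domain", "teamszs[.]com"),
    ("ip", "103[.]215[.]77[.]17"),
]

# Constructed proxy/DNS log lines (not from the report): "timestamp host kind target".
SAMPLE_LOG = """\
2026-05-21T09:58:40 WS-17 dns teams-securecall.com
2026-05-21T09:58:41 WS-17 http https://teams-securecall.com/download/98653.2.87.teamsx.zip
2026-05-21T10:01:55 WS-17 tcp 103.215.77.17:443
2026-05-21T10:05:02 WS-22 dns teams.microsoft.com
2026-05-21T10:06:10 WS-22 tcp 103.215.77.170:443
"""

def refang(ioc):
    """Turn the published '[.]' form back into the live form, for matching only."""
    return ioc.replace("[.]", ".")

def compile_iocs(iocs):
    patterns = []
    for kind, raw in iocs:
        live = re.escape(refang(raw))
        if kind == "domain":   # whole label only; subdomains of the IoC still match
            rx = re.compile(r"(?<![\w-])" + live + r"(?![\w-])", re.I)
        else:                  # ip: 103.215.77.17 must not match 103.215.77.170
            rx = re.compile(r"(?<![\d.])" + live + r"(?![\d.])")
        patterns.append((raw, rx))
    return patterns

def match_log(log, iocs):
    """Return [(host, defanged_ioc)] so the report never carries live indicators."""
    patterns = compile_iocs(iocs)
    hits = []
    for line in log.splitlines():
        host = line.split()[1]
        hits.extend((host, raw) for raw, rx in patterns if rx.search(line))
    return hits

if __name__ == "__main__":
    for host, ioc in match_log(SAMPLE_LOG, PAGE_IOCS):
        print(host, "contacted", ioc)
```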
