Cybercriminals Abuse Microsoft Teams Brand To Spread ValleyRAT
ID: c3ad0d36-db0e-5c2d-a623-9221b7c5f0fd
STIX ID: report--c3ad0d36-db0e-5c2d-a623-9221b7c5f0fd
Feed Name: Cyber Press
The report describes a sophisticated, active campaign that uses fake Microsoft Teams download pages to deliver ValleyRAT. The installer drops a trojanized payload and a legitimate Teams installer to avoid suspicion, performs DLL sideloading (using GameBox.exe to load Utility.dll), disables Windows Defender exclusions via PowerShell, decrypts payloads in-memory, resolves APIs via hashing, and contacts C2 to fetch an XOR-encrypted ValleyRAT module that steals clipboard data. The write-up includes attribution to a China-linked APT (SilverFox) and provides file-based IoCs (file names and MD5 hashes).
