Listen to this Post

Introduction:
The trusted Microsoft Teams brand is being weaponized in a sophisticated new cyber campaign distributing ValleyRAT, a modular remote-access trojan. Attackers employ fraudulent domains, DLL sideloading via legitimate Tencent software, and multi-stage in-memory execution to bypass traditional security defenses and maintain persistent access.
Learning Objectives:
- Detect and block fraudulent Microsoft Teams lookalike domains and NSIS-based trojanized installers
- Analyze the complete ValleyRAT infection chain, from initial download to final payload decryption
- Implement hands-on detection rules and mitigation strategies for DLL sideloading attacks and PowerShell-based defense tampering
You Should Know:
- Full Infection Chain of the ValleyRAT Microsoft Teams Impersonation Campaign
This campaign begins when a user visits a fraudulent domain like `teams-securecall[.]com` or teamszs[.]com, which perfectly clones the official Microsoft Teams download page. Victims are tricked into downloading a ZIP archive (e.g., 98653.2.87.teamsx.zip, 571.0.2.6.8.97teamsxb.zip). The malicious NSIS-based installer (98653.2.87.teamsx.exe) within this archive executes a multi-stage infection while simultaneously installing the legitimate Teams software to maintain a deceptive appearance.
- Stage 1 – Defense Tampering: The malware runs PowerShell commands to disable Windows Defender by adding exclusions for its working directory and malicious DLL. To protect your environment, security teams can audit Windows Defender exclusions with the following command:
Step‑by‑Step Guide to Audit Defender Exclusions:
Audit existing Windows Defender exclusions for suspicious paths Get-MpPreference | Select-Object -ExpandProperty ExclusionPath Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess Remove suspicious exclusions Remove-MpPreference -ExclusionPath "C:\ProgramData\client" -ErrorAction SilentlyContinue Remove-MpPreference -ExclusionProcess "Utility.dll" -ErrorAction SilentlyContinue
- Stage 2 – DLL Sideloading: After disabling defenses, the malware deploys a legitimate Tencent binary,
GameBox.exe, abusing it to side-load a maliciousUtility.dll. The trojan dropper also calls `SetFileAttributes` with a value of7, making the malicious folder hidden. -
Stage 3 – Persistence & Payload Decryption: `Utility.dll` creates a service named `_CCGDAT` configured to auto-start at boot. The final payload (
user.dat) is AES-encrypted and only decrypted in memory, bypassing disk-based scanners. The final ValleyRAT connects to a C2 server (observed atydbao4.cyou:9000) and provides full remote control capabilities.
2. Multi-Stage Defense Evasion and Bypass Tactics
The Silver Fox APT group has architected ValleyRAT with overlapping evasive techniques that systematically dismantle security controls. Understanding these tactics is essential for building effective detection.
- Bring Your Own Vulnerable Driver (BYOVD): The malware deploys a legitimate but vulnerable driver signed by a trusted vendor. This driver abuses kernel access to disable endpoint detection and response (EDR) tools.
-
PowerShell-Based Tampering: The malware uses encoded PowerShell commands to bypass script logging. The following example simulates how a malicious actor might attempt to add an exclusion, which can be used to detect similar behavior:
Malicious commands observed in the wild: powershell -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\client'" powershell -Command "Add-MpPreference -ExclusionProcess 'Utility.dll'"
- API Hashing: Instead of storing readable Windows API names, the malware resolves needed functions by dynamically computing hashes of API names.
-
Geofencing: The malware checks the system’s country code in the registry, likely to avoid activating on systems located in regions it does not target.
3. Registry Modifications and Forensic Analysis
ValleyRAT persistently stores its configuration in the Windows registry, providing valuable forensic artifacts for hunters. The malware uses multiple registry keys to store C2 server information and maintain persistence.
Critical Registry Keys to Monitor:
Audit for ValleyRAT registry modifications Get-ItemProperty -Path "HKCU:\SOFTWARE\IpDates_info" -ErrorAction SilentlyContinue Get-ItemProperty -Path "HKCU:\Console\0\451b464b7a6c2ced348c1866b59c362e" -ErrorAction SilentlyContinue Monitor for .pwn file association creation (ValleyRAT TTP) reg query HKCR.pwn
The malware is also known to create or alter registry entries to associate `.pwn` files with malicious processes. Security teams can deploy the following Splunk query to detect these modifications:
index=windows RegistryPath=\Software\IpDates_info OR RegistryPath=\Console\451b464b | table _time, host, RegistryPath, RegistryValueData
4. Hands-On Detection Engineering and Network Hardening
To proactively detect and block this threat, security teams must implement multiple defensive layers.
Network Blocking:
Add malicious domains to DNS blocklist echo "0.0.0.0 teams-securecall.com" >> /etc/hosts echo "0.0.0.0 teamszs.com" >> /etc/hosts echo "0.0.0.0 ydbao4.cyou" >> /etc/hosts Block outbound C2 communication with iptables iptables -A OUTPUT -d teams-securecall.com -j DROP
Windows Firewall Rules:
Block known malicious IPs and domains New-NetFirewallRule -DisplayName "Block ValleyRAT Domain" -Direction Outbound -RemoteAddress "teams-securecall.com","teamszs.com" -Action Block
Sysmon Configuration for DLL Sideloading Detection: Monitor for trusted signed binaries loading unsigned or unusual DLLs, particularly from non-standard paths like C:\ProgramData\. Implement custom detection rules for child processes of `GameBox.exe` and PowerShell commands containing Add-MpPreference.
5. ValleyRAT Payload Analysis and Memory Forensics
Because ValleyRAT executes its final payload in memory without writing a malicious binary to disk, memory forensics is critical for detection.
Detecting In-Memory Payloads:
Use Volatility3 to dump suspicious process memory vol3 -f memory.dump windows.malfind.Malfind Extract PowerShell command line arguments from memory vol3 -f memory.dump windows.cmdline.CmdLine
The malware uses reflective loading techniques to inject shellcode directly into active processes. Use the following PowerShell snippet to detect anomalous memory protection flags:
Get-Process | ForEach-Object {
$<em>.Modules | Where-Object {
$</em>.ModuleName -eq "Utility.dll" -and
$_.FileName -notlike "Windows"
}
}
What Undercode Say:
- Key Takeaway 1 – The Silver Fox APT is shifting toward hybrid social engineering: By combining lookalike web domains, dual-layer legitimacy with real Teams software, and advanced in-memory evasion, attackers have reduced reliance on zero-days, instead weaponizing user trust in familiar brands.
- Key Takeaway 2 – Traditional endpoint security is failing against ValleyRAT: The malware’s chain of DLL sideloading, PowerShell-driven defense tampering, and AES-encrypted shellcode decrypted only in memory demonstrates the urgent need for behavior-based detection, memory forensics, and proactive hunting for living-off-the-land binaries (LOLBins). Organizations must immediately audit their Windows Defender exclusions, monitor for legitimate binaries loading unsigned DLLs, and restrict PowerShell execution policies.
Prediction:
The ValleyRAT campaign signals a broader evolution in APT tradecraft: attackers will increasingly converge social engineering, legitimate software ecosystems, and living-off-the-land techniques to bypass defenses without burning zero-day exploits. Expect “brandjacking” of other popular communication platforms like Zoom, Slack, and Google Meet in future waves. Short-term, the Silver Fox group will likely deploy updated variants with even more aggressive anti-debugging and geofencing, while long-term, security vendors will be forced to shift from static detection to real-time behavior analysis and kernel-level telemetry to counter in-memory-only threats. Organizations that fail to adopt memory forensics and strict application whitelisting will remain highly vulnerable.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


