Hackers have been caught running a deceptive campaign that uses fake Microsoft Teams download websites to trick users into installing ValleyRAT, a remote access trojan capable of stealing data, logging keystrokes, and taking remote control of infected machines.
The campaign, which first surfaced in mid-April 2026, targets unsuspecting users who believe they are downloading the legitimate collaboration software.
The threat actors built lookalike websites that closely imitate the official Microsoft Teams download page. These fraudulent sites were shared openly on the X platform, giving the campaign a wide initial reach.
Visitors are presented with what appears to be a genuine download button, leading them to retrieve a zip archive that contains a weaponized installer.
Researchers at K7 Security Labs, who identified and analyzed this campaign, found that the delivered payload uses a DLL sideloading chain: a legitimate Tencent executable, GameBox.exe, is made to load the attacker's DLL from its own directory in place of the library it expects, so the malicious code runs under the name of a trusted program.
The analysis uncovered Chinese language artifacts embedded within the fake sites and supporting log data, strongly suggesting the threat activity originates from China.
The researchers also linked the campaign to the SilverFox APT group.
What makes this campaign especially dangerous is how well it masks its true intent.
Once the installer runs, it quietly drops malicious components in the background while simultaneously installing a real copy of Microsoft Teams on the victim’s device, even placing a desktop shortcut to avoid raising any alarms.
Killchain (Source – K7 Security Labs)
The victim walks away thinking they just installed a legitimate app, with no idea that a fully operational trojan is now running on their system.
K7 Security Labs said in a report shared with Cyber Security News that this campaign reflects a well-structured intrusion chain combining social engineering with advanced post-exploitation capabilities, making it particularly effective against unsuspecting users.
Fake Microsoft Teams Downloads
The infection chain begins the moment a user visits one of the fraudulent domains, such as teams-securecall[.]com and teamszs[.]com.
After downloading and extracting the zip file, the victim runs what looks like the Teams setup program but is in fact a malicious NSIS-based installer.
Dropped Files (Source – K7 Security Labs)
Instead of simply installing software, this installer silently drops a loader, a malicious DLL called utility.dll, and several supporting files across the system.
To stay hidden, the malware runs PowerShell commands that modify Windows Defender settings, adding exclusions for both its working folder and the malicious DLL so that neither is ever scanned.
It also applies hidden and system file attributes to its copied files, so they do not appear in a default Explorer or dir listing. A service named _CCGDAT is then created so that the malware starts automatically every time the system boots.
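The three host artifacts just described (Defender exclusions, hidden/system attributes, and a new auto-start service) each leave a Windows event behind. As an added example, not code from K7 Security Labs or the article, the following Python script runs detection logic over a few constructed event records: PowerShell script-block logs (event 4104) that contain Add-MpPreference exclusions or attrib +h +s, Defender configuration-change events (5007) whose new value lands under the Exclusions key, and Service Control Manager 7045 service-install events. The service name _CCGDAT and the file names utility.dll, user.dat and GameBox.exe are the ones reported; the working folder C:\ProgramData\TeamsUpdate is an assumption (the report does not name one), as is the assumption that the service points at the sideloading host GameBox.exe.

```python
import re
from dataclasses import dataclass

# Constructed sample events, not telemetry from the campaign. The message text
# follows the wording Windows uses for these event IDs. C:\ProgramData\TeamsUpdate
# is an assumed working folder (the report does not name it); _CCGDAT, utility.dll,
# user.dat and GameBox.exe are the names from the K7 write-up.
WORKDIR = r"C:\ProgramData\TeamsUpdate"
SAMPLE_EVENTS = [
    {"source": "Microsoft-Windows-PowerShell", "id": 4104,
     "message": "Creating Scriptblock text (1 of 1): "
                f"Add-MpPreference -ExclusionPath '{WORKDIR}'; "
                f"Add-MpPreference -ExclusionPath '{WORKDIR}\\utility.dll'"},
    {"source": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": "Windows Defender Antivirus Configuration has changed. If this is an "
                "unexpected event you should review the settings as this may be the "
                "result of malware. Old value:  New value: HKLM\\SOFTWARE\\Microsoft\\"
                f"Windows Defender\\Exclusions\\Paths\\{WORKDIR} = 0x0"},
    {"source": "Microsoft-Windows-PowerShell", "id": 4104,
     "message": f"Creating Scriptblock text (1 of 1): attrib +h +s '{WORKDIR}\\user.dat'"},
    {"source": "Service Control Manager", "id": 7045,
     "message": "A service was installed in the system. Service Name: _CCGDAT "
                f"Service File Name: {WORKDIR}\\GameBox.exe Service Type: user mode "
                "service Start Type: auto start Service Account: LocalSystem"},
    # Benign noise that must not fire.
    {"source": "Service Control Manager", "id": 7045,
     "message": "A service was installed in the system. Service Name: Spooler "
                "Service File Name: C:\\Windows\\System32\\spoolsv.exe Service Type: "
                "user mode service Start Type: auto start Service Account: LocalSystem"},
    {"source": "Microsoft-Windows-PowerShell", "id": 4104,
     "message": "Creating Scriptblock text (1 of 1): Get-ChildItem C:\\Users"},
]

EXCLUSION_CMD = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+'?([^'\s;]+)", re.I)
EXCLUSION_5007 = re.compile(
    r"Exclusions\\(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0", re.I)
SERVICE_7045 = re.compile(
    r"Service Name:\s*(\S+)\s+Service File Name:\s*(.+?)\s+Service Type:", re.I | re.S)
ATTRIB_HIDE = re.compile(r"\battrib\b(?=.*\+h)(?=.*\+s)", re.I)
# Directories an installer running as the user can write to; System32 is not one.
USER_WRITABLE = re.compile(r"^(C:\\ProgramData\\|C:\\Users\\|.*\\Temp\\)", re.I)
SUSPECT_SERVICE_NAMES = {"_CCGDAT"}


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str
    path: str   # filesystem path involved (lower-cased), used for correlation


def detect(events):
    """Apply the per-event rules and return findings in event order."""
    findings = []
    for ev in events:
        eid, msg = ev["id"], ev["message"]
        if eid == 4104:  # PowerShell script block text
            for kind, target in EXCLUSION_CMD.findall(msg):
                findings.append(Finding("defender_exclusion_cmd", eid,
                                        f"-Exclusion{kind} {target}", target.lower()))
            if ATTRIB_HIDE.search(msg):
                findings.append(Finding("attrib_hidden_system", eid, msg, ""))
        elif eid == 5007:  # Defender configuration changed
            m = EXCLUSION_5007.search(msg)
            if m:
                findings.append(Finding("defender_exclusion_added", eid,
                                        m.group(2), m.group(2).lower()))
        elif eid == 7045:  # new service installed
            m = SERVICE_7045.search(msg)
            if m:
                name, binary = m.group(1), m.group(2).strip()
                if name in SUSPECT_SERVICE_NAMES or USER_WRITABLE.match(binary):
                    findings.append(Finding("suspicious_service_install", eid,
                                            f"{name} -> {binary}", binary.lower()))
    return findings


def correlate(findings):
    """Service binaries installed from a directory this host also excluded from Defender.
    Either signal alone is noisy (admins add exclusions, installers add services);
    both together on one host is the pattern described in the report."""
    excluded = [f.path.rstrip("\\") for f in findings
                if f.rule.startswith("defender_exclusion") and f.path]
    return [f.detail for f in findings if f.rule == "suspicious_service_install"
            and any(f.path == e or f.path.startswith(e + "\\") for e in excluded)]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
    print("correlated:", correlate(found))
```

Event 4104 requires PowerShell script block logging to be enabled; without it, the 5007 event is still written by Defender itself and is the more reliable of the two exclusion signals.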
The core payload, a file called user.dat, is stored in an AES-encrypted form and decrypted entirely in memory at runtime, never touching the disk in its final form.
The malware then injects that shellcode into its own running process to load ValleyRAT. Rather than importing Windows functions by name, it stores hashes of the API names it needs and resolves them dynamically at runtime, so neither the import table nor the string list reveals what it is about to do.
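API hashing hides the function names from static analysis, but the hashes themselves are constants that an analyst can precompute and match. The report does not say which hash function this loader uses; the Python below, an added example and not code from the article or from K7 Security Labs, uses the ROR-13 variant common in shellcode purely for illustration. It shows both sides: the loader-side lookup (hash every export name until one matches) and the analyst-side scan of a decrypted blob for 32-bit constants that equal a known hash. The export list and the sample blob are constructed, not taken from the campaign.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, n: int) -> int:
    """Rotate a 32-bit value right by n bits."""
    return ((value >> n) | (value << (32 - n))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR-13 hash of an export name (rotate the running value, then add each byte).
    Illustrative choice: the campaign's actual algorithm is not given in the report."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed stand-in for a DLL export table. A real resolver walks the export
# directory of the module in memory; here the names are simply a list.
KERNEL32_EXPORTS = ["CloseHandle", "CreateThread", "GetProcAddress", "LoadLibraryA",
                    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "Sleep"]


def build_table(exports):
    """Precomputed hash -> name map, the analyst's equivalent of the loader's loop."""
    return {ror13_hash(n): n for n in exports}


HASH_TABLE = build_table(KERNEL32_EXPORTS)


def resolve(target_hash: int, table=HASH_TABLE):
    """What the loader does at run time: hash each export name, stop on a match."""
    return table.get(target_hash)


def find_hash_constants(blob: bytes, table=HASH_TABLE):
    """Scan a decrypted blob at every byte offset for a little-endian 32-bit value
    that equals a known hash; each hit names an API the loader never spells out."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed sample: filler bytes around two packed hashes (not shellcode from the campaign).
SAMPLE_BLOB = (b"\x55\x8b\xec" + struct.pack("<I", ror13_hash("VirtualAlloc"))
               + b"\x90\x90" + struct.pack("<I", ror13_hash("CreateThread")) + b"\xc3")


if __name__ == "__main__":
    for name in KERNEL32_EXPORTS:
        print(f"{ror13_hash(name):08x}  {name}")
    print(find_hash_constants(SAMPLE_BLOB))
```

In practice the table is built from the full export lists of the DLLs the loader is likely to use (kernel32, ntdll, ws2_32), and the scan is run over the memory-dumped payload rather than the encrypted file, since the constants only exist in the decrypted stage.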
ValleyRAT’s Spying Capabilities and Network Activity
Once active, ValleyRAT monitors the clipboard in real time using a Windows API call, targeting sensitive data such as copied passwords, cryptocurrency wallet addresses, and other private information.
It also logs keystrokes and stores that collected data locally before sending it back to the attacker’s command and control server.
The third-stage payload is fetched live from the C2 server in an XOR-encrypted format and decrypted in memory.
Since this payload is pulled dynamically, the threat actor can swap it out at any time, giving them flexibility to shift tactics or deploy entirely different tools.
Log file contents (Source – K7 Security Labs)
This design also means the attack remains effective even if individual components are flagged and blocked.
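Because the third stage is XOR-encrypted in transit, an analyst who captures it from the wire needs the key before the swapped-in payload can be examined. As an added example, not code from the article or from K7 Security Labs, the Python below recovers a repeating-key XOR key from known plaintext and validates it structurally. It assumes the decrypted stage is a PE file (so the standard DOS header bytes serve as known plaintext); the report does not state the payload format or the key length, and the key, the payload and the sample are all constructed for this illustration.

```python
from itertools import cycle

# Standard first 16 bytes of a DOS header (e_magic through e_maxalloc as most linkers
# emit them). Used as known plaintext; an assumption about the stage's format, not a
# fact from the report.
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def is_pe(data: bytes) -> bool:
    """Cheap structural check: MZ magic and e_lfanew pointing at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """With key_len bytes of known plaintext the key is simply blob XOR plaintext."""
    if key_len < 1 or key_len > len(known_prefix) or key_len > len(blob):
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def brute_key_len(blob: bytes, known_prefix: bytes = DOS_HEADER_PREFIX, max_len: int = 16):
    """Try each key length in turn: derive a candidate from the known prefix and keep
    the first one whose full decryption passes the PE check. The prefix alone proves
    nothing, since every candidate reproduces it by construction; e_lfanew and the
    PE signature sit far enough into the file to expose a wrong length."""
    for n in range(1, min(max_len, len(known_prefix)) + 1):
        key = recover_key(blob, known_prefix, n)
        if is_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in for a third stage: minimal DOS header plus PE signature."""
    img = bytearray(size)
    img[0:16] = DOS_HEADER_PREFIX
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew
    stub = b"This program cannot be run in DOS mode."
    img[0x4E:0x4E + len(stub)] = stub
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


if __name__ == "__main__":
    # Constructed 7-byte key; the real key is whatever the C2 and loader agree on.
    key = b"\x5a\x13\xc0\x7e\x21\x99\x4f"
    wire = xor_bytes(build_fake_pe(), key)
    print("recovered key:", brute_key_len(wire).hex())
```

If the stage turns out to be raw shellcode rather than a PE, the same approach works with a different known prefix (for example the first bytes of a loader stub seen in an earlier sample) and a different validity check, such as a disassembly that decodes cleanly.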
To protect against this type of threat, users should always download software directly from official vendor websites and avoid links shared on social media.
Organizations should enforce application allowlisting, monitor for unexpected PowerShell activity, and keep endpoint detection tools updated to catch behavioral threats.
Verifying the digital signature of any installer before running it can also help prevent trojanized packages from executing.
Indicators of Compromise (IoCs):

Type | Indicator | Description
File Hash (MD5) | 709604CE58E3F8255587AC9253DB6994 | 98653.2.87.teamsx.zip, detected as Trojan (006ddd9e1)
File Hash (MD5) | 18F3E85D7237E3CAC0AD13BDCF513F0F | Utility.dll, detected as Trojan (006ddd9e1)
File Hash (MD5) | 8F9DE887E9AED9D580F386BA2D191319 | User.dat, detected as Trojan (0001140e1)
Domain | teams-securecall[.]com | Fake Microsoft Teams distribution site
Domain | teamszs[.]com | Fake Microsoft Teams distribution site
IP Address | 103[.]215[.]77[.]17 | ValleyRAT Command and Control (C2) server
File Name | 98653.2.87.teamsx.zip | Trojanized zip archive delivered to victims
File Name | Utility.dll | Malicious DLL used in the sideloading chain
File Name | User.dat | AES-encrypted shellcode payload
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware appeared first on Cyber Security News.