👤 WHITEHAWK
🗓️ 10 Dec 2025   🌍 Asia

Search Deception: How Chinese Hackers Are Hijacking Google to Spread Fake Microsoft Teams Malware

A sophisticated Chinese cyber-espionage group is poisoning search results to target Chinese-speaking professionals with malware-laced Microsoft Teams installers.

Picture this: A Chinese-speaking employee at an international firm needs Microsoft Teams. They Google “Teams download” - but the top result isn’t what it seems. With a single click, they’ve unleashed a stealthy espionage tool on their corporate network. Behind the scenes, a shadowy threat group known as Silver Fox is orchestrating this high-stakes deception, using clever search engine manipulation and linguistic misdirection to stay one step ahead of investigators.

Behind the Search: How the Attack Works

Silver Fox is not new to the world of digital deception. The group has previously weaponized search engine optimization (SEO) to spread trojanized versions of popular apps like Telegram and Chrome. Their latest scheme? Impersonating Microsoft Teams via a convincing knockoff site - teamscn[.]com - designed to fool Chinese-speaking users. The site, registered in March 2025, mimics Microsoft branding and lures victims with promises of legitimate downloads.

But the real danger begins after the download. The installer, disguised as “MSTчamsSetup.zip” (notice the sneaky Cyrillic character), contains a malicious executable. Once launched, the malware immediately checks for the presence of Qihoo 360 Total Security - a popular Chinese antivirus - suggesting the attackers have deep knowledge of their targets’ defenses.
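The mixed-script filename above is the kind of thing a download scanner or mail gateway can catch mechanically. The following is an added example, not code from the article or from any vendor: it uses Python's `unicodedata` tables to find words that mix letters from scripts whose glyphs look alike (Latin, Cyrillic, Greek), while deliberately not flagging Latin-plus-CJK names, since a Chinese-speaking user's "Teams安装.zip" is a legitimate mix. The sample filenames are constructed; the decoy one reproduces the article's "MSTчamsSetup.zip" with U+0447 in place of the Latin "e".

```python
import re
import unicodedata

# Scripts whose letters have near-identical glyphs in common fonts
# (Latin 'a' vs Cyrillic 'а', Latin 'o' vs Greek 'ο'). CJK is deliberately
# left out so a legitimate Chinese-language name such as "Teams安装.zip"
# is not flagged merely for mixing Latin and Chinese.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}

# Constructed samples (assumptions, not captured artefacts). DECOY_NAME is the
# article's installer name with U+0447 (Cyrillic small letter che) for the 'e'.
DECOY_NAME = "MST\u0447amsSetup.zip"
GENUINE_NAME = "MSTeamsSetup.zip"
CHINESE_NAME = "Teams\u5b89\u88c5.zip"   # "Teams安装.zip": Latin + CJK, legitimate


def letter_script(ch):
    """Coarse script of one character ('LATIN', 'CYRILLIC', 'CJK', ...) or None if not a letter."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_words(text):
    """Words (runs of word characters) whose letters come from two or more confusable scripts.

    Returns a list of (word, {script: [chars...]}).
    """
    findings = []
    for word in re.findall(r"\w+", text):
        by_script = {}
        for ch in word:
            script = letter_script(ch)
            if script in CONFUSABLE_SCRIPTS:
                by_script.setdefault(script, []).append(ch)
        if len(by_script) > 1:
            findings.append((word, by_script))
    return findings


def is_homoglyph_name(filename):
    """True when any word in the filename mixes confusable scripts."""
    return bool(mixed_script_words(filename))


def explain(filename):
    """One line per out-of-place character, naming its code point and Unicode name."""
    lines = []
    for word, by_script in mixed_script_words(filename):
        dominant = max(by_script, key=lambda s: len(by_script[s]))
        for script, chars in by_script.items():
            if script == dominant:
                continue
            for ch in chars:
                lines.append(
                    f"{word}: U+{ord(ch):04X} {unicodedata.name(ch)} where {dominant} expected")
    return lines


if __name__ == "__main__":
    for name in (DECOY_NAME, GENUINE_NAME, CHINESE_NAME):
        print(name, "->", "SUSPICIOUS" if is_homoglyph_name(name) else "ok")
        for line in explain(name):
            print("   ", line)
```

Running the block reports only the decoy as suspicious and names the offending character as U+0447 CYRILLIC SMALL LETTER CHE. The per-word check matters: a single filename can legitimately contain words in different scripts, but one word that switches script mid-way is almost always either a typo or a deliberate look-alike.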

To slip past security, the malware disables Windows Defender by adding broad exclusion rules for multiple drives. It then sideloads a malicious DLL into the legitimate rundll32.exe Windows process, using a technique called Binary Proxy Execution to mask its activity. The infected machine quietly connects to a command-and-control server (Ntpckj[.]com), awaiting further instructions while remaining invisible to most security tools.

Smoke and Mirrors: False Flags and Attribution

Silver Fox goes the extra mile to muddy the waters. The installer and parts of the user interface are laced with Russian language and Cyrillic script - deliberate misdirection to throw off investigators. However, forensic analysis of the infrastructure, code reuse, and targeting patterns points squarely back to China.

Who’s at Risk - and How to Fight Back

Organizations with Chinese-speaking staff, especially those with operations in China, are squarely in the crosshairs. Experts urge companies to enable detailed PowerShell and process logging, restrict software installations to trusted catalogs, and monitor for suspicious network activity - especially connections to known malicious domains.
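The three behaviours described earlier (drive-wide Defender exclusions, a DLL run through rundll32.exe, and beaconing to the named domains) map directly onto the logging this paragraph recommends. The following is an added example, not tooling from the article or from any vendor: three small detection rules run over constructed JSON log lines. It assumes PowerShell script block logging (Windows Event ID 4104) and Sysmon process-creation (Event ID 1) and DNS-query (Event ID 22) events, exported with the field names used below; the field names, host name and sample events are constructed, and the only real indicators are the two domains the article names, written here without defanging.

```python
import json
import re

# Domains the article names (defanged there as teamscn[.]com and Ntpckj[.]com).
KNOWN_BAD_DOMAINS = {"teamscn.com", "ntpckj.com"}

# Paths an unprivileged user can write to. A DLL loaded by rundll32 from one of
# these is not proof of compromise, but it is where a dropped payload usually lives.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\|\\downloads\\)", re.I)

# Add-MpPreference -ExclusionPath aimed at a drive root ("C:\", D:\ ...), i.e. the
# "broad exclusion rules for multiple drives" the article describes.
DRIVE_ROOT_EXCLUSION = re.compile(
    r"add-mppreference\s.*-exclusionpath\s+['\"]?[A-Z]:\\", re.I)
DRIVE_ROOT = re.compile(r"([A-Z]):\\", re.I)


def check_powershell(ev):
    """PowerShell script block logging (Event ID 4104)."""
    text = ev.get("ScriptBlockText", "")
    if DRIVE_ROOT_EXCLUSION.search(text):
        roots = sorted({m.upper() for m in DRIVE_ROOT.findall(text)})
        return f"Defender exclusion added for whole drive(s) {roots}"
    return None


def check_process(ev):
    """Sysmon process creation (Event ID 1)."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if image.endswith("\\rundll32.exe") and USER_WRITABLE.search(cmd):
        return f"rundll32 loading a DLL from a user-writable path: {cmd}"
    return None


def check_dns(ev):
    """Sysmon DNS query (Event ID 22); matches the domain and any subdomain of it."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    if any(q == d or q.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
        return f"DNS query for known-bad domain {q} by {ev.get('Image')}"
    return None


RULES = {4104: check_powershell, 1: check_process, 22: check_dns}


def scan(lines):
    """Run the matching rule over each JSON log line; return (event_id, host, message) per hit."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        rule = RULES.get(ev.get("EventID"))
        hit = rule(ev) if rule else None
        if hit:
            alerts.append((ev["EventID"], ev.get("Host"), hit))
    return alerts


# Constructed sample events (not real telemetry): one benign and one suspicious per source.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 4104, "Host": "WS-017", "ScriptBlockText": "Get-Date; Get-MpPreference"},
    {"EventID": 4104, "Host": "WS-017",
     "ScriptBlockText": 'Add-MpPreference -ExclusionPath "C:\\", "D:\\", "E:\\"'},
    {"EventID": 1, "Host": "WS-017", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"EventID": 1, "Host": "WS-017", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll,Start"},
    {"EventID": 22, "Host": "WS-017", "Image": "C:\\Program Files\\Microsoft\\Teams\\Teams.exe",
     "QueryName": "teams.microsoft.com"},
    {"EventID": 22, "Host": "WS-017", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "QueryName": "ntpckj.com"},
]]

if __name__ == "__main__":
    for event_id, host, msg in scan(SAMPLE_LOG):
        print(f"[{host}] event {event_id}: {msg}")
```

Run stand-alone, the block raises exactly three alerts, one per rule, and stays silent on the benign events. The rundll32 rule is intentionally narrow (system DLLs from System32 pass), because rundll32 is used legitimately all day; the exclusion rule keys on drive roots rather than on any `Add-MpPreference` call, since administrators do add narrow exclusions for good reasons. Either rule on its own is a lead; all three firing on one host within minutes of a Teams "download" is the chain the article describes.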

For multinational firms, the lesson is clear: Security strategies must be tailored to local threats and languages. Silver Fox’s campaign is a stark reminder that the world’s most dangerous hackers are now optimizing for search engines - and for their victims’ native tongues.

As the line between cybercrime and state espionage blurs, vigilance at the search bar may be the last line of defense. In a world where even your downloads can’t be trusted, who’s really behind that “Download Now” button?

WIKICROOK: Glossary

SEO Poisoning
The manipulation of search engine rankings to promote malicious or fraudulent websites, making them appear legitimate to unsuspecting users.
Typosquatting
The practice of registering deceptive domain names that mimic legitimate brands, often by swapping or adding characters, to trick users.
Binary Proxy Execution
A technique where malware runs under the guise of a trusted Windows process (like rundll32.exe) to evade detection by security tools.
ValleyRAT
A remote access trojan (RAT) used to take control of infected systems, steal data, and execute further malicious activities.
Command-and-Control (C2) Server
A remote server used by attackers to communicate with and control malware deployed on victim machines.
Tags: Chinese Hackers, Microsoft Teams, Cyber Espionage

WHITEHAWK, Cyber Intelligence Strategist