Silver Fox Spreads Fake Teams Malware

False Flag Operations in China

Silver Fox continues to expand its malware activity across China, and researchers warn that the threat actor is attempting to confuse attribution by imitating a Russian group. The operation uses search-engine manipulation and social engineering to push a fake messaging installer.

The attackers rely on a modified loader for ValleyRAT, also known as Winos 4.0. This loader includes Cyrillic elements that intentionally mislead analysts. However, the malware still aligns with tools previously linked to Chinese cybercrime networks.

SEO Poisoning With Fake Messaging Tools

The campaign uses SEO poisoning to push users toward a fraudulent download page. The page displays a fake installer for a popular communication platform. Once users click the link, they unknowingly retrieve a ZIP file from a cloud storage address.

Inside the archive, a trojanized Setup.exe pretends to install legitimate software. It immediately scans for security programs and adjusts antivirus exclusions, clearing a safer path for its next components.

Malware Components and Stealth Techniques

The installer places multiple files across different system folders. It writes JSON, XML, and DLL files to support the final payload. Then it loads part of its malicious code into a legitimate Windows process. As a result, the malware avoids drawing attention.

In the final stage, the malware connects to an external command server. It then fetches the main ValleyRAT payload, which grants remote access and data theft abilities. The report states that the attackers aim to gather intelligence and commit fraud for financial gain.

Additional ValleyRAT Delivery Chains

Another report describes a separate ValleyRAT infection path using a trojanized installer for a messaging app. This method triggers a multi-stage chain that uses a vulnerable driver to disable security tools. Meanwhile, victims still see a normal installer window on their screens.

A second-stage orchestrator deploys more components and sets persistence via scheduled tasks. It alters permissions and loads drivers that help hide its presence. Furthermore, it executes ValleyRAT alongside tools that bypass User Account Control (UAC).

Job Seekers Targeted Through Fake Documents

A newer campaign targets job seekers with malicious document files. Attackers send ZIP attachments containing a renamed PDF reader. The disguised file sideloads a harmful DLL that opens a decoy document while launching hidden code.

This code downloads a Python script that loads ValleyRAT through .NET reflection. In this way, the attackers exploit the emotional vulnerability of people looking for work. The report notes that these tactics misuse trusted software to increase victim trust.

How to Prevent These Attacks

Users should verify download sources and avoid software installers delivered through search results or email attachments. They should also enable continuous endpoint monitoring and automated threat detection. These protections can block malicious DLL sideloading, detect abnormal driver activity, and stop remote-access payloads before they gain control.
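The behaviours described across this article (antivirus exclusions being modified by a downloaded installer, drivers loaded from unusual locations, scheduled-task persistence, and DLL sideloading from a user-writable folder) are the kind of signals endpoint monitoring is meant to catch. The following detector is an added example, not code from the original article or from any of the reports it summarises. It runs over a handful of constructed log lines whose field layout is an assumption loosely modelled on Sysmon, Windows Security and Defender operational events; the rule names and thresholds are likewise hypothetical.

```python
"""Hypothetical endpoint-telemetry rules for the ValleyRAT-style behaviours
described in the article. Log format and field names are assumptions, not a
real product's schema. Sample lines below are constructed, not real telemetry."""
import re

# Locations an ordinary user (or a dropped installer) can write to.
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\(appdata|downloads|desktop)|c:\\programdata|c:\\windows\\temp)",
    re.IGNORECASE,
)
# Where legitimately installed kernel drivers normally live.
SYSTEM_DRIVER_DIRS = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)

# Constructed sample events: "key=value" fields separated by " | ".
LOG_LINES = [
    r"source=Defender | id=5007 | image=C:\Users\alice\Downloads\Setup.exe | new=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming\Msg = 0x0",
    r"source=Sysmon | id=6 | image=C:\ProgramData\msgsvc\helper.sys | signed=true",
    r"source=Security | id=4698 | task=\MsgUpdater | command=C:\ProgramData\msgsvc\update.exe",
    r"source=Sysmon | id=7 | image=C:\Users\alice\AppData\Local\Temp\Resume\pdfreader.exe | imageloaded=C:\Users\alice\AppData\Local\Temp\Resume\helper.dll | signed=false",
    r"source=Sysmon | id=7 | image=C:\Program Files\Reader\pdfreader.exe | imageloaded=C:\Windows\System32\kernel32.dll | signed=true",
    r"source=Sysmon | id=6 | image=C:\Windows\System32\drivers\disk.sys | signed=true",
    r"source=Security | id=4698 | task=\Microsoft\Windows\Backup | command=C:\Windows\System32\sdclt.exe",
]


def parse_event(line: str) -> dict:
    """Split one log line into a dict; values may contain spaces and '='."""
    event = {}
    for field in line.split(" | "):
        key, _, value = field.partition("=")
        event[key.strip().lower()] = value.strip()
    return event


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def classify(event: dict):
    """Return (rule, severity) for a suspicious event, or None if it looks benign."""
    src, eid = event.get("source"), event.get("id")
    # Defender 5007 = configuration changed; an Exclusions key being set by a
    # freshly downloaded installer matches the Setup.exe behaviour in the article.
    if src == "Defender" and eid == "5007" and "\\Exclusions\\" in event.get("new", ""):
        return ("defender_exclusion_added", "high")
    # Sysmon 6 = driver loaded; drivers outside the system driver store are unusual.
    if src == "Sysmon" and eid == "6" and not SYSTEM_DRIVER_DIRS.match(event.get("image", "")):
        return ("driver_loaded_from_unusual_path", "medium")
    # Security 4698 = scheduled task created; persistence pointing at a user-writable binary.
    if src == "Security" and eid == "4698" and is_user_writable(event.get("command", "")):
        return ("scheduled_task_from_user_writable_path", "medium")
    # Sysmon 7 = image loaded; an unsigned DLL beside its host exe in a temp folder
    # is the classic sideloading shape (renamed PDF reader + malicious DLL).
    if src == "Sysmon" and eid == "7":
        exe, dll = event.get("image", ""), event.get("imageloaded", "")
        if event.get("signed") == "false" and dirname(exe) == dirname(dll) and is_user_writable(dll):
            return ("possible_dll_sideload", "high")
    return None


def analyze(lines):
    """Run every rule over every line; return findings in log order."""
    findings = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        hit = classify(event)
        if hit is not None:
            findings.append({"line": number, "rule": hit[0], "severity": hit[1],
                             "image": event.get("image") or event.get("command")})
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(f"line {finding['line']}: [{finding['severity']}] {finding['rule']} -> {finding['image']}")
```

The four constructed malicious lines each trip exactly one rule, while the three benign lines (a signed system DLL, a driver from the driver store, and a built-in backup task) pass. In a real deployment the value of these rules comes from correlation: a Defender exclusion change followed within minutes by a driver load and a scheduled task from the same user-writable directory is far more telling than any single event.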

Sleep well, we got you covered.
