Fake Huorong security site infects users with ValleyRAT
A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website with a typosquatted domain to trick users into downloading a malicious installer. The malware uses DLL sideloading techniques to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT provides attackers with extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems but may be spreading to other threat actors due to the public leak of the ValleyRAT builder.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securityboulevard.com/2026/02/fake-huorong-security-site-infects-users-with-valleyrat/
- Adversary: Silver Fox
- Pulse Id: 699c6b8685a6526f07db3c61
- Threat Score: null
Threat ID: 699cdc61be58cf853bd5eac3
Added to database: 2/23/2026, 11:01:53 PM
Last updated: 2/23/2026, 11:01:54 PM