Fake Huorong security site infects users with ValleyRAT
A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website on a typosquatted domain to trick users into downloading a malicious installer. The installer uses DLL sideloading to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT gives attackers extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems, but the public leak of the ValleyRAT builder means the malware may spread to other threat actors.
AI Analysis
Technical Summary
This threat involves a targeted campaign by the Silver Fox advanced persistent threat (APT) group that impersonates Huorong Security, a popular Chinese antivirus product, by creating a convincing fake website hosted on typosquatted domains. The attackers trick users into downloading a malicious installer that deploys ValleyRAT, a Remote Access Trojan (RAT) known for its advanced stealth and control capabilities. The malware uses DLL sideloading, a technique where a legitimate Windows binary is tricked into loading a malicious DLL, to evade detection and execute its payload. Once installed, ValleyRAT disables Windows Defender to avoid removal, establishes persistence through scheduled tasks, and employs various evasion tactics such as obfuscation and anti-analysis techniques. The RAT provides attackers with extensive system control, including keylogging to capture user input, process injection to hide malicious activity within legitimate processes, and credential theft to harvest sensitive authentication data. The campaign mainly targets Chinese-language Windows 10 systems, leveraging the trust users place in Huorong Security. However, the recent public leak of the ValleyRAT builder increases the risk of the malware being adopted by other threat actors globally. Indicators of compromise include a set of malicious file hashes, multiple typosquatted domains mimicking Huorong Security’s legitimate domains, and an IP address associated with command and control infrastructure. Although no CVEs or known exploits in the wild are currently linked to this campaign, the sophistication and stealth of the malware make it a significant threat. The campaign highlights the risks of typosquatting and supply chain attacks in the cybersecurity landscape.
Potential Impact
The impact of this campaign is significant for organizations using or trusting Huorong Security or those operating in Chinese-language environments. Successful infection results in full system compromise, allowing attackers to steal credentials, monitor user activity via keylogging, and maintain long-term persistence. This can lead to data breaches, espionage, intellectual property theft, and potential lateral movement within networks. Disabling Windows Defender reduces the likelihood of detection and remediation, increasing dwell time and damage potential. The use of DLL sideloading complicates detection by traditional antivirus solutions. The public leak of the ValleyRAT builder raises the risk of this malware spreading beyond the initial target group, potentially affecting organizations worldwide. This threat is particularly concerning for government agencies, critical infrastructure, and enterprises with sensitive data in China and regions with Chinese-speaking populations. The campaign also underscores the danger of typosquatting as an attack vector, which can be exploited against other trusted brands and products.
Mitigation Recommendations
Organizations should implement multi-layered defenses, including:
1) Educate users to verify URLs carefully and avoid downloading software from unofficial or suspicious websites, especially typosquatted domains.
2) Employ DNS filtering and domain reputation services to block access to known malicious and typosquatted domains listed in the indicators.
3) Use endpoint detection and response (EDR) solutions capable of detecting DLL sideloading and suspicious scheduled tasks.
4) Harden Windows Defender and other security tools to prevent unauthorized disabling, and monitor for changes to security configurations.
5) Regularly audit scheduled tasks and startup items for unauthorized persistence mechanisms.
6) Deploy credential protection mechanisms such as multi-factor authentication and monitor for unusual authentication activity.
7) Maintain up-to-date threat intelligence feeds to detect and respond to indicators of compromise promptly.
8) Conduct regular penetration testing and red team exercises to evaluate defenses against similar APT tactics.
9) Isolate and segment networks to limit lateral movement if compromise occurs.
10) Monitor network traffic for connections to known malicious IP addresses and domains associated with this campaign.
These measures go beyond generic advice by focusing on the specific tactics, techniques, and procedures (TTPs) used by this threat.
Affected Countries
China, Taiwan, Hong Kong, Singapore, Malaysia, United States, South Korea, Japan
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securityboulevard.com/2026/02/fake-huorong-security-site-infects-users-with-valleyrat/
- Adversary: Silver Fox
- Pulse Id: 699c6b8685a6526f07db3c61
- Threat Score: null
Threat ID: 699cdc61be58cf853bd5eac3
Added to database: 2/23/2026, 11:01:53 PM
Last enriched: 2/23/2026, 11:16:30 PM
Last updated: 4/9/2026, 8:26:38 AM