
Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)

Severity: Medium
Published: Thu Oct 16 2025 (10/16/2025, 11:41:46 UTC)
Source: AlienVault OTX General

Description

Operation Silk Lure is a sophisticated cyber espionage campaign targeting Chinese individuals in the FinTech, cryptocurrency exchange, and trading platform sectors. The attack vector involves spear-phishing emails containing malicious .LNK shortcut files embedded in fake resumes. Execution of these files triggers a multi-stage infection that culminates in the deployment of ValleyRAT malware. Persistence is achieved via weaponized scheduled tasks that leverage DLL side-loading techniques. The malware performs system reconnaissance and exfiltrates sensitive data while employing anti-VM and antivirus evasion tactics. The campaign infrastructure is primarily hosted in Hong Kong, using deceptive .work domains mimicking job portals. Although the campaign primarily targets Chinese entities, its use of common Windows features and global internet infrastructure poses potential risks to European organizations with similar profiles or connections. The threat is rated medium severity due to its targeted nature and complexity; it requires no user authentication beyond the initial execution, and no exploits in the wild are known yet.

AI-Powered Analysis

Last updated: 10/16/2025, 15:15:44 UTC

Technical Analysis

Operation Silk Lure is a targeted cyber campaign focusing on Chinese professionals in the FinTech and cryptocurrency sectors, leveraging social engineering via spear-phishing emails with malicious .LNK files disguised as resumes. When a victim opens the .LNK file, it initiates a multi-stage infection chain that ultimately deploys ValleyRAT, a remote access trojan known for data exfiltration and persistence capabilities. The attackers weaponize Windows Scheduled Tasks to maintain persistence, exploiting DLL side-loading—a technique where a legitimate executable loads a malicious DLL placed in its directory, bypassing security controls. This method allows the malware to evade detection and maintain stealth. The malware conducts system reconnaissance to gather information about the infected host and network environment, then exfiltrates sensitive data back to attacker-controlled infrastructure hosted mainly in Hong Kong. The attackers use multiple .work domains mimicking legitimate job portals to lure victims and employ anti-virtual machine (VM) checks and attempts to disable antivirus software to avoid detection. Indicators of compromise include specific IP addresses and file hashes linked to the malware and infrastructure. While the campaign currently targets Chinese individuals, the techniques and malware used could be adapted or inadvertently impact other regions, especially organizations with similar operational profiles or those interacting with Chinese entities.

Potential Impact

For European organizations, the direct impact of Operation Silk Lure is currently limited due to its targeting of Chinese individuals in specific sectors. However, European FinTech and cryptocurrency firms with business ties to China or employing Chinese nationals could be at risk. If the campaign expands or variants emerge, the use of DLL side-loading and scheduled tasks for persistence could allow attackers to maintain long-term access, leading to data breaches, intellectual property theft, and disruption of critical financial operations. The malware’s capability to disable antivirus and evade VM detection increases the risk of prolonged undetected compromise. Exfiltration of sensitive financial and personal data could result in regulatory penalties under GDPR, reputational damage, and financial losses. Additionally, the use of spear-phishing with social engineering tactics highlights the risk to employees who may be targeted with convincing fake job offers or resumes, potentially leading to broader infection within European organizations.

Mitigation Recommendations

European organizations, especially those in FinTech and cryptocurrency sectors, should implement targeted defenses against spear-phishing, including advanced email filtering and user awareness training focused on identifying malicious attachments like .LNK files. Endpoint detection and response (EDR) solutions should be configured to monitor and alert on suspicious scheduled task creation and DLL side-loading behaviors. Application whitelisting can prevent unauthorized DLLs from loading. Regular audits of scheduled tasks and system DLLs should be conducted to detect anomalies. Network monitoring should include detection of communications to suspicious domains, particularly those using uncommon TLDs like .work, and known malicious IP addresses associated with this campaign. Employing sandboxing technologies that can bypass anti-VM checks will improve detection of such malware. Additionally, restricting execution of shortcut files from email attachments and disabling unnecessary scheduled tasks can reduce attack surface. Incident response plans should include procedures for rapid containment and forensic analysis if infection is suspected. Collaboration with threat intelligence sharing groups can provide timely updates on emerging indicators and tactics.
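As an added example (not part of the original advisory or of the Seqrite report), the following Python correlates Windows Security Event ID 4698 (scheduled task created) and Sysmon Event ID 7 (image loaded) records to flag the persistence chain described above: a task whose action runs from a user-writable directory, followed by that same binary loading an unsigned DLL from its own directory. Field names follow the Windows and Sysmon event schemas; the sample records, task name and file paths are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a standard user can write to; a task launching from here is suspect.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def task_exec_path(task_xml):
    """Return the normalised, lower-cased <Exec><Command> from a 4698 TaskContent XML."""
    cmd = ET.fromstring(task_xml).find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    return ntpath.normpath(cmd.text.strip().strip('"')).lower() if cmd is not None and cmd.text else ""

def suspicious_tasks(events):
    """Map task name -> executable for 4698 events whose action runs from a user-writable dir."""
    found = {}
    for ev in events:
        if ev.get("EventID") == 4698:
            exe = task_exec_path(ev["TaskContent"])
            if exe.startswith(USER_WRITABLE):
                found[ev["TaskName"]] = exe
    return found

def sideload_alerts(events):
    """Flag Sysmon ID 7 loads where a suspect task's binary loads an unsigned DLL from its own directory."""
    tasks = suspicious_tasks(events)
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image = ntpath.normpath(ev["Image"]).lower()
        dll = ntpath.normpath(ev["ImageLoaded"]).lower()
        same_dir = ntpath.dirname(image) == ntpath.dirname(dll)   # classic side-loading placement
        unsigned = str(ev.get("Signed", "false")).lower() != "true"
        for name, exe in tasks.items():
            if exe == image and same_dir and unsigned:
                alerts.append((name, image, dll))
    return alerts

# Constructed sample records (not telemetry from the campaign); paths and names are made up.
EXE = r"C:\Users\victim\AppData\Roaming\Updater\host.exe"
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
            '<Exec><Command>"' + EXE + '"</Command></Exec></Actions></Task>')
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Updater", "TaskContent": TASK_XML},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",   # benign: System32 binary
     "TaskContent": TASK_XML.replace(EXE, r"C:\Windows\System32\defrag.exe")},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Updater\helper.dll", "Signed": "false"},
]
```

Running `sideload_alerts(SAMPLE_EVENTS)` yields one alert for the constructed `\Updater` task; the System32 defrag task and the signed kernel32.dll load are ignored.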


Technical Details

Author: AlienVault
TLP: white
References: https://www.seqrite.com/blog/operation-silk-lure-scheduled-tasks-weaponized-for-dll-side-loading-drops-valleyrat/
Adversary: null
Pulse Id: 68f0d9fae13980827834f665
Threat Score: null

Indicators of Compromise

IP

206.119.175.16
206.119.175.162
206.119.175.178
206.119.175.65


Domain

pan.tenire.com

Threat ID: 68f108289f8a5dbaeadb936b

Added to database: 10/16/2025, 2:58:48 PM

Last enriched: 10/16/2025, 3:15:44 PM

Last updated: 10/16/2025, 10:52:48 PM

