February 7, 2025
Severity
High
Analysis Summary
Silver Fox, a threat actor primarily targeting Chinese-speaking regions, has been found distributing the ValleyRAT remote access trojan (RAT) through bogus websites advertising Google Chrome.
According to researchers, the malware campaign, first detected in 2023, has increasingly focused on high-value roles within organizations, such as finance, accounting, and sales, to gain access to sensitive data and systems.

Attackers use deceptive Chrome installer sites, distributing ZIP archives containing malicious executables that serve as a launchpad for ValleyRAT. The campaign also leverages drive-by download schemes, tricking users into believing they are downloading legitimate software, thereby exposing them to malware infections.
ValleyRAT is often distributed alongside other malware families, including Purple Fox and Gh0st RAT, with the latter being widely used by Chinese hacking groups. A notable aspect of the attack chain is the use of a DLL loader named PNGPlug, which helps deliver the malware. Attackers exploit DLL sideloading techniques, utilizing a legitimate executable associated with Douyin (the Chinese version of TikTok) to sideload a malicious DLL and launch ValleyRAT. Additionally, another DLL file, "sscronet.dll," is deployed to terminate processes listed in an exclusion list, likely to evade detection and hinder security defenses.
ValleyRAT, written in C++ and compiled in Chinese, possesses several capabilities, including screen monitoring, keystroke logging, and maintaining persistence on the infected host. It communicates with a remote command-and-control server to execute further malicious commands, such as process enumeration, arbitrary DLL injections, and binary execution. The attack leverages DLL search order hijacking, a technique where attackers exploit vulnerable signed executables to inject payloads stealthily. Researchers have drawn connections between this campaign and previous ones distributing Gh0st RAT via malicious Chrome installers, suggesting a coordinated effort to compromise users through fake software download sites.
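The two paragraphs above describe the loader side of the chain: a legitimate signed executable is placed next to a malicious DLL so that the Windows loader resolves the DLL from the executable's own directory (DLL sideloading / search order hijacking). The following is an added detection example, not code from the advisory or from the researchers who reported the campaign. It runs three defender-side heuristics over constructed, Sysmon Event ID 7-style image-load records (the field names Image, ImageLoaded and Signed mirror Sysmon's; every path, the host name signed_host.exe, and the short SYSTEM_DLL_NAMES allowlist are assumptions). It generalises beyond the Douyin case to any signed host binary loading a DLL from its own directory.

```python
"""Flag image-load events consistent with DLL sideloading / search-order hijacking.

Added example, not part of the advisory. Events are constructed,
Sysmon Event ID 7-style records (fields Image, ImageLoaded, Signed mirror
Sysmon's names; the values are made up). signed_host.exe stands in for any
legitimately signed executable abused as a sideloading host."""
from __future__ import annotations

from pathlib import PureWindowsPath

# DLL names that normally resolve from %SystemRoot%\System32. A file with one of
# these names loaded from anywhere else is the classic search-order-hijack tell.
# Deliberately short, constructed allowlist for the demo.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll"}

# Locations where an unpacked "installer" ZIP from a bogus download page would land.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Roots where executables and their DLLs are expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host OS)."""
    return str(PureWindowsPath(path)).lower()


def assess_image_load(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like sideloading (empty if none)."""
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    image_dir = str(PureWindowsPath(image).parent)
    loaded_dir = str(PureWindowsPath(loaded).parent)
    dll_name = PureWindowsPath(loaded).name
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    reasons: list[str] = []

    # 1. A DLL carrying a System32 name resolved from outside the Windows directory:
    #    the loader found a same-named file earlier in its search order.
    if dll_name in SYSTEM_DLL_NAMES and not loaded.startswith("c:\\windows\\"):
        reasons.append(f"system DLL name {dll_name} loaded from {loaded_dir}")

    # 2. Unsigned DLL pulled from the executable's own directory, and that directory
    #    is outside the OS/program roots: the sideloading pattern itself.
    if image_dir == loaded_dir and unsigned and not loaded.startswith(TRUSTED_ROOTS):
        reasons.append(f"unsigned {dll_name} loaded from the executable's own directory")

    # 3. Any DLL loaded from a user-writable drop location.
    if any(hint in loaded for hint in USER_WRITABLE_HINTS):
        reasons.append(f"DLL loaded from user-writable path {loaded_dir}")
    return reasons


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that tripped at least one heuristic."""
    return [(i, r) for i, e in enumerate(events) if (r := assess_image_load(e))]


SAMPLE_EVENTS = [  # constructed telemetry
    # Benign: Chrome itself loading version.dll from System32.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Unpacked fake-installer ZIP: the signed host picks up a rogue version.dll next to it.
    {"Image": r"C:\Users\alice\Downloads\ChromeSetup\signed_host.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\ChromeSetup\version.dll", "Signed": "false"},
    # Same host run from a temp directory, loading an unsigned DLL dropped beside it
    # (the advisory names sscronet.dll as such a companion DLL).
    {"Image": r"C:\Users\alice\AppData\Local\Temp\unpacked\signed_host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\unpacked\sscronet.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["ImageLoaded"])
        for reason in reasons:
            print("   -", reason)
```

Heuristic 1 is the highest-signal one and needs a real allowlist of System32 module names in production; heuristics 2 and 3 will also fire on portable applications run from Downloads, so they are better treated as enrichment for triage than as stand-alone alerts.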
The discovery of ValleyRAT's campaign coincides with other evolving cyber threats, such as phishing attacks using Scalable Vector Graphics (SVG) attachments to evade detection and deliver AutoIt-based keyloggers like Nymeria or credential-harvesting payloads. These sophisticated tactics highlight the growing use of legitimate-looking but malicious files to bypass security measures. Organizations must remain vigilant against deceptive software downloads, phishing schemes, and abuse of trusted software vulnerabilities to prevent unauthorized access and data breaches.
Impact
- Sensitive Data Theft
- Unauthorized Access
- Financial Loss
Indicators of Compromise
Domain Name
- anizom.com
- karlost.club
IP
- 8.217.244.40
- 154.82.85.79
- 118.107.44.219
- 43.250.172.42
- 103.183.3.10
MD5
- b74ffda9356d1ee703286dfad116cb04
- cfb539cb3a6cb0409d3bb289ba151c51
- ed84de62c3753c95a411dd6618c7d2cf
- 67cf66031c6c1781bf99dc9427be079f
- 5e15d0917b739678738cfe5869c11376
SHA-256
- 53a6735ce1eca68908c0367152a1f8f3ca62b801788cd104f53d037811284d71
- 6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c
- 311f2d4ef2598e4a193609c3cd47bf4ff5fb88907026946ecffe6b960d43d5b2
- bb89e401560ba763d1c5860dd51667ba17768c04d00270bf34abebac47fd040e
- 1db77692eaf4777f69ddf78c52424d81834572f1539ccea263d86a46f28e0cea
SHA-1
- 672fc276661bde3a5c85f236ec2a516eb7da012a
- cfe92942da955d37844c81870aa705fcc1122b24
- 30ca9b3f67002cbb30a6fcbb63ee7c30e2bf53de
- 72a28db19c993fedaabe9426ee10d5cabdede977
- 55745d45241a9a4287aeee585cb584731f093492
URL
- https://anizom.com
- https://karlost.club
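The indicator list above is only useful once it is swept against your own telemetry. The following is an added example, not code from the advisory: it classifies indicator strings by type (hash length, IPv4, URL, domain), folds URL hostnames into the domain set, and then searches log lines with boundary-aware regexes so that, for instance, 8.217.244.40 does not match inside 18.217.244.40. IOC_TEXT reproduces a subset of the indicators printed above; the SAMPLE_LOGS lines and their DNS/proxy/EDR/firewall formats are constructed for the demonstration.

```python
"""Classify the advisory's indicators by type and sweep log lines for them.

Added example, not part of the advisory. IOC_TEXT reproduces a subset of the
indicators printed in the advisory; SAMPLE_LOGS are constructed lines in
made-up DNS/proxy/EDR/firewall formats, used only to exercise the matcher."""
from __future__ import annotations

import re
from urllib.parse import urlparse

IOC_TEXT = """
anizom.com
karlost.club
8.217.244.40
154.82.85.79
118.107.44.219
43.250.172.42
103.183.3.10
b74ffda9356d1ee703286dfad116cb04
cfb539cb3a6cb0409d3bb289ba151c51
53a6735ce1eca68908c0367152a1f8f3ca62b801788cd104f53d037811284d71
6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c
672fc276661bde3a5c85f236ec2a516eb7da012a
cfe92942da955d37844c81870aa705fcc1122b24
https://anizom.com
https://karlost.club
"""

# Order matters: the longer hex lengths are tested before the shorter ones, and
# the IPv4 pattern before the (looser) domain pattern.
PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("url", re.compile(r"^https?://", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]


def classify(token: str) -> str | None:
    """Map one indicator string to its type, or None if it fits no pattern."""
    for kind, rx in PATTERNS:
        if rx.match(token):
            return kind
    return None


def parse_iocs(text: str) -> dict[str, set[str]]:
    """Bucket indicators by type; a URL also contributes its hostname to 'domain'."""
    buckets: dict[str, set[str]] = {kind: set() for kind, _ in PATTERNS}
    for raw in text.splitlines():
        token = raw.strip().lstrip("-").strip().lower()  # tolerate "- " bullets
        if not token:
            continue
        kind = classify(token)
        if kind is None:
            continue
        buckets[kind].add(token)
        if kind == "url":
            host = urlparse(token).hostname
            if host:
                buckets["domain"].add(host)
    return buckets


def _boundary_regex(kind: str, value: str) -> re.Pattern:
    """Match the value only as a whole token (domains may be preceded by a dot,
    so sub.anizom.com is still caught)."""
    esc = re.escape(value)
    if kind == "domain":
        return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])", re.I)
    return re.compile(r"(?<![\w.])" + esc + r"(?![\w.])", re.I)


def sweep(iocs: dict[str, set[str]], lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_index, ioc_type, value) for every indicator seen in the lines."""
    compiled = [(kind, value, _boundary_regex(kind, value))
                for kind in iocs for value in sorted(iocs[kind])]
    hits = []
    for i, line in enumerate(lines):
        for kind, value, rx in compiled:
            if rx.search(line):
                hits.append((i, kind, value))
    return hits


SAMPLE_LOGS = [  # constructed
    "2025-02-07T10:12:01Z dns client=10.0.0.15 query=anizom.com type=A",
    "2025-02-07T10:12:02Z proxy src=10.0.0.15 url=https://anizom.com/ChromeSetup.zip status=200",
    r"2025-02-07T10:12:40Z edr host=WS-015 file=C:\Users\alice\Downloads\ChromeSetup.zip "
    "sha256=53a6735ce1eca68908c0367152a1f8f3ca62b801788cd104f53d037811284d71",
    "2025-02-07T10:13:05Z fw src=10.0.0.15 dst=8.217.244.40:443 action=allow",
    "2025-02-07T10:14:00Z fw src=10.0.0.16 dst=18.217.244.40:443 action=allow",  # must NOT match
    "2025-02-07T10:15:00Z dns client=10.0.0.17 query=example.com type=A",
]

if __name__ == "__main__":
    for line_no, kind, value in sweep(parse_iocs(IOC_TEXT), SAMPLE_LOGS):
        print(f"line {line_no}: {kind} {value}")
```

Paste the full indicator block from the advisory into IOC_TEXT and feed real export lines to sweep() to use it as-is; for larger log volumes, replace the per-line loop with a single alternation regex per indicator type or load the indicators into your SIEM's lookup tables instead.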
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Download software only from official sources (e.g., Google’s official website, not third-party links).
- Verify website URLs before downloading software to avoid fake pages.
- Use security software that can detect malware and block malicious sites.
- Enable automatic updates for your operating system and security tools.
- Avoid clicking on suspicious links in emails, messages, or search engine ads.
- Check file properties before running downloads (e.g., unexpected file names like "Setup.exe" from unknown sites).
- Implement security awareness training to educate employees about phishing and fake software.
- Use endpoint protection solutions that monitor and block suspicious activities.
- Apply application whitelisting to prevent unauthorized software from running.
- Monitor network traffic for unusual activity, such as connections to unknown servers.
- Enforce least privilege access to limit the impact if an employee’s system is compromised.
- Regularly back up critical data and store backups in a secure, offline location.
- Deploy email security tools to detect and block phishing attempts using SVG files or other hidden malware.