Cybersecurity experts spotted a series of cyberattacks that have specifically targeted Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China. The attacks involve a multi-stage infection chain that delivers the ValleyRAT malware through a loader called PNGPlug.
ValleyRAT, a Remote Access Trojan (RAT) that has been observed in the wild since 2023, gives attackers unauthorized control over infected machines. Recent versions of the malware feature capabilities such as capturing screenshots and clearing Windows event logs, making it a highly effective tool for espionage and data exfiltration.
The infection process, according to a technical report published by Intezer, begins with a phishing page designed to trick victims into downloading a malicious Microsoft Installer (MSI) package disguised as legitimate software. Once executed, the MSI installer extracts an encrypted archive containing the malicious payload and runs a malicious DLL that decrypts the archive using the hardcoded password 'hello202411' to extract the core malware components.
These components include a rogue Dynamic Link Library (DLL) file named "libcef.dll", a legitimate application ("down.exe") used to obscure malicious activities, and two payload files masquerading as PNG image files, "aut.png" and "view.png."
The PNGPlug loader's primary function is to prepare the system for executing the main malware by loading "aut.png" and "view.png" into memory. These files make changes to the Windows Registry to ensure the malware persists and executes ValleyRAT.
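The campaign relies on payload files carrying a ".png" extension without being images. A defender can flag such files by validating content rather than name. The following is an added example (not code from Intezer's report or from the malware) that checks the PNG signature and parses the mandatory first IHDR chunk, including its CRC; the sample blobs are constructed here and are not real campaign artifacts.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def is_real_png(data: bytes) -> bool:
    """Return True only if data starts like a structurally valid PNG.

    Checks the 8-byte signature, then parses the first chunk, which must be
    an IHDR chunk of exactly 13 bytes whose stored CRC matches the CRC-32 of
    its type and data. A payload merely renamed to .png fails the signature
    check; a payload with a pasted-on signature fails the IHDR/CRC checks.
    """
    if not data.startswith(PNG_SIGNATURE):
        return False
    if len(data) < 8 + 4 + 4 + 13 + 4:  # signature + length + type + IHDR + CRC
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    chunk_data = data[16:16 + length]
    stored_crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    return (zlib.crc32(ctype + chunk_data) & 0xFFFFFFFF) == stored_crc


def classify(files: dict) -> dict:
    """Map each filename to 'png' or 'suspicious' based on content, not name."""
    return {name: ("png" if is_real_png(blob) else "suspicious")
            for name, blob in files.items()}


def _make_ihdr(width: int, height: int) -> bytes:
    """Build a valid IHDR chunk (8-bit RGB, no interlace) for the sample."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed samples: one real PNG header, two non-images named like the
# campaign's "aut.png" / "view.png" (hypothetical contents, not the real files)
SAMPLES = {
    "real.png": PNG_SIGNATURE + _make_ihdr(1, 1),
    "aut.png": b"MZ\x90\x00" + b"\x00" * 60,   # PE-like blob renamed to .png
    "view.png": PNG_SIGNATURE + b"\x00" * 40,  # signature only, bogus chunk
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Run the check over files dropped by an MSI install to flag ".png" artefacts whose structure does not match a real image.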
Researchers have linked the ongoing attacks to a threat group known as Silver Fox, which has shown tactical overlap with another group, Void Arachne. Both groups are using a command-and-control (C&C) framework called Winos 4.0. Notably, this campaign is distinct for its targeting of Chinese-speaking populations and its reliance on software-related lures to initiate the attack chain.