Sophisticated malware campaign is targeting Chinese-speaking regions

Cybersecurity experts spotted a series of cyberattacks that have specifically targeted Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China. The attacks involve a multi-stage infection chain that delivers the ValleyRAT malware through a loader called PNGPlug.

ValleyRAT, a Remote Access Trojan (RAT) that has been observed in the wild since 2023, gives attackers unauthorized control over infected machines. Recent versions of the malware feature capabilities such as capturing screenshots and clearing Windows event logs, making it a highly effective tool for espionage and data exfiltration.

The infection process, according to a technical report published by Intezer, begins with a phishing page designed to trick victims into downloading a malicious Microsoft Installer (MSI) package disguised as legitimate software. Once executed, the MSI installer drops an encrypted archive containing the malicious payload and runs a malicious DLL that decrypts that archive with the hardcoded password 'hello202411', extracting the core malware components.

These components include a rogue Dynamic Link Library (DLL) file named "libcef.dll", a legitimate application ("down.exe") used to mask the malicious activity, and two payload files masquerading as PNG image files, "aut.png" and "view.png".

The PNGPlug loader (the rogue "libcef.dll") prepares the environment for the main payload: it loads "aut.png" and "view.png" into memory, modifies the Windows Registry so that the malware persists across reboots, and then executes ValleyRAT.
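A small triage script for the file constellation described in the two paragraphs above. This is an added example, not code from the Intezer report or from the malware: it checks whether files with a .png extension actually carry the 8-byte PNG signature (the report says "aut.png" and "view.png" only masquerade as images), looks for the exact file names given in the report, and flags a "libcef.dll" sitting beside "down.exe". Treating that pairing as a DLL side-loading indicator is my assumption; the report only calls "down.exe" a legitimate program used to hide the activity. The sample directory is constructed in a temporary folder with harmless stub bytes.

```python
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# File names taken from the Intezer write-up summarised in the article.
LOADER_DLL = "libcef.dll"
DECOY_EXE = "down.exe"
PAYLOAD_PNGS = {"aut.png", "view.png"}


def is_real_png(path: Path) -> bool:
    """True only if the file starts with the 8-byte PNG signature."""
    with path.open("rb") as fh:
        return fh.read(len(PNG_MAGIC)) == PNG_MAGIC


def triage_directory(directory: Path) -> dict:
    """Scan one directory for the PNGPlug drop pattern.

    Returns a dict with:
      fake_pngs        - .png files whose content does not start with the PNG magic
      named_indicators - hits on the exact file names from the report
      sideload_pair    - True if the loader DLL sits beside the decoy EXE
                         (side-loading interpretation is an assumption)
    """
    files = [p for p in directory.iterdir() if p.is_file()]
    names = {p.name.lower() for p in files}
    fake_pngs = sorted(
        p.name for p in files
        if p.suffix.lower() == ".png" and not is_real_png(p)
    )
    named = sorted(names & (PAYLOAD_PNGS | {LOADER_DLL, DECOY_EXE}))
    pair = LOADER_DLL in names and DECOY_EXE in names
    return {"fake_pngs": fake_pngs, "named_indicators": named, "sideload_pair": pair}


def build_sample_drop(root: Path) -> Path:
    """Constructed sample (harmless stubs, not real malware) that mimics the dropped file set."""
    drop = root / "sample_drop"
    drop.mkdir()
    pe_stub = b"MZ" + b"\x00" * 62                      # bare DOS header, nothing executable
    (drop / DECOY_EXE).write_bytes(pe_stub)
    (drop / LOADER_DLL).write_bytes(pe_stub)
    opaque = b"\x10\x22\x33\x44" * 16                   # no PNG signature: "payload" stand-in
    (drop / "aut.png").write_bytes(opaque)
    (drop / "view.png").write_bytes(opaque)
    (drop / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)  # benign control file
    return drop


def run_demo() -> dict:
    """Build the constructed drop in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_directory(build_sample_drop(Path(tmp)))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the constructed directory the script reports "aut.png" and "view.png" as fake PNGs, leaves "logo.png" alone, and flags the loader/decoy pairing. Point `triage_directory` at a real suspect folder to use it outside the demo; a signature mismatch is a strong triage lead but not proof on its own, since the report does not describe the actual encoding of the two payload files.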

Researchers have linked the ongoing attacks to a threat group known as Silver Fox, which has shown tactical overlap with another group, Void Arachne. Both groups are using a command-and-control (C&C) framework called Winos 4.0. Notably, this campaign is distinct for its targeting of Chinese-speaking populations and its reliance on software-related lures to initiate the attack chain.
