Killchain | Image: K7 Security Labs
A dangerous new ValleyRAT malware campaign is currently targeting unsuspecting corporate users across the internet. Specifically, threat actors are distributing trojanized software bundles disguised as legitimate enterprise communication tools. According to a recent security report, the infection chain begins on social platforms like X. Consequently, attackers trick visitors into downloading malicious ZIP archives from lookalike web pages.
Fake Microsoft Teams Lures
The threat actors set up convincing download portals to deceive victims. As noted in the documentation: “The websites closely mimic the legitimate Microsoft Teams download page, using lookalike domains to trick users into downloading a trojanized installer packaged as a zip archive.”
Furthermore, running the extracted file launches a stealthy installer based on the Nullsoft Scriptable Install System (NSIS). This installer drops several bad components into the system while simultaneously running a real Teams setup tool. Therefore, the user notices nothing unusual during the routine installation process.
Bypassing Security Controls
The Sideloading Chain
Once inside, the malware leverages a well-known DLL sideloading technique to evade detection. The report states: “Our investigation revealed that the delivered payload leverages a DLL sideloading chain via a legitimate executable (GameBox.exe) developed by Tencent, ultimately deploying a ValleyRAT variant.” Indeed, the campaign carefully blends social engineering with advanced defense evasion tactics.
Disabling Windows Defender
Additionally, the payload explicitly modifies the local antivirus configuration to shield itself from discovery. It runs PowerShell commands (Add-MpPreference) to add explicit Windows Defender exclusions for its working directory. As a result, Windows Defender completely ignores the malicious dynamic link library.
Tracking the SilverFox APT
Memory Injection and Logging
After weakening defenses, the loader allocates memory to run an encrypted shellcode payload named user.dat. Subsequently, the malware decrypts this buffer directly in the system memory before executing it via threads. This active ValleyRAT malware campaign also maintains detailed local buffers of stolen information before exfiltration.
Specifically, the software captures keystrokes, tracks clipboard changes, and records active window switches. Based on structural similarities, researchers strongly link this operation to the notorious SilverFox APT group.
Defense Guidelines for Administrators
Network administrators must proactively defend against these advanced post-exploitation capabilities.
- First, monitor your systems for outbound connections attempting to reach the command-and-control server at 103.215.77.17.
- Second, audit your endpoints for unauthorized PowerShell activity modifying Add-MpPreference exclusions.
- Furthermore, block unauthorized service creations matching the _CCGDAT registry entry.
- Finally, educate your workforce to download software exclusively from verified corporate portals instead of third-party links.
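One way to sweep a single Windows host for the three technical indicators above, as an added example that is not from the report or from K7 Security Labs. It assumes PowerShell script block logging (event ID 4104) is enabled on the host, and it treats `_CCGDAT` as a substring to match against service names and service registry keys, which is an assumption about how that entry appears.

```powershell
# Added triage example (not from the original report). Assumes script block logging
# (Event ID 4104) is on, and that "_CCGDAT" can be matched as a substring of a service
# name / service registry key (assumption about the indicator's form).
function Invoke-ValleyRatTriage {
    $C2Ip           = '103.215.77.17'   # C2 address named in the article
    $ServicePattern = '_CCGDAT'         # registry entry named in the article
    $findings = @()

    # 1. Live outbound TCP connections to the reported C2 address.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Ip } |
        ForEach-Object {
            $findings += "C2 connection: PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
        }

    # 2a. Every current Defender path exclusion; the campaign adds its working directory here,
    #     so each entry should be reviewed against the host's expected baseline.
    (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath |
        Where-Object { $_ } |
        ForEach-Object { $findings += "Defender path exclusion present: $_" }

    # 2b. Logged script blocks from the last 7 days that called Add-MpPreference with an exclusion.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-7) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Add-MpPreference\s+.*-Exclusion' } |
        ForEach-Object {
            $msg = $_.Message -replace '\s+', ' '
            if ($msg.Length -gt 160) { $msg = $msg.Substring(0, 160) + '...' }
            $findings += "Add-MpPreference call at $($_.TimeCreated): $msg"
        }

    # 3. Services (live and in the registry) whose name, display name or binary path match the entry.
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -like "*$ServicePattern*" } |
        ForEach-Object { $findings += "Suspicious service: $($_.Name) -> $($_.PathName)" }
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$ServicePattern*" } |
        ForEach-Object { $findings += "Suspicious service registry key: $($_.Name)" }

    return $findings
}

$result = Invoke-ValleyRatTriage
if ($result.Count -eq 0) { 'No ValleyRAT indicators from the article found on this host.' } else { $result }
```

Run it in an elevated session, since reading the Defender configuration and the PowerShell operational log normally requires administrator rights.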