Researchers at Seqrite Labs have uncovered a highly targeted cyber-espionage campaign, dubbed Operation Silk Lure, that leverages malicious resume decoys and scheduled task persistence to infiltrate Chinese organizations in the FinTech and cryptocurrency sectors.
According to Seqrite, the threat actors behind this campaign are using Command and Control (C2) infrastructure hosted in the United States to deliver multi-stage payloads capable of reconnaissance, credential theft, and data exfiltration.
The campaign employs sophisticated spear-phishing techniques, with attackers posing as job applicants sending malicious .LNK (Windows shortcut) files disguised as resumes to HR and recruitment teams.
“The adversaries craft highly targeted emails impersonating job seekers and send them to HR departments and technical hiring teams within Chinese firms,” Seqrite explained.
“These emails often contain malicious .LNK files embedded within seemingly legitimate resumes or portfolio documents. When executed, these .LNK files act as droppers, initiating the execution of payloads that facilitate initial compromise.”

The decoy resume — written entirely in Simplified Chinese — impersonates Li Hanbing (李汉兵), a senior backend/blockchain full-stack engineer with an impressive background in DeFi and trading systems development.
“The resume lists a bachelor’s degree from South China Agricultural University, work history in Guangdong province, and numerous crypto/DeFi projects,” Seqrite noted. The CV’s credibility and localization make it highly believable to Chinese users, increasing the likelihood of successful social engineering.
Upon execution, the malicious LNK launches a PowerShell command exceeding 260 characters, initiating the download of additional files from the attacker’s infrastructure.
“During initial analysis of the downloaded shortcut 李汉彬.lnk, we observed more than 260-character sequences consistent with a PowerShell command-line payload,” Seqrite stated.
The PowerShell script retrieves several components, including:
- A decoy resume PDF
- keytool.exe (malicious loader)
- CreateHiddenTask.vbs (VBScript for persistence)
- jli.dll (malicious DLL loader)
Seqrite confirmed that the malware establishes persistence by deploying a scheduled task named “Security,” disguised as a Microsoft-authorized process.
“The VBScript instantiates COM objects, connects to the Task Scheduler, and programmatically creates a daily scheduled task named ‘Security’ whose action executes keytool.exe,” the researchers revealed. “It sets the task’s Author to ‘Microsoft Corporation’ and deletes the VBScript file itself to reduce forensic traces.”
This ensures that the malicious payload executes automatically every day at 8:00 AM, maintaining long-term persistence within compromised systems.
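The persistence described above leaves a recognisable artefact: a task XML file whose `Author` claims Microsoft while its `Exec` action points outside Windows system directories. The following triage script is an added example (not Seqrite's tooling); it audits task definitions from the on-disk task store and a constructed sample modelled on the reported task, with the drop path and trigger date assumed.

```python
import os
import xml.etree.ElementTree as ET

# Namespace used by every task definition under C:\Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations from which a task that claims a Microsoft author would normally run.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def audit_task_xml(xml_data) -> list[str]:
    """Return the reasons a single task definition (str or bytes) looks suspicious."""
    root = ET.fromstring(xml_data)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS).strip()
    findings = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        low = cmd.lower()
        # Silk Lure's task claimed "Microsoft Corporation" yet executed a dropped keytool.exe.
        if author.lower() == "microsoft corporation" and not low.startswith(TRUSTED_PREFIXES):
            findings.append(f"author claims Microsoft but action runs {cmd}")
        if any(p in low for p in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd}")
    return findings


def audit_task_dir(task_dir=r"C:\Windows\System32\Tasks") -> dict[str, list[str]]:
    """Walk the on-disk task store (UTF-16 XML files) and collect findings per task."""
    results = {}
    for dirpath, _, files in os.walk(task_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # raw bytes keep the BOM so the parser picks the encoding
                try:
                    findings = audit_task_xml(fh.read())
                except ET.ParseError:
                    continue
            if findings:
                results[path] = findings
    return results


# Constructed sample modelled on the reported task (assumed drop path, not a captured file).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\Security</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T08:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\keytool.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\sc.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for line in audit_task_xml(SUSPICIOUS_TASK):
        print("SUSPICIOUS_TASK:", line)
    for path, lines in audit_task_dir().items():
        print(path, lines)
```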
The keytool.exe binary acts as a loader that dynamically invokes export functions from jli.dll to decrypt and execute shellcode embedded in the keytool.exe file itself.
“Upon analyzing keytool.exe, we found that it calls different export functions of jli.dll such as JLI_CmdToArgs and JLI_GetStdArgs,” Seqrite reported.
Further analysis revealed that jli.dll functions as a self-decrypting loader that locates a specific 8-byte marker (1C 3B 7E FF 1C 3B 7E FF) within keytool.exe, extracts the data following it, and decrypts it using an RC4 key ‘123cba’.
“Once the shellcode is decrypted (at runtime, in memory), it reveals its built-in command-and-control (C2) server address: 206.119.175.16,” Seqrite wrote.
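The marker-and-RC4 scheme just described can be reproduced for static triage without running the loader. The script below is an added example, not Seqrite's code: it searches an image for the reported 8-byte marker, RC4-decrypts the bytes that follow it with the reported key, and pulls printable strings from the result. It assumes the encrypted data runs to the end of the file, since the report gives no length field; the sample it decrypts is constructed, with a documentation-range address standing in for a C2.

```python
import re
from typing import Optional

MARKER = bytes.fromhex("1C3B7EFF1C3B7EFF")  # 8-byte marker reported by Seqrite
RC4_KEY = b"123cba"                          # RC4 key reported by Seqrite


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one routine both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_payload(image: bytes, marker: bytes = MARKER, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Find the marker in a loader image and return the decrypted bytes that follow it.
    Assumption: the blob extends to end of file (the report states no length or terminator)."""
    idx = image.find(marker)
    if idx < 0:
        return None
    return rc4(key, image[idx + len(marker):])


def printable_strings(data: bytes, min_len: int = 7) -> list[str]:
    """Pull ASCII runs (e.g. an embedded C2 address) out of decrypted data for triage."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Constructed stand-in for keytool.exe: filler, the marker, then an RC4-encrypted blob.
# 203.0.113.10 is an RFC 5737 documentation address, not the campaign's real C2.
FAKE_PLAINTEXT = b"\x90\x90constructed-shellcode-stub\x00connect=203.0.113.10:443\x00"
FAKE_LOADER = b"MZ" + b"\x00" * 64 + MARKER + rc4(RC4_KEY, FAKE_PLAINTEXT)

if __name__ == "__main__":
    decrypted = extract_payload(FAKE_LOADER)
    print("marker found:", decrypted is not None)
    print("strings:", printable_strings(decrypted or b""))
```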
The decrypted shellcode then injects the next-stage payload into memory — an evolved version of ValleyRAT, a remote access Trojan previously linked to East Asian espionage groups.
Seqrite’s analysis confirms that the final payload conducts system fingerprinting, keylogging, and data exfiltration while using anti-VM and anti-antivirus routines to evade detection.
“ValleyRAT collects CPU info, username, screen resolution, uptime, NIC details, locale, and registry values,” the report details. “It leverages COM/WMI to query ROOT\SecurityCenter2 for AntiVirusProduct and then uninstalls detected AV software. It also terminates network connections belonging to 360Safe, Kingsoft, and Huorong by setting the state to DELETE_TCB.”
The malware executes numerous commands to manage infected hosts, including plugin installation, screenshot capture, clipboard monitoring, and self-uninstallation when directed by its operators.
“The variant is designed to capture visual user activity, deliver and install plugins, and exfiltrate information through structured commands such as ScreenshotConfig, KeyloggerControl, and ClipboardConfig,” Seqrite confirmed.
Seqrite’s infrastructure analysis linked the operation’s backend servers to SonderCloud Limited, a Hong Kong-based hosting provider previously associated with cybercrime operations.