A new wave of malware disguised as popular software installers is sweeping through the Chinese-speaking community, deploying advanced techniques rarely seen in the wild. In a new threat analysis, Cybereason Security Services details a campaign where a fake installer for the messaging app LINE is being used to deliver the ValleyRat malware (also known as Winos 4.0), a remote access trojan linked to the notorious Silver Fox APT.
What makes this campaign stand out is not just its disguise, but its sophistication. The attackers have integrated a rare process injection technique known as “PoolParty Variant 7” to evade detection, signaling a significant evolution in their tradecraft.
The most striking finding in the report is the use of an obscure injection method. While most malware uses standard tricks to hide its code inside legitimate processes, this sample takes a road less traveled.

“The sample we analyzed uses a process-injection technique called PoolParty Variant 7, which is not common,” the report states.
This technique involves manipulating the Windows I/O Completion Ports to force legitimate processes to execute malicious code. Specifically, the malware duplicates a handle from the Explorer.exe process and uses the ZwSetIoCompletion() API to trigger the execution. By hiding within a trusted system process like Explorer, the malware can bypass many security products that don’t monitor this specific vector.
The attackers have built robust mechanisms to ensure their malware stays alive. The investigation revealed a complex “watchdog” system designed to restart the infection if it is interrupted.
“The sample we analyzed implements the watchdog by injecting code into Explorer.exe and UserAccountBroker.exe,” the researchers explain.
This represents a major upgrade from previous versions of the malware, which simply used a batch file to check for the process every 15 seconds. By injecting code directly into these core Windows processes, the watchdog becomes nearly invisible and much harder to remove.
The malware is also highly aware of its environment. It actively scans for and attempts to disable Chinese security software, specifically products from Qihoo 360.
The report notes that the malware searches for processes like “360tray.exe” and “ZhuDongFangYu.exe”. If found, it doesn’t just hide; it attacks. The malware attempts to “remove TCP connections related to the processes,” effectively cutting off the security software from its cloud servers and rendering it blind.
While the exact identity of the attackers is often hard to pin down, the evidence points to a familiar adversary. The use of fake installers targeting Chinese users, combined with the specific malware payload, links this campaign to the Silver Fox APT group.
“ValleyRat was first identified in 2023 and is believed to be linked to the threat group Silver Fox APT,” Cybereason notes.
The report also found similarities to another malware family called SADBRIDGE, the only other known threat to use the PoolParty Variant 7 technique. This shared DNA suggests that the group is actively sharing tools or evolving its arsenal to stay ahead of defenders.
As this campaign continues to target users with fake installers for LINE, ToDesk, and AnyDesk, users are urged to verify digital signatures carefully. As the report warns, a valid-looking certificate that fails verification is a tell-tale sign of tampering.
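The signature check the report recommends, as an added PowerShell example (not code from Cybereason or from the installer's vendor): it classifies an installer's Authenticode status so that a file that carries a certificate but fails hash verification is reported separately from an unsigned one. The file path and the expected publisher name are placeholders you substitute.

```powershell
# Added example: classify an installer's Authenticode signature so that
# "signed but no longer verifies" (tampering) stands out from "unsigned".
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Substring expected in the signer certificate's Subject.
        # Placeholder: replace with the publisher you actually expect.
        [string]$ExpectedSubject = 'EXPECTED PUBLISHER NAME'
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # SignatureStatus values from Get-AuthenticodeSignature.
    $verdict = switch ($sig.Status) {
        'Valid'        { 'Signature valid and chain trusted' }
        'NotSigned'    { 'Unsigned: treat as untrusted' }
        'HashMismatch' { 'SIGNED BUT TAMPERED: contents do not match the signature' }
        'NotTrusted'   { 'Signed, but the chain does not end at a trusted root' }
        default        { "Verification failed: $($sig.Status)" }
    }

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $subjectMatches = [bool]($subject -and ($subject -like "*$ExpectedSubject*"))

    [pscustomobject]@{
        Path          = $Path
        Sha256        = $hash
        Status        = $sig.Status
        Signer        = $subject
        Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        SignerMatches = $subjectMatches
        Verdict       = $verdict
        # Only a Valid status from the expected publisher is acceptable;
        # a good-looking certificate with HashMismatch is the tampering tell.
        Safe          = ($sig.Status -eq 'Valid') -and $subjectMatches
    }
}

# Usage (placeholder path): inspect the downloaded installer before running it.
Test-InstallerSignature -Path 'C:\Users\Public\Downloads\installer.exe' |
    Format-List
```

The SHA256 in the output can be compared against the vendor's published hash or an IoC list before the file is ever executed.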