Morphisec Threat Labs has uncovered a sophisticated multi-stage malware campaign attributed to the Silver Fox APT, leveraging updated delivery techniques to deploy ValleyRAT, a Remote Access Trojan (RAT) that has evolved to bypass detection and persist within compromised systems.
The attackers are refining their tactics, techniques, and procedures (TTPs), utilizing new phishing domains, DLL hijacking techniques, and abused legitimate software binaries to execute their malicious payloads.
Silver Fox APT is using multiple distribution vectors to spread ValleyRAT, including:
- Phishing emails containing malicious attachments
- Fake software installers disguised as legitimate applications
- Deceptive websites impersonating trusted companies
One of the most notable discoveries was a phishing website masquerading as a Chinese SMS provider, designed to lure victims into downloading ValleyRAT.

“The attackers have used an additional phishing website, faking a legitimate Chinese SMS provider, by the URL https://karlost[.]club/,” Morphisec reveals. This tactic enables the stealthy deployment of a downloader that executes a series of malicious payloads on the victim’s system.
The infection chain begins when the victim downloads a fake Chrome browser installer from the malicious website https://anizom[.]com/. The installer, named Setup.exe, contains multiple payloads:
- sscronet.dll – a malicious DLL used for process injection
- douyin.exe – an executable that exploits DLL sideloading techniques
- mpclient.dat – containing encrypted shellcode and a secondary payload
- tier0.dll – a DLL linked to Valve’s Source Engine to aid stealth execution
The attack proceeds through DLL injection and process hollowing, allowing the malware to hide within legitimate system processes like svchost.exe.
“The Cronet_UrlRequest_Start export function searches for a process named svchost.exe… Once the process is located, it allocates memory within it and writes data to the allocated space,” the report explains. This sophisticated approach helps evade detection by security tools while maintaining persistence.
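A defender-side check for the two behaviours just described (a DLL named in the article loaded from outside the Windows system directories, and a non-system process creating a remote thread in svchost.exe), added here as an example that is not part of the Morphisec report or this article; the Sysmon-style event schema and the sample log lines are constructed.

```python
import json

# Artefact names taken from the article; the DLL list would be tuned in a real deployment.
SIDELOAD_DLLS = {"sscronet.dll", "tier0.dll"}
INJECTION_TARGET = "svchost.exe"
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def _trusted(path):
    """True when the image sits in a Windows system directory."""
    return path.lower().startswith(TRUSTED_DIRS)

def parse(log_text):
    """Parse one JSON event per line (constructed Sysmon-like schema)."""
    return [json.loads(l) for l in log_text.strip().splitlines() if l.strip()]

def detect(events):
    """Return (rule, source_image, object) tuples for suspicious events."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 7:  # image load (Sysmon EID 7)
            dll = _base(ev["ImageLoaded"])
            if dll in SIDELOAD_DLLS and not _trusted(ev["ImageLoaded"]):
                hits.append(("sideload", _base(ev["Image"]), dll))
        elif ev.get("EventID") == 8:  # remote thread created (Sysmon EID 8)
            if _base(ev["TargetImage"]) == INJECTION_TARGET and not _trusted(ev["SourceImage"]):
                hits.append(("remote_thread_into_svchost", _base(ev["SourceImage"]), _base(ev["TargetImage"])))
    return hits

# Constructed sample log: one benign system load, one sideload, one injection.
SAMPLE_LOG = r'''
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 7, "Image": "C:\\Users\\victim\\Downloads\\douyin.exe", "ImageLoaded": "C:\\Users\\victim\\Downloads\\sscronet.dll"}
{"EventID": 8, "SourceImage": "C:\\Users\\victim\\Downloads\\douyin.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
'''

if __name__ == "__main__":
    for hit in detect(parse(SAMPLE_LOG)):
        print(hit)
```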
The ValleyRAT payload enables extensive system control, with features including:
- Keylogging: The malware can record keystrokes and store them in sys.key for later exfiltration.
- Screen Monitoring: It enumerates and captures monitor data to track the victim’s screen activity.
- Process Injection & Execution: Uses APC injection, process hollowing, and DLL sideloading to run stealthily.
- Persistence Mechanisms: Achieved through registry modifications and disguised startup executables.
Notably, ValleyRAT also checks for VMware environments to evade analysis.
“The code checks if it is running inside a VMware virtual machine by looking for the ‘C:\Program Files\VMware\VMware Tools’ directory and specific VMware processes,” the report highlights.
Once fully deployed, ValleyRAT establishes communication with C2 servers, allowing the attackers to issue remote commands such as:
- Execute or drop DLLs and executables
- Download additional payloads
- Modify system registry keys
- Manipulate system processes
According to Morphisec, ValleyRAT is capable of executing encrypted payloads directly in memory, a technique designed to bypass traditional antivirus solutions.
Morphisec warns: “This actor has increasingly targeted key roles within organizations—particularly in finance, accounting, and sales departments—highlighting a strategic focus on high-value positions with access to sensitive data and systems.”