📰 Fake LINE Messenger Installer Spreads ValleyRAT Malware

A fake LINE messenger installer is being used to spread ValleyRAT malware. The campaign, linked to the Silver Fox APT, targets Chinese-speaking users for credential theft. 🦊 #Malware #ValleyRAT #CyberSecurity

🔗 https://cyber.netsecops.io/articles/fake-line-installer-spreads-valleyrat-malware/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

Fake LINE Messenger Installer Spreads ValleyRAT Malware

The Silver Fox APT group is distributing the ValleyRAT remote access trojan through a trojanized installer for the LINE messaging app to steal credentials from Chinese-speaking users.

CyberNetSec.io
Fake Installer: Ultimately, ValleyRAT infection
#ValleyRAT
https://www.cybereason.com/blog/fake-installer-valleyrat
Fake Installer: Ultimately, ValleyRAT infection

In this Threat Analysis Report, Cybereason explores the fake installer, ValleyRAT

ANY.RUN

Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.

#CheckPoint Research exposed #ValleyRAT’s modular system, including a kernel-mode #rootkit that can remain loadable on fully updated #Windows 11 despite built-in protections. The research linked leaked builder artifacts to plugins and identified about 6,000 samples, with roughly 85 percent emerging in the last six months after the builder’s public release.

https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/

Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits - Check Point Research

Highlights: Introduction Throughout 2025, we conducted and published several reports related to our research on the Silver Fox APT. In some of them (for example, here), the threat actor delivered the well-known ValleyRAT backdoor, also referred to as Winos or Winos4.0, as the final stage. Since this malware family is widely used, modular, and often associated with Chinese threat actors […]

Check Point Research

New analysis reveals a Silver Fox operation using a fake Microsoft Teams installer to deploy ValleyRAT in attacks targeting China-based users.

The campaign mixes SEO poisoning, Cyrillic false-flag elements, DLL injection, and BYOVD techniques - making detection and attribution more challenging.

Researchers also note a secondary chain using a trojanized Telegram installer.

What’s your perspective on increased abuse of trusted-app installers in malware campaigns?

Source: https://thehackernews.com/2025/12/silver-fox-uses-fake-microsoft-teams.html

💬 Join the discussion
👍 Boost & follow for more threat intelligence

#CyberSecurity #ThreatIntel #ValleyRAT #SilverFox #InfoSec #MalwareResearch #SecurityOps #CyberThreats

Mentioned Malware Families: ValleyRAT, PureRAT

Aliases for ValleyRAT: win.valley_rat, Winos
Malpedia link for ValleyRAT: https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat
Aliases for PureRAT: win.pure_rat, PureHVNC, ResolverRAT
Malpedia link for PureRAT: https://malpedia.caad.fkie.fraunhofer.de/details/win.pure_rat

#ValleyRAT #PureRAT

Aliases provided by Malpedia.

ValleyRAT (Malware Family)

Details for the ValleyRAT malware family including references, samples and yara signatures.

RE: https://infosec.exchange/@VirusBulletin/115660902138702248

How is this #ValleyRAT? It looks, swims and quacks like #PureRAT.
Here are some typical PureRAT indicators:
.NET malware
🔑 TLS version is 1.0
🫆 JA3 fc54e0d16d9764783542f0146a98b300 / 07af4aa9e4d215a5ee63f9a0a277fbe3
🫆 JA4 t10i070500_c50f5591e341_950472255fe9 / t10i060500_4dc025c38c38_950472255fe9
🫆 JA3S b74704234e6128f33bff9865696e31b3
📝 X.509 cert expires 9999-12-31 23:59:59 UTC
📡 C2 often runs on TCP 56001
All of them match on the sample analyzed in Trend's report
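The indicators listed in the post above can be turned into a simple triage rule. The following is an added example (not code from the post's author or from any vendor report): it scans constructed, Zeek-style ssl.log records in newline-delimited JSON (the field names are an assumption) and reports connections matching two or more of the quoted PureRAT indicators, since TLS 1.0 or a far-future certificate expiry alone also occur in benign legacy traffic.

```python
import json
from datetime import datetime, timezone

# Indicator values quoted from the post above (attributed to PureRAT there).
PURERAT_JA3 = {"fc54e0d16d9764783542f0146a98b300", "07af4aa9e4d215a5ee63f9a0a277fbe3"}
PURERAT_JA4 = {"t10i070500_c50f5591e341_950472255fe9", "t10i060500_4dc025c38c38_950472255fe9"}
PURERAT_JA3S = {"b74704234e6128f33bff9865696e31b3"}
PURERAT_CERT_NOT_AFTER = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
PURERAT_PORT = 56001

# Constructed sample records in an assumed Zeek-like ssl.log JSON shape.
# C1: every indicator; C2: normal TLS 1.3 traffic; C3: partial match on a non-default port.
SAMPLE_LOG = """
{"uid":"C1","id.resp_h":"203.0.113.10","id.resp_p":56001,"version":"TLSv10","ja3":"fc54e0d16d9764783542f0146a98b300","ja4":"t10i070500_c50f5591e341_950472255fe9","ja3s":"b74704234e6128f33bff9865696e31b3","cert_not_valid_after":"9999-12-31T23:59:59Z"}
{"uid":"C2","id.resp_h":"203.0.113.20","id.resp_p":443,"version":"TLSv13","ja3":"0000","ja4":"t13d","ja3s":"1111","cert_not_valid_after":"2026-03-01T00:00:00Z"}
{"uid":"C3","id.resp_h":"203.0.113.30","id.resp_p":8443,"version":"TLSv10","ja3":"07af4aa9e4d215a5ee63f9a0a277fbe3","ja4":"t10i060500_4dc025c38c38_950472255fe9","ja3s":"2222","cert_not_valid_after":"9999-12-31T23:59:59Z"}
"""


def match_indicators(rec: dict) -> list[str]:
    """Return the names of the quoted indicators that one TLS record matches."""
    hits = []
    if rec.get("version") == "TLSv10":
        hits.append("tls1.0")
    if rec.get("ja3") in PURERAT_JA3:
        hits.append("ja3")
    if rec.get("ja4") in PURERAT_JA4:
        hits.append("ja4")
    if rec.get("ja3s") in PURERAT_JA3S:
        hits.append("ja3s")
    expiry = rec.get("cert_not_valid_after")
    if expiry:
        # Compare as a timezone-aware datetime so "Z" and "+00:00" spellings both match.
        when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if when == PURERAT_CERT_NOT_AFTER:
            hits.append("cert_9999")
    if rec.get("id.resp_p") == PURERAT_PORT:
        hits.append("port56001")
    return hits


def scan(log_text: str, min_hits: int = 2) -> dict[str, list[str]]:
    """Parse NDJSON records and return {uid: matched indicators} for those at or above min_hits."""
    alerts = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        hits = match_indicators(rec)
        if len(hits) >= min_hits:
            alerts[rec["uid"]] = hits
    return alerts


if __name__ == "__main__":
    for uid, hits in scan(SAMPLE_LOG).items():
        print(f"{uid}: {len(hits)} indicators matched: {', '.join(hits)}")
```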

Mentioned Malware Families: PseudoManuscrypt, ValleyRAT

Aliases for PseudoManuscrypt: win.pseudo_manuscrypt
Malpedia link for PseudoManuscrypt: https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt
Aliases for ValleyRAT: win.valley_rat, Winos
Malpedia link for ValleyRAT: https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat

#PseudoManuscrypt #ValleyRAT

Aliases provided by Malpedia.

PseudoManuscrypt (Malware Family)

According to PCrisk, PseudoManuscrypt is the name of the malware that spies on victims. It is similar to another malware called Manuscrypt. We have discovered PseudoManuscrypt while checking installers for pirated software (one of the examples is a fake pirated installer for SolarWinds - a network monitoring software).