Cybercriminals are ramping up their efforts with new, deceptive tactics to deliver ValleyRAT, a potent remote access trojan (RAT), via fake Google Chrome download sites. These campaigns, believed to be orchestrated by the Silver Fox threat actor, have taken aim at high-value targets in Chinese-speaking regions and increasingly rely on DLL hijacking techniques to evade detection.
🎯 Who’s Being Targeted?
The campaigns predominantly target professionals in finance, sales, and accounting, roles with privileged access to sensitive data and systems. The malicious actors use drive-by download schemes to redirect users searching for Chrome to fraudulent websites hosting a ZIP archive containing Setup.exe.
Once executed, this file downloads additional payloads, including a legitimate copy of Douyin, the Chinese version of TikTok, which is then abused to sideload a rogue DLL (tier0.dll), ultimately launching ValleyRAT on the victim’s system.
🧪 Inside the Attack Chain
According to a Morphisec threat report, this operation uses clever evasion and persistence tactics:
Privilege Check: The setup binary first verifies that it is running with administrator access.
Payload Chain:
Douyin.exe: A legitimate application used to sideload the malicious DLL.
tier0.dll: Core payload loader for ValleyRAT.
sscronet.dll: Terminates specific processes to bypass security tools.
ValleyRAT itself is compiled in Chinese and written in C++. It is engineered to:
Log keystrokes
Capture screen activity
Establish command-and-control (C2) communication
Download and execute arbitrary binaries or DLLs
Maintain persistence on infected machines
ValleyRAT’s functionality mirrors other China-linked malware such as Gh0st RAT and Purple Fox, which were previously distributed through malicious installer packages impersonating Chrome.
🔐 Why DLL Hijacking Matters
A core tactic in this campaign is the use of DLL search order hijacking. This method abuses signed executables that inadvertently load malicious DLLs from directories under attacker control: because an application’s own directory is searched before the system directories, a rogue DLL dropped next to the executable is loaded in place of the legitimate one. The technique is stealthy because the process that runs the malicious code is a legitimate, signed binary, increasing the likelihood of bypassing traditional antivirus software.
🛡️ How to Stay Protected
Here are several proactive steps you or your organization can take to mitigate these threats:
Download from Trusted Sources Only: Encourage users to only download software from official vendor sites like Google Chrome’s official page.
Use EDR & Behavioral Detection: Implement endpoint detection and response tools that can detect suspicious behaviors, not just known malware signatures.
Patch Management: Regularly update all software and systems to eliminate vulnerabilities exploitable by DLL hijacking.
DLL Monitoring: Use tools to monitor for suspicious DLL sideloading or unusual process injection behavior.
Block IOCs and Domains: Integrate threat intelligence feeds that list known malicious domains and hashes associated with ValleyRAT.
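To make the DLL hijacking section and the "DLL Monitoring" step above concrete, here is an added defensive example (not code from the Morphisec report or from this article): a small Python triage that scans Sysmon-style ImageLoad (Event ID 7) records and flags the pattern described in the campaign, an executable running from a user-writable directory that loads an unsigned DLL from its own folder. The log lines, paths and the Douyin.exe/tier0.dll pairing are constructed sample data; only the field names follow Sysmon.

```python
"""Triage Sysmon-style ImageLoad records for DLL sideloading candidates.

Added example; all records below are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Constructed sample records in a simplified "Key=Value;Key=Value" line format.
SAMPLE_LOG = """\
Image=C:\\Users\\alice\\Downloads\\ChromeSetup\\Douyin.exe;ImageLoaded=C:\\Users\\alice\\Downloads\\ChromeSetup\\tier0.dll;Signed=false
Image=C:\\Users\\alice\\Downloads\\ChromeSetup\\Douyin.exe;ImageLoaded=C:\\Windows\\System32\\kernel32.dll;Signed=true
Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe;ImageLoaded=C:\\Program Files\\Google\\Chrome\\Application\\chrome_elf.dll;Signed=true
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe;ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\sscronet.dll;Signed=false
"""

# Locations a non-admin user can normally write to (assumed, extend as needed).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Locations where OS DLLs legitimately live; loads from here are not flagged.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_line(line):
    """Split one 'Key=Value;...' record into a dict with normalised paths."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";") if kv)
    return {
        "image": PureWindowsPath(fields["Image"].lower()),
        "loaded": PureWindowsPath(fields["ImageLoaded"].lower()),
        "signed": fields.get("Signed", "false").lower() == "true",
    }


def is_sideload_candidate(rec):
    """True when an unsigned DLL is loaded from the host executable's own
    directory and that directory is user-writable (the sideloading pattern)."""
    dll_dir = str(rec["loaded"].parent) + "\\"
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # normal OS DLL load, e.g. kernel32.dll
    same_dir = rec["loaded"].parent == rec["image"].parent
    from_writable = dll_dir.startswith(USER_WRITABLE)
    return same_dir and from_writable and not rec["signed"]


def triage(log_text):
    """Return the (lower-cased) paths of DLLs that match the heuristic."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_sideload_candidate(rec):
            hits.append(str(rec["loaded"]))
    return hits


if __name__ == "__main__":
    for path in triage(SAMPLE_LOG):
        print("sideload candidate:", path)
```

The heuristic deliberately ignores loads from System32/SysWOW64 and from non-writable install locations such as Program Files, so chrome.exe loading its own chrome_elf.dll is not flagged while the extracted-ZIP Douyin.exe/tier0.dll pair is.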
🧬 Related Threats: SVG Phishing and AutoIt Malware
This discovery comes alongside another Sophos report highlighting phishing campaigns using SVG file attachments to bypass email security filters. These attachments deliver AutoIt-based keystroke loggers like Nymeria, or redirect users to credential phishing pages—expanding the ecosystem of stealthy, multi-stage threats.
📝 Final Thoughts
This campaign underscores a broader trend in cybercrime: blending social engineering with technical stealth, such as DLL hijacking and signed executable abuse. As malware like ValleyRAT grows more modular and evasive, organizations must shift from reactive to proactive cybersecurity postures.
If your business needs help protecting against advanced threats like these, CloudVanguard IT provides 24/7 threat monitoring, endpoint protection, and compliance assessments tailored for industries like law, logistics, and finance.