
Fake Huorong security site infects users with ValleyRAT

· Published 23/02/2026 15:00 · Modified 23/02/2026 22:51

Essential information

Published
23/02/2026 15:00
Modified
23/02/2026 22:51
Tags
2026-02-23 antivirus impersonation apt china dll sideloading huorong security remote access trojan typosquatting valleyrat winos4.0
Related entities
7 observables, 1 intrusion sets (apt), 13 techniques (mitre), 8 others

Description

A campaign attributed to the Silver Fox group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT (also tracked as Winos4.0), a remote access trojan. The attackers created a convincing lookalike website on a typosquatted domain to trick users into downloading a malicious installer. The installer uses DLL sideloading to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT gives attackers extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems, but the malware may spread to other threat actors because its builder has been publicly leaked.
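The description lists four behaviours a defender can hunt for: a typosquatted lookalike domain, DLL sideloading from the installer, scheduled-task persistence, and Windows Defender being disabled. The following is an added example written for this page, not code from the advisory or from any referenced report, showing crude heuristic rules for each over constructed Sysmon-style events. Every path, task name, domain and registry value below is invented for illustration; the vendor domain `huorong.cn` and the set of commonly sideloaded DLL names are assumptions, not indicators taken from the campaign.

```python
"""Heuristic hunting rules for the behaviours described in the ValleyRAT advisory.

Added example, not part of the original page. All telemetry below is constructed;
nothing here is a real indicator from the Silver Fox campaign.
"""
import ntpath

# Constructed sample telemetry. Field names loosely follow Sysmon
# (EventID 7 = image load, EventID 1 = process create, EventID 13 = registry value set).
SAMPLE_EVENTS = [
    # Unsigned DLL with a Windows-system-DLL name loaded from the installer's own folder.
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\HuorongSetup\updater.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\HuorongSetup\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign: the real system DLL loaded from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Scheduled task whose action lives in a user-writable directory.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "SysUpdate" /tr "C:\Users\alice\AppData\Roaming\svc.exe" /sc onlogon /ru SYSTEM'},
    # Defender policy value flipped to 1 by a process in AppData.
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
]

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Placeholder set of DLL names that normally live in System32 and are often abused for
# sideloading; in production, populate this from an inventory of the real System32 directory.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll"}
DEFENDER_KILL_VALUES = ("disableantispyware", "disablerealtimemonitoring", "disablebehaviormonitoring")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to measure how close a domain is to the brand it imitates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_typosquat(candidate: str, legit: str, max_distance: int = 2) -> bool:
    """True when the hostname is within a couple of edits of the legitimate one but not equal."""
    c, l = candidate.lower().rstrip("."), legit.lower().rstrip(".")
    return c != l and levenshtein(c, l) <= max_distance


def dll_sideload(ev: dict) -> bool:
    """A system-DLL name loaded unsigned from the host executable's own directory, outside Windows."""
    if ev.get("EventID") != 7:
        return False
    loaded = ev["ImageLoaded"].lower()
    if ntpath.basename(loaded) not in SYSTEM_DLL_NAMES:
        return False
    from_system = any(loaded.startswith(d) for d in WINDOWS_DIRS)
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(ev["Image"].lower())
    return (not from_system) and same_dir and ev.get("Signed", "").lower() != "true"


def schtask_persistence(ev: dict) -> bool:
    """schtasks /create whose action points into a user-writable location."""
    if ev.get("EventID") != 1 or ntpath.basename(ev["Image"].lower()) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "/create" in cmd and any(p in cmd for p in USER_WRITABLE)


def defender_tamper(ev: dict) -> bool:
    """A Windows Defender disable-* policy value being set to 1."""
    if ev.get("EventID") != 13:
        return False
    target = ev["TargetObject"].lower()
    return ("windows defender" in target
            and target.rsplit("\\", 1)[-1] in DEFENDER_KILL_VALUES
            and ev.get("Details", "").endswith("(0x00000001)"))


RULES = (("dll_sideload", dll_sideload),
         ("schtask_persistence", schtask_persistence),
         ("defender_tamper", defender_tamper))


def hunt(events: list) -> list:
    """Return (rule name, offending image) pairs in event order."""
    return [(name, ev["Image"]) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for rule_name, image in hunt(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
    print("typosquat:", is_typosquat("huorang.cn", "huorong.cn"))  # assumed vendor domain
```

These rules are deliberately loose: many legitimate installers ship DLLs alongside their executable, so the sideload rule should be narrowed with the host binary's signer and the DLL's hash in real use, and the typosquat check only catches near-identical hostnames, not homoglyphs or brand-plus-keyword registrations.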

External references