A group of attackers has built a fake version of the Huorong Security antivirus website to trick users into downloading ValleyRAT, a Remote Access Trojan (RAT) built on the Winos4.0 framework.
The campaign is linked to the Silver Fox APT group, a Chinese-speaking threat actor known for distributing trojanized versions of popular Chinese software.
Huorong Security, known in Chinese as 火绒, is a free antivirus product widely used across mainland China. The attackers registered huoronga[.]com — a near-perfect copy of the legitimate huorong.cn — with just one extra letter added at the end.
This typosquatting trick catches users who mistype the address or arrive via a phishing link. The page looks convincing enough that most visitors would suspect nothing.
Malwarebytes analysts identified the full infection chain, noting that when a visitor clicks the download button, the request is silently routed through an intermediary domain before the payload is served from Cloudflare R2 storage.
The file, named BR火绒445[.]zip, uses Huorong’s Chinese name to keep the disguise intact up to the point of execution.
The attack does not rely on a zero-day exploit to work. It depends entirely on a convincing website, a realistic installer, and the assumption that many users simply click the first search result.
Since the lure is a security product, the deception is even more effective — targeting people actively trying to protect themselves.
Once ValleyRAT is installed, attackers can monitor victims, steal sensitive data, and remotely control the compromised system.
The malware captures keystrokes, reads browser cookie files, queries system information, and injects code into other processes for stealthy execution.
Its modular design allows additional capabilities to be downloaded on demand, making the full scope of an infection difficult to measure.
Persistence and Evasion Tactics
After gaining access, ValleyRAT instructs Windows Defender via PowerShell to ignore its persistence directory (AppData\Roaming\trvePath) and its main process (WavesSvc64.exe).
It then creates a scheduled task named “Batteries” at C:\Windows\Tasks\Batteries.job, which re-runs the malware on every system boot and reconnects to its C2 server at 161.248.87[.]250 over TCP port 443.
To stay hidden, the malware deletes and rewrites its own core files to avoid signature detection. It also checks for debuggers and virtual machine environments before fully deploying.
Configuration data, including the encoded C2 domain yandibaiji0203[.]com, is stored in the registry under HKCU\SOFTWARE\IpDates_info.
Organizations should block outbound connections to 161.248.87[.]250, audit Defender exclusions for unauthorized changes, and search endpoints for the “Batteries” scheduled task and the %APPDATA%\trvePath directory as signs of infection.
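The checks recommended above, as an added host-triage script that is not part of the article or of the Malwarebytes analysis. It uses only the artifacts listed on this page (Defender exclusions, the “Batteries” task, the trvePath directory, the registry keys, the log file and the C2 address); run it in an elevated PowerShell session on a Windows endpoint.

```powershell
# Added example, not the article's own tooling: hunts for the ValleyRAT
# artifacts described above. Findings are collected and returned as a list.
$findings = @()

# 1. Defender exclusions the malware adds for its directory and main process
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -like '*\trvePath*') { $findings += "Defender path exclusion: $p" }
}
foreach ($p in @($pref.ExclusionProcess)) {
    if ($p -like '*WavesSvc64.exe*') { $findings += "Defender process exclusion: $p" }
}

# 2. The "Batteries" task: legacy .job file and Task Scheduler registration
$job = 'C:\Windows\Tasks\Batteries.job'
if (Test-Path $job) { $findings += "Scheduled task file present: $job" }
$task = Get-ScheduledTask -TaskName 'Batteries' -ErrorAction SilentlyContinue
if ($task) { $findings += "Scheduled task registered: $($task.TaskPath)$($task.TaskName)" }

# 3. Persistence directory: check every user profile, not only the current one
foreach ($dir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $p = Join-Path $dir.FullName 'AppData\Roaming\trvePath'
    if (Test-Path $p) { $findings += "Persistence directory: $p" }
}

# 4. Registry configuration keys (HKCU covers the current user only; other
#    users' hives must be inspected under HKEY_USERS or loaded separately)
foreach ($key in 'HKCU:\SOFTWARE\IpDates_info',
                 'HKCU:\Console\451b464b7a6c2ced348c1866b59c362e') {
    if (Test-Path $key) { $findings += "Registry key: $key" }
}

# 5. Log file and any live connection to the C2 address
$log = 'C:\ProgramData\DisplaySessionContainers.log'
if (Test-Path $log) { $findings += "Log file: $log" }
$c2 = Get-NetTCPConnection -RemoteAddress '161.248.87.250' -ErrorAction SilentlyContinue
if ($c2) { $findings += "Live connection to C2 on port(s): $($c2.RemotePort -join ',')" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
else { Write-Host 'No ValleyRAT indicators found on this host.'; exit 0 }
```

A non-zero exit code makes the script usable from an EDR or scheduled sweep; the Defender exclusion check is the one most worth running fleet-wide, since any unexpected exclusion is suspicious regardless of this campaign.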
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Fake Domain | huoronga[.]com |
| Fake Domain | huorongcn[.]com |
| Fake Domain | huorongh[.]com |
| Fake Domain | huorongpc[.]com |
| Fake Domain | huorongs[.]com |
| Redirect Domain | hndqiuebgibuiwqdhr[.]cyou |
| Payload Host | pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev |
| C2 IP | 161.248.87[.]250 (TCP 443) |
| Encoded C2 Domain | yandibaiji0203[.]com |
| Scheduled Task | C:\Windows\Tasks\Batteries.job |
| Persistence Directory | %APPDATA%\trvePath |
| Registry Key | HKCU\SOFTWARE\IpDates_info |
| Registry Key | HKCU\Console\451b464b7a6c2ced348c1866b59c362e |
| Log File | C:\ProgramData\DisplaySessionContainers.log |