New ValleyRAT malware spreading via fake Chrome downloads
A new variant of the well-known Remote Access Trojan (RAT) ValleyRAT has been discovered in a sophisticated campaign in which users are tricked into installing fake versions of Google Chrome. According to cybersecurity firm Morphisec, which identified the latest campaign, this variant is even more advanced than previous versions and appears to be linked to the Chinese threat group Silver Fox.
Introduction to ValleyRAT
ValleyRAT is a sophisticated, multi-stage malware attributed to the Silver Fox APT group. This remote access trojan (RAT) primarily targets Chinese-speaking users through coordinated phishing campaigns, aiming to monitor and control infected systems. Designed to deploy additional malicious plugins for further damage, ValleyRAT represents a significant threat to organizations. Its ability to evade detection by loading its components in stages allows it to remain hidden and persistent on the target system throughout the attack.
Infection chain
The ValleyRAT infection chain begins with a phishing email or a malicious website that tricks the user into downloading a malicious MSI package disguised as legitimate software. The package abuses the Windows Installer’s CustomAction feature, which lets an installer run arbitrary code during installation, to execute an embedded malicious DLL. That DLL decrypts an archive named all.zip with the hardcoded password “hello202411” and extracts the core malware components, so the payload is unpacked as an ordinary-looking installation step without raising suspicion.
How is ValleyRAT malware spread?
Attackers use phishing attacks to deliver malicious files disguised as legitimate software through fake download websites, distributing a convincingly legitimate but malicious version of Chrome. One of the domains identified in the campaign is anizom[.]com. When a user downloads and runs the fake installation file, a series of malicious activities is triggered:
- Downloads a malicious .NET executable, which checks whether the infected system is running with administrative privileges.
- Fetches a DLL named sscronet.dll and injects malicious code into Windows system processes, including svchost.exe, so the malware runs persistently without being noticed.
- Uses DLL sideloading through a modified version of the Chinese TikTok app (Douyin) to mask its presence and avoid antivirus detection.
- Uses legitimate game files from ‘Left 4 Dead 2’ and ‘Killing Floor 2’ to inject and execute malware via nslookup.exe, a commonly used Windows tool, making detection even harder for security solutions.
- Deploys the final ValleyRAT payload from a file called mpclient.dat, which is executed directly in memory using Donut shellcode, so traditional antivirus programs that rely on files written to disk fail to detect it.
- Establishes communication with a remote command-and-control (C2) server, allowing attackers to issue commands, exfiltrate sensitive data, and install additional malware payloads.
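Each step in the chain above leaves a trace a defender can look for: nslookup.exe started by an unexpected parent, a remote thread created in svchost.exe or nslookup.exe from a non-system binary, a load of sscronet.dll, a file named mpclient.dat appearing on disk, a DNS query for anizom.com, or nslookup.exe talking to something other than port 53. The following Python script is an added example, not part of the original article or of Morphisec’s research: it encodes those indicators as rules and runs them over a handful of constructed Sysmon-style events (field names follow Sysmon’s conventions; the user paths, the game launcher name, the Douyin executable path and the allowlist of benign parents for nslookup.exe are assumptions made for the example).

```python
"""Detection rules for the ValleyRAT infection-chain indicators, run over Sysmon-style events.

Added example for illustration; the sample events below are constructed, not captured telemetry.
"""
import json
from collections import Counter

# Indicators taken from the article. Everything else in this script is an assumption.
WATCHED_DLLS = {"sscronet.dll"}
WATCHED_FILES = {"mpclient.dat"}
WATCHED_DOMAINS = {"anizom.com"}            # written anizom[.]com in the article
INJECTION_TARGETS = {"svchost.exe", "nslookup.exe"}

# Assumed benign parents for nslookup.exe (interactive shells and the desktop); tune per estate.
NSLOOKUP_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev):
    """Return a list of (rule, detail) findings for one event; empty when nothing matches."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1:    # process creation: nslookup.exe launched by an unusual parent
        if basename(ev["Image"]) == "nslookup.exe" and basename(ev["ParentImage"]) not in NSLOOKUP_PARENTS:
            findings.append(("nslookup_unusual_parent", f'{ev["ParentImage"]} -> {ev["Image"]}'))
    elif eid == 7:  # image load: a DLL name from the article's chain
        if basename(ev["ImageLoaded"]) in WATCHED_DLLS:
            findings.append(("watched_dll_loaded", f'{ev["Image"]} loaded {ev["ImageLoaded"]}'))
    elif eid == 8:  # CreateRemoteThread: non-system binary injecting into a system process
        if basename(ev["TargetImage"]) in INJECTION_TARGETS and not in_system_dir(ev["SourceImage"]):
            findings.append(("remote_thread_into_system_process", f'{ev["SourceImage"]} -> {ev["TargetImage"]}'))
    elif eid == 11:  # file create: payload container written to disk
        if basename(ev["TargetFilename"]) in WATCHED_FILES:
            findings.append(("watched_file_created", ev["TargetFilename"]))
    elif eid == 22:  # DNS query for a watched domain or any of its subdomains
        q = ev["QueryName"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append(("watched_domain_query", f'{ev["Image"]} queried {q}'))
    elif eid == 3:  # network connection: nslookup.exe should only ever talk to DNS (port 53)
        if basename(ev["Image"]) == "nslookup.exe" and int(ev["DestinationPort"]) != 53:
            findings.append(("nslookup_non_dns_connection", f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return findings


def analyse(events):
    """Apply every rule to every event and return all findings in event order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


def summarise(findings):
    """Count findings per rule, handy for a quick triage view."""
    return Counter(rule for rule, _ in findings)


def parse_jsonl(text):
    """Parse one JSON object per line, as exported by most Sysmon forwarders."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events: six that mirror the chain described in the article, two benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\nslookup.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\game_launcher.exe"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\douyin\\Douyin.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\douyin\\sscronet.dll"},
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\mpclient.dat"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\nslookup.exe", "QueryName": "anizom.com"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\nslookup.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # benign: interactive nslookup and a browser loading a system DLL
    {"EventID": 1, "Image": "C:\\Windows\\System32\\nslookup.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
    print(dict(summarise(analyse(SAMPLE_EVENTS))))
```

Run against a real export with `analyse(parse_jsonl(open("sysmon.jsonl").read()))`. The rules are deliberately narrow and keyed to this campaign’s artefacts; the nslookup.exe parent and port checks are the two that generalise, since that binary has no business being spawned by a game launcher or connecting anywhere but a DNS resolver.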
If you’re unsure about what malware is and how it operates, dive into our blog post on malware to learn more.
Why is ValleyRAT a critical threat as a remote access trojan?
ValleyRAT represents a significant escalation in cyber threats due to its advanced stealth capabilities, modular functionality, and ability to persist within infected systems. During installation, the malware initialises its command-and-control (C2) IP addresses and ports, which are embedded in its code. Unlike traditional malware that relies on disk-based execution, ValleyRAT leverages memory-based techniques to bypass security measures, which makes it highly difficult for traditional antivirus solutions to detect and remove.
Furthermore, ValleyRAT’s ability to utilize legitimate Windows processes and trusted third-party software as part of its infection chain highlights the growing sophistication of cybercriminals. By leveraging widely used applications and system tools, the malware can remain hidden for extended periods while executing malicious actions in the background.
Who is behind the attack?
The latest variant of ValleyRAT has been linked to Silver Fox, a Chinese threat actor previously involved in cybercrime and cyber espionage against both businesses and government organizations. This group has a history of:
- Using RATs to steal sensitive corporate data and financial information.
- Engaging in long-term cyber espionage campaigns targeting critical industries.
- Deploying malware variants that exploit legitimate system tools to evade detection.
Given their past activity, it is likely that Silver Fox is using ValleyRAT as part of a broader intelligence-gathering operation, potentially selling stolen information or leveraging it for state-sponsored cyber activities.
Who are the targets?
This campaign appears to be specifically targeting:
- Financial institutions, likely to gain access to banking credentials and transactional data.
- Accounting and auditing firms, where valuable financial records and confidential data are stored.
- Sales and marketing departments in corporations, as they handle large volumes of customer and business data.
The objective is to steal business-critical data, login credentials, and sensitive corporate documents that can be used for further cybercriminal activities, including fraud, ransomware attacks, or insider trading schemes. Learn more about how ransomware works and how to protect against it in our blog post.
How to protect against ValleyRAT's malicious code
To avoid falling victim to this type of malware, businesses and individuals should follow these security measures:
- Avoid downloading software from unknown sources – Always verify download URLs and only obtain software from official websites.
- Keep your software updated – Ensure operating systems, browsers, and security tools receive regular updates and patches.
- Implement endpoint protection solutions – Use behavioral-based detection tools that can identify memory-based malware threats. Malware often interacts with the Process Environment Block (PEB) to modify process parameters and execute malicious code, thereby evading detection.
- Train employees in cybersecurity awareness – Conduct regular training sessions to educate staff on phishing attacks, fake download scams, and social engineering tactics.
- Monitor network traffic for anomalies – Set up intrusion detection systems (IDS) to track unusual activity and unauthorized communications to external servers.
- Use application whitelisting – Restrict the execution of non-approved applications to prevent unauthorized software from running.
- Deploy a robust incident response plan – Have a structured protocol in place to mitigate malware infections and respond to security breaches efficiently.
Conclusion
ValleyRAT is a clear example of the increasing sophistication of modern cyber threats. This new variant not only expands on previous capabilities but also integrates cutting-edge evasion techniques that make detection and mitigation challenging. Organizations must remain vigilant, implementing strong cybersecurity policies and proactive defense strategies to counteract these evolving threats. Moxso can help strengthen your team's cybersecurity awareness with training programs designed to prevent cyber threats.
The discovery of ValleyRAT by Morphisec underscores the growing importance of behavioral analysis, memory-based threat detection, and continuous monitoring in cybersecurity. Without these advanced security layers, organizations remain vulnerable to persistent cyber espionage and data theft campaigns that can have devastating financial and reputational consequences.
Given its highly targeted nature and advanced stealth tactics, ValleyRAT serves as a reminder that cybercriminals are continuously innovating. Staying informed and adopting a proactive security mindset is the best way to protect against emerging cyber threats like this one.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.