Cyber attackers are leveraging fraudulent websites disguised as legitimate Google Chrome download pages to distribute a dangerous remote access trojan (RAT) known as ValleyRAT. This sophisticated malware campaign employs DLL hijacking techniques to infect unsuspecting users.
Who Is Behind the Attack?
ValleyRAT, first identified in 2023, has been linked to the Silver Fox threat actor group. Previous attack campaigns have primarily targeted Chinese-speaking regions such as Hong Kong, Taiwan, and Mainland China. However, recent evidence suggests that cybercriminals are increasingly focusing on high-value corporate targets, particularly in finance, accounting, and sales departments—sectors that have access to sensitive company data and financial systems.
"This actor has increasingly targeted key roles within organizations, highlighting a strategic focus on high-value positions with access to sensitive data and systems," said Shmuel Uzan, a security researcher at Morphisec.
How ValleyRAT is Delivered
Attackers are deploying ValleyRAT through malicious software installers that often include other malware strains such as Purple Fox and Gh0st RAT—both commonly used by Chinese hacking groups. As recently as January 2025, fake software installers have served as a primary vector for distributing ValleyRAT, using a DLL loader called PNGPlug.
A similar campaign previously targeted Chinese-speaking Windows users, using malicious Chrome installer packages to deliver Gh0st RAT via a drive-by download scheme.
New Attack Method: Fake Chrome Download Pages
The latest iteration of the ValleyRAT campaign involves fake Google Chrome websites designed to deceive users into downloading a ZIP archive containing a malicious Setup.exe file.
"The deceptive Chrome installer site was previously leveraged to download the Gh0st RAT payload, suggesting a connection between these attack clusters," said Michael Gorelik, CTO at Morphisec.
These fake Chrome download links are widely distributed through drive-by downloads, targeting users who search for the browser online. Unsuspecting victims inadvertently download the compromised installer, exposing them to malware infection.
How ValleyRAT Executes the Attack
Once executed, the Setup.exe binary performs the following malicious actions:
Privilege Escalation: Checks for administrator privileges before proceeding.
Payload Deployment: Downloads four additional payloads, including a legitimate executable associated with Douyin (Chinese TikTok).
DLL Hijacking: Uses Douyin.exe to sideload a malicious tier0.dll file, which then executes ValleyRAT.
Process Termination: Retrieves another DLL (sscronet.dll) that kills any process listed in an internal exclusion list.
ValleyRAT Capabilities
Written in C++ and compiled in Chinese, ValleyRAT is designed to:
Monitor screen activity
Log keystrokes
Establish persistence on the host system
Communicate with a remote command-and-control (C2) server
Enumerate running processes
Download and execute additional malicious DLLs and binaries
Attackers abuse legitimate signed executables that are vulnerable to DLL search order hijacking, allowing ValleyRAT to evade detection and gain unauthorized system access.
Phishing Attacks Using SVG Attachments
This development coincides with Sophos’ latest findings on phishing attacks utilizing Scalable Vector Graphics (SVG) attachments. These SVG-based attacks help malware evade security detection, enabling the delivery of AutoIt-based keyloggers like Nymeria or directing victims to credential harvesting pages.
Protect Yourself from ValleyRAT Attacks
To safeguard against these malware threats, users and organizations should:
Download software only from official sources (Google Chrome’s official site, verified app stores).
Avoid clicking on suspicious links in emails, social media, or search results.
Use endpoint security solutions that detect and block DLL hijacking attempts.
Regularly update software and operating systems to patch known vulnerabilities.
Enable multi-factor authentication (MFA) to secure sensitive accounts.
Final Thoughts
Cybercriminals continue to evolve their tactics, leveraging fake websites and DLL hijacking to distribute malware. The ValleyRAT campaign serves as a stark reminder of the importance of cyber hygiene, vigilance, and advanced threat detection mechanisms to mitigate security risks.