Fake Huorong Security Website Distributes ValleyRAT Malware

Out of nowhere, fake versions of Huorong Security’s antivirus began appearing online. These copies weren’t harmless mistakes – they carried a powerful spying tool called ValleyRAT. Instead of protecting devices, the malicious installers opened backdoors.

Visitors reached these traps by mistyping web addresses, landing on look-alike sites. Behind it all, hackers counted on brand loyalty to slip past suspicion. Once inside, their malware dug in deep, staying hidden as it gained control.

Users who thought they were updating their protection actually invited an intrusion. Trust became the weakest link. The real danger wasn’t just the code – it was how closely the fakes mirrored the original. Quiet persistence replaced loud attacks, making detection harder.

Campaign Mechanics

Attackers registered domains like huoronga[.]com, mimicking the official huorong.cn site with near-identical visuals to fool visitors. Users arriving via mistyped URLs, search poisoning, or phishing links encounter a convincing fake download page offering the “BR火绒445[.]zip” file, named in Chinese characters to sustain the deception.
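The typosquatting described above can be triaged mechanically. The following is an added example, not code from the article or the researchers it cites: it refangs indicators, compares the brand label of each domain against the legitimate huorong.cn by substring match and Levenshtein edit distance, and groups the results. The fake domains are the ones the article lists; huorng.cn and example.com are constructed inputs, and the code assumes a single-label public suffix (.cn, .com), which holds for every domain on this page.

```python
"""Triage candidate domains against the brand they impersonate.

Added example, not code from the article or from the researchers it cites.
The legitimate domain (huorong.cn) and the fake domains are the article's
IOCs; the other inputs are constructed. Assumption: the public suffix is a
single label (.cn, .com), which holds for every domain on this page.
"""
from __future__ import annotations

LEGIT_DOMAIN = "huorong.cn"


def refang(indicator: str) -> str:
    """Turn a defanged 'huoronga[.]com' into 'huoronga.com' for comparison."""
    return indicator.replace("[.]", ".").strip().lower()


def registrable(domain: str) -> tuple[str, str]:
    """Split 'www.huorong.cn' into its brand label and TLD: ('huorong', 'cn')."""
    parts = domain.split(".")
    if len(parts) < 2:
        return domain, ""
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one domain."""
    d = refang(domain)
    if d == legit or d.endswith("." + legit):
        return "legitimate"          # the real site or a sub-domain of it
    label, _tld = registrable(d)
    legit_label, _ = registrable(legit)
    # Brand label reused verbatim under another TLD or with an added suffix
    # (huoronga.com, huorongcn.com), or a near-miss typo (huorng.cn).
    if legit_label in label or levenshtein(label, legit_label) <= max_distance:
        return "lookalike"
    return "unrelated"


def triage(domains: list[str]) -> dict[str, list[str]]:
    """Group a list of observed domains by verdict."""
    buckets: dict[str, list[str]] = {"legitimate": [], "lookalike": [], "unrelated": []}
    for dom in domains:
        buckets[classify(dom)].append(dom)
    return buckets


# Mix of the article's fake domains, the real site, and constructed noise.
SAMPLE_DOMAINS = [
    "huoronga[.]com", "huorongcn[.]com", "huorongh[.]com", "huorongpc[.]com",
    "huorongs[.]com", "huorong.cn", "www.huorong.cn",
    "huorng.cn",        # constructed typo
    "example.com",      # constructed benign
]

if __name__ == "__main__":
    for verdict, doms in triage(SAMPLE_DOMAINS).items():
        print(f"{verdict:11s} {', '.join(doms)}")
```

The substring rule catches the brand-plus-suffix pattern this campaign used; the edit-distance rule catches single-character typos that the substring rule would miss. Both are deliberately loose, since a hunt over proxy or DNS logs is better served by a few false positives than by a missed look-alike.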

Upon clicking download, traffic routes through hndqiuebgibuiwqdhr[.]cyou to Cloudflare R2 storage at pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev, leveraging trusted infrastructure for payload delivery. The ZIP contains a trojanized NSIS installer, chosen for its benign reputation and familiar installation flow, that drops a desktop shortcut “火绒.lnk” to mimic a successful antivirus setup.​

The installer drops its files into the Temp folder, mixed among benign-looking items: FFmpeg libraries sit beside counterfeit .NET repair tools, with copies of Huorong diagnostic utilities tucked close by. Hidden among them is the malicious component WavesSvc64.exe, which poses as a legitimate gaming audio helper, down to debug information pointing at ordinary-looking source paths.

Figure: Fake Huorong Security site

Another file, DuiLib_u.dll, waits silently until it is called. A small configuration file, box.ini, holds obfuscated data that only the loader decodes. When the host program launches, it is tricked into loading the malicious library in place of the genuine one.

That switch lets the rogue module extract the encoded data and run it directly in memory, bypassing normal checks. The whole chain leans on subtle mimicry, slipping past detection by looking routine. Executing in memory, as Catena once did, leaves little trace on disk and evades code scanners.

Driven by the .ini settings, the loader quietly injects into the process and delivers ValleyRAT, built on Winos4.0, without noise.

Persistence and Evasion Tactics

ValleyRAT establishes itself quietly by changing system settings through an elevated PowerShell session. It adds its working directory, AppData\Roaming\trvePath, and its helper WavesSvc64.exe to the built-in antivirus exclusion list, so those locations are skipped by routine scans.

Every time the system starts, a scheduled job named Batteries (C:\Windows\Tasks\Batteries.job) launches WavesSvc64.exe /run without warning. Each run refreshes the exclusion settings and phones home to the command server.

Rather than leaving stale copies behind, it deletes key components, WavesSvc64.exe among them, and drops fresh ones. Files such as DuiLib_u.dll, libexpat.dll, box.ini, and vcruntime140.dll are rewritten on each cycle. Because of this swap-out pattern, cleanup becomes messy fast.

C2 details such as yandibaiji0203[.]com are stored under HKCU\SOFTWARE\IpDates_info, while obfuscated program files hide under HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e.

To check its surroundings, the malware looks for debuggers by scanning window names, and sometimes inspects BIOS traits or network adapter details.

It also watches for VirtualBox artifacts, and small disk or RAM sizes raise further flags. It confirms its location from the system language settings and will not proceed unless the language is set to Chinese.
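The persistence artifacts in this section (the Add-MpPreference exclusions, the Batteries task, the trvePath launch of WavesSvc64.exe, the IpDates_info and Console registry keys) are all visible in ordinary endpoint telemetry; the argument-less rundll32.exe launch noted in the C2 section below is included too. The following is an added example, not code from the article or its source research: a small rule set run over Sysmon-style event records, constructed here as dicts with Sysmon's field names. The task name, paths and registry keys are the article's host indicators; the user SID, account name and command lines are constructed.

```python
"""Hunt for ValleyRAT persistence artifacts in endpoint telemetry.

Added example, not code from the article or its source research. It runs a
small rule set over Sysmon-style event records, constructed here as dicts
with Sysmon's field names (EventType, Image, CommandLine, TargetFilename,
TargetObject). The task name, paths and registry keys are the article's
host indicators; the user SID, account name and command lines are constructed.
"""
import re
from dataclasses import dataclass

# Registry paths: Sysmon records HKCU as HKU\<SID>\..., so accept both spellings.
RE_IPDATES = re.compile(r"(HKCU|HKU\\[^\\]+)\\SOFTWARE\\IpDates_info", re.I)
RE_CONSOLE_BLOB = re.compile(r"(HKCU|HKU\\[^\\]+)\\Console\\0\\[0-9a-f]{32}", re.I)
RE_BATTERIES_JOB = re.compile(r"\\Windows\\Tasks\\Batteries\.job$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK ID taken from the article's mapping
    detail: str


def _args_after_image(cmd: str) -> str:
    """Return the arguments that follow the executable in a Windows command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    return cmd.split(None, 1)[1].strip() if " " in cmd else ""


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event and return the findings (possibly none)."""
    found: list[Finding] = []
    etype = ev.get("EventType")
    if etype == "ProcessCreate":
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        # Defender exclusion added from PowerShell; the campaign's own paths raise severity.
        if exe in ("powershell.exe", "pwsh.exe") and re.search(r"add-mppreference", cmd, re.I):
            sev = "high" if re.search(r"trvePath|WavesSvc64", cmd, re.I) else "medium"
            found.append(Finding("defender-exclusion-added", "T1562.001", f"{sev}: {cmd}"))
        # rundll32.exe normally carries a DLL and export; an empty command line is the oddity noted.
        if exe == "rundll32.exe" and not _args_after_image(cmd):
            found.append(Finding("rundll32-no-args", "T1218.011", image))
        # The side-loading host running from the campaign's working directory.
        if exe == "wavessvc64.exe" and "trvepath" in image.lower():
            found.append(Finding("wavessvc64-from-trvepath", "T1574.002", cmd))
    elif etype == "FileCreate" and RE_BATTERIES_JOB.search(ev.get("TargetFilename", "")):
        found.append(Finding("batteries-task-file", "T1053.005", ev["TargetFilename"]))
    elif etype == "RegistryEvent":
        key = ev.get("TargetObject", "")
        if RE_IPDATES.search(key) or RE_CONSOLE_BLOB.search(key):
            found.append(Finding("valleyrat-registry-config", "T1027", key))
    return found


def hunt(events: list[dict]) -> list[Finding]:
    """Run the rules over a batch of events."""
    return [f for ev in events for f in check_event(ev)]


# Constructed telemetry: five malicious events mirroring the article, two benign.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming\trvePath -ExclusionProcess WavesSvc64.exe"'},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\Tasks\Batteries.job"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\alice\AppData\Roaming\trvePath\WavesSvc64.exe",
     "CommandLine": "WavesSvc64.exe /run"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
    {"EventType": "RegistryEvent", "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\IpDates_info"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},           # benign: has a DLL argument
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-MpPreference"},          # benign: read-only query
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule}: {f.detail}")
```

The exclusion rule fires on any Add-MpPreference call, not only on this campaign's paths, because the article's other campaigns (the fake Teams installer excluding drives C: through F:, the medical-software lure excluding C:\ProgramData) show the same technique with different arguments; the campaign-specific paths only raise the severity.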

C2 With Modular Features

The stager starts at 161.248.87[.]250:443 and speaks a homemade binary protocol disguised as ordinary HTTPS traffic.

Because it mimics secure web connections, basic TLS inspection fails to catch it. Signature-based detection tools, such as ET SIDs 2052875, 2059975, and 2052262, flag signs of Winos4.0 activity: login attempts, replies, and setup signals tied to ProcessKiller.
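One cheap network check follows from the point above: a genuine HTTPS client opens with a TLS handshake record (type 0x16) whose first message is a ClientHello (type 0x01), whereas a homemade binary protocol riding on port 443 does not. The following is an added example, not code from the article or the researchers it cites: it validates the first bytes a client sends on a port-443 flow and reports flows that fail. The malicious flow uses the article's C2 address; every byte string is constructed.

```python
"""Spot non-TLS traffic on TCP/443 by validating the first bytes of a client stream.

Added example, not code from the article or the researchers it cites. A
genuine HTTPS connection opens with a TLS record of type handshake (0x16)
whose first handshake message is a ClientHello (type 0x01); a homemade
binary protocol riding on port 443 will not. The malicious flow uses the
article's C2 address; all byte strings are constructed.
"""
from __future__ import annotations

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01


def check_client_first_bytes(data: bytes) -> tuple[bool, str]:
    """Return (is_tls, reason) for the first bytes a client sent on a connection."""
    if len(data) < 9:                       # 5-byte record header + 4-byte handshake header
        return False, "too short to contain a TLS handshake header"
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    if content_type != TLS_HANDSHAKE:
        return False, f"record type 0x{content_type:02x} is not handshake (0x16)"
    if major != 3 or minor > 4:             # SSL 3.0 through TLS 1.3 all use major version 3
        return False, f"unknown record version {major}.{minor}"
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != TLS_CLIENT_HELLO:
        return False, f"first handshake message 0x{hs_type:02x} is not ClientHello"
    if hs_len + 4 != record_len:            # a lone ClientHello fills its record exactly
        return False, "handshake length does not match record length"
    return True, "ok"


def build_client_hello_prefix() -> bytes:
    """Constructed minimal ClientHello record (legacy version, random, empty session id).
    Enough for the header check above; a real ClientHello also carries cipher suites and extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def flag_fake_https(flows: list[dict]) -> list[str]:
    """Return 'ip:port (reason)' for every port-443 flow whose opening bytes are not TLS."""
    alerts = []
    for fl in flows:
        if fl["dst_port"] != 443:
            continue
        ok, reason = check_client_first_bytes(fl["first_bytes"])
        if not ok:
            alerts.append(f"{fl['dst_ip']}:{fl['dst_port']} ({reason})")
    return alerts


# Constructed flows: one real TLS handshake, one custom binary framing to the article's C2.
SAMPLE_FLOWS = [
    {"dst_ip": "203.0.113.10", "dst_port": 443, "first_bytes": build_client_hello_prefix()},
    {"dst_ip": "161.248.87.250", "dst_port": 443,
     "first_bytes": b"\x00\x00\x01\x2c\x01\x02\x00\x00\x00\x00\x00\x00"},  # length-prefixed blob, not TLS
    {"dst_ip": "203.0.113.20", "dst_port": 80, "first_bytes": b"GET / HTTP/1.1\r\n"},  # plain HTTP, out of scope
]

if __name__ == "__main__":
    for alert in flag_fake_https(SAMPLE_FLOWS):
        print("non-TLS traffic on 443:", alert)
```

This is a header sanity check, not a replacement for the Emerging Threats signatures the article names: it catches protocols that do not bother to look like TLS at all, and a sensor that already captures the first packet of each flow can run it with no decryption.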

That last component targets security software from Qihoo 360, Huorong, Tencent, and Kingsoft.
One telltale pattern is rundll32.exe running without the expected DLL arguments, something sandboxes catch fast.

Modular pieces of WinosStager surface during analysis, loading tools only when needed. After access is gained, keystroke capture begins using Windows hook methods. Hidden code is injected into suspended processes, quietly pulling login data from browser storage and system settings.

System details, such as machine name and running processes, are collected next. Memory regions marked readable, writable and executable appear wherever the malicious routines run.

Old traces are removed automatically, leaving little behind except a log file in ProgramData named DisplaySessionContainers.log. Lock objects (mutexes) tagged with dates such as 2026.2.5 keep operations in sync.

Attribution Insights

That activity matches Silver Fox APT, a China-linked crew active since 2022, using fake versions of local software – QQ Browser, LetsVPN, game helpers – to push ValleyRAT or Winos4.0. Posing as security tools attracts those seeking safety; traces in the code point straight back to Chinese users.

A sudden jump in ValleyRAT samples followed a GitHub breach in March 2025. Of nearly 6,000 instances, 85% emerged after that leak; activity before it was lower. This spread suggests others besides Silver Fox now use the tool.

Fake Teams SEO Poisoning

Attackers spoof teamscn[.]com as a Microsoft Teams download hub, targeting Chinese users via SEO poisoning, with Cyrillic false flags to mimic Russian actors. The ZIP “MSTчamsSetup.zip” drops Setup.exe, which adds Defender exclusions for drives C: through F:, deploys a Russian-labelled vcredist_x86.exe loader that reads Profiler.json and GPUCache.xml, and has rundll32.exe execute AutoRecoverDat.dll for C2 at Ntpckj[.]com:18852 (134.122.128[.]131).
A fresh twist in the ValleyRAT network installs a genuine Teams setup alongside malicious code running in the background, opening the door to spying and fraud; backend links trace back to earlier Silver Fox tricks using fake Telegram services hosted on Alibaba Cloud.

Trojanized Medical Software

One moment it looks like a regular medical tool; the next, corrupted code slips inside. That fake Philips viewer runs MediaViewerLauncher.exe, carrying Winos4.0 tricks. Files come down from Alibaba Cloud storage, from buckets with odd names like i.dat.

Inside those, the configuration points to a seemingly blank a.gif, which is really vseamps.exe disguised under Cyren alerts. A DLL called vselog.dll wakes up first.

Then comes 189atohci.sys, dropped to disable security tools using TrueSightKiller methods. Once those are silenced, malicious shellcode is fed straight into memory.

While running through RPC jobs, TO7RUF.exe checks for antivirus processes such as MsMpEng.exe and NisSrv.exe. It evades detection by adding folders such as C:\ProgramData and Users\Public as Windows Defender exclusions.

A keystroke logger shows up next to a remote access tool pointing to 8.217.60[.]40 on port 8917. Hidden mining software activates simultaneously, working behind the scenes.

Taiwan-Focused Winos Campaigns

A wave of digital traps swept across Taiwan: one moment a document looks harmless, the next, malicious code sneaks in through hidden pathways. Some attacks piggybacked on legitimate software, inserting dangerous components where they do not belong.

Fake messages about wages appeared normal at first glance, yet triggered silent downloads behind the scenes. A campaign nicknamed Holding Hands used official-looking alerts from tax authorities to trick users into opening harmful attachments.

Inside those files, small programs awakened others stored deep within system memory. The payload, known as ValleyRAT, took hold without touching the hard drive, making it harder to catch.

Fake Chrome and Other Browsers

Fake Chrome installers slip in PNGPlug, which unpacks ValleyRAT. Hidden behind legitimate-looking files, one malicious payload rides alongside another: Purple Fox shares space with Gh0st. These infections chase high-value Chinese targets. A DLL swap (side-loading) tricks trusted programs into loading malware instead.

Indicators of Compromise

Fake Domains: huoronga[.]com, huorongcn[.]com, huorongh[.]com, huorongpc[.]com, huorongs[.]com
Redirect/Payload: hndqiuebgibuiwqdhr[.]cyou, pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev
C2: 161.248.87[.]250:443, yandibaiji0203[.]com
SHA-256 Hashes: 72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4 (NSIS), db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e (WavesSvc64.exe), d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2 (DuiLib_u.dll), 07aaaa2d3f2e52849906ec0073b61e451e0025ef2523dafbd6ae85ddfa587b4d (WinosStager #1), 66e324ea04c4abbad6db4f638b07e2e560613e481ff588e0148e33e23a5052a9 (WinosStager #2), 47df12b0b01ddca9eb116127bf84f63eb31e80cec33e4e6042dff1447de8f45f (WinosStager #3)
Host Indicators: Batteries.job at C:\Windows\Tasks\Batteries.job, %APPDATA%\trvePath, HKCU\SOFTWARE\IpDates_info, HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e, C:\ProgramData\DisplaySessionContainers.log, WavesSvc64.exe, rundll32.exe (no args)

MITRE ATT&CK Mapping

Initial Access: T1189 Drive-by Compromise
Execution: T1059.001 PowerShell
Persistence: T1053.005 Scheduled Task
Defense Evasion: T1562.001 Impair Defenses, T1574.002 DLL Side-Loading, T1027 Obfuscated Files, T1218.011 Rundll32
Credential Access: T1555 Credentials from Password Stores
Discovery: T1082 System Information, T1057 Process Discovery
Collection: T1056.001 Keylogging
C2: T1071 Application Layer Protocol
Impact: T1070.004 File Deletion

Protection

Start by checking which domain is legitimate: only huorong.cn counts. Review Add-MpPreference activity in your logs to see what Defender has been told to skip. Hunt for anything tied to the Batteries task, files in the trvePath folder, or entries under IpDates_info.

Block the IP address 161.248.87.250 outright. Watch how rundll32 behaves when it runs, and keep an eye on WavesSvc64.exe doing anything odd.

Something may still linger after you delete files. Malwarebytes blocks many variants of this malware by default. For Winos4.0-based threats like this one, an intrusion detection setup helps catch odd behaviour early.

Clean things properly, and wipe leftover tasks one by one. Remove any old exceptions that let threats slip through in the past. Dig into system settings and manually remove risky entries from the registry. Only then run another antivirus check to confirm it is truly gone.

FAQ

ValleyRAT is a silent tool built on Winos4.0, assembled from pieces that add functions one by one. Keystrokes are captured when certain modules turn on. Other parts inject code into running processes, quietly taking hold. Information gathering kicks in only when triggered, never automatically. Antivirus tools are shut down piece by piece using dedicated plugins. Each task depends on a separate plugin loading at the right moment.

A fake version of huoronga.com copies huorong.cn closely. It tricks visitors by sending them to a harmful file inside a ZIP. That compressed package delivers an NSIS-based Trojan instead of safe content. The attack relies on misspelled domains to mislead users quietly. Redirects guide people straight into downloading malicious software.

Signs of infection: the Batteries task runs and the trvePath directory appears, with WavesSvc64.exe sitting inside it. The system calls rundll32, yet no arguments appear. New Defender exclusion settings sit nearby.

One group, Silver Fox, targets people in China. Since the leak, the stolen data has spread beyond its original purpose.

Stop running programs using task manager or terminal tools. Removing unwanted files often means editing system entries carefully. Updated antivirus software checks for hidden threats after changes. Resetting protection settings helps clear old exceptions manually.

Site: thecybrdef.com

John

John is a cybersecurity reporter covering the latest cyber threats, data breaches, and security research. Focused on translating complex technical topics into clear, actionable insights. Dedicated to delivering accurate, timely news to inform and protect the digital community.
