securityonline.info, 2/6/2026, 1:41:11 AM

Stealth Injection: Silver Fox APT Upgrades “ValleyRat” with Rare PoolParty Tech


According to Cybereason Security Services, a new threat campaign disguises malware as popular installers to deliver ValleyRAT (also known as Winos 4.0), a remote access trojan linked to Silver Fox APT, targeting Chinese-speaking users with fake LINE installers. The campaign stands out for its rare PoolParty Variant 7 process-injection technique, which manipulates Windows I/O Completion Ports and uses the ZwSetIoCompletion() API to trigger code execution, hiding inside trusted processes such as Explorer.

Researchers note a robust watchdog system that restarts the infection by injecting code into Explorer[.]exe and UserAccountBroker[.]exe, a major upgrade from the earlier batch-file-based checks. The malware actively scans for, and attempts to disable, Chinese security software such as Qihoo 360, in part by tearing down the TCP connections of the affected processes.

The report links ValleyRAT to Silver Fox APT, and also notes similarities to SADBRIDGE, suggesting tool sharing or evolution; as the campaign continues, users are urged to verify digital signatures on installers for LINE, ToDesk, and AnyDesk, since a valid-looking certificate that fails verification is a tell-tale sign of tampering.
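The installer check recommended above, written out as an added PowerShell example (not code from the article or from Cybereason's report): it runs Get-AuthenticodeSignature over a downloaded installer and flags the case the article describes, a certificate that is present but fails verification. The expected publisher names in the table are assumptions; replace them with the signer subject seen on a copy obtained from the vendor.

```powershell
# Added example, not part of the original article. Expected signer names are
# ASSUMED placeholders: fill them in from a known-good copy of each installer.
$ExpectedPublisher = @{
    'LINE'    = 'LINE Corporation'       # assumed expected signer
    'ToDesk'  = 'ToDesk'                 # assumed expected signer
    'AnyDesk' = 'AnyDesk Software GmbH'  # assumed expected signer
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,     # installer to check
        [Parameter(Mandatory)] [string] $Product   # key into $ExpectedPublisher
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    $verdict = switch ($sig.Status.ToString()) {
        'Valid' {
            # Signature verifies, but a valid signature from the wrong signer is still a red flag.
            if ($subject -like "*$($ExpectedPublisher[$Product])*") { 'OK' }
            else { 'SUSPICIOUS: valid signature from an unexpected signer' }
        }
        'NotSigned'    { 'SUSPICIOUS: installer is not signed' }
        # The tampering pattern from the article: a certificate is attached, but the
        # file content no longer matches what was signed.
        'HashMismatch' { 'TAMPERED: certificate present but file content fails verification' }
        'NotTrusted'   { 'SUSPICIOUS: signature chains to an untrusted certificate' }
        default        { "SUSPICIOUS: verification failed ($($sig.Status))" }
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Verdict    = $verdict
    }
}

# Usage: check a freshly downloaded installer before running it.
# Test-InstallerSignature -Path 'C:\Downloads\LineInst.exe' -Product 'LINE'
```

Anything other than an OK verdict means the file should not be run until it has been obtained again from the vendor's official download page.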


Article by CyberSIXT