www.malwarebytes.com, 2/23/2026, 12:56:28 PM

Silver Fox deploys ValleyRAT via typosquatted Huorong AV site


MALWAREBYTES reports a fake Huorong Security site that delivers ValleyRAT, a sophisticated backdoor built on the Winos4.0 framework, to users who click the impostor installer. The campaign, which is described as being carried out by the so‑called Silver Fox APT group, uses a typosquatted Huorong domain huoronga[.]com to lure victims and serves a trojanized NSIS installer that ultimately drops a backdoor with stealth and DLL sideloading capabilities.

The attackers route the download through an intermediary domain before serving the payload from Cloudflare R2 storage. The ZIP contains components such as WavesSvc64[.]exe, DuiLib_u.dll and box[.]ini, along with decoy files. Through DLL sideloading, Windows is tricked into loading the malicious DuiLib_u.dll, which reads encrypted shellcode from box[.]ini and executes it in memory; persistence is achieved with a scheduled task named Batteries (C:\Windows\Tasks\Batteries[.]job) and a directory in APPDATA.

The campaign also features Defender exclusions, C2 communications to 161.248.87[.]250 over TCP 443, and a modular chain that includes in‑memory shellcode and multiple WinosStager DLLs, enabling monitoring, credential access and remote control after infection.
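The indicators above (the typosquatted domain, the C2 address and port, the dropped component names, the Batteries scheduled task and the APPDATA drop directory) are enough to build a first-pass hunt rule set. The script below is an added example, not code from Malwarebytes or CyberSIXT: it keeps the indicators in the defanged form used in the summary, refangs them at match time, and runs six rules over a constructed set of key=value telemetry lines. The log format is assumed, `PLACEHOLDER_DIR` stands in for the unnamed APPDATA directory, and the Defender-exclusion rule assumes the exclusion covers that directory, since the report names the exclusions but not their paths.

```python
"""Hunt for the ValleyRAT / Silver Fox indicators named in the summary above.

Added example, not the report's own code. Telemetry lines are constructed,
the key=value log format is assumed, and PLACEHOLDER_DIR stands in for the
APPDATA directory the report does not name.
"""
import re
from typing import Dict, List

# Indicators exactly as given in the summary (defanged); refanged before matching.
IOC_DOMAINS = {"huoronga[.]com"}
IOC_IPS = {"161.248.87[.]250"}
IOC_FILES = {"WavesSvc64[.]exe", "DuiLib_u.dll", "box[.]ini"}
IOC_TASK_NAME = "Batteries"
IOC_TASK_JOB = r"C:\Windows\Tasks\Batteries[.]job"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y) back into its real form."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d).lower() for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}
FILES = {refang(f).lower() for f in IOC_FILES}
TASK_JOB = refang(IOC_TASK_JOB).lower()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Parse a key=value telemetry line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_windows_dir(path: str) -> bool:
    """DuiLib_u.dll resolving outside the Windows directory is the sideloading signal."""
    return path.lower().startswith("c:\\windows\\")


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    hits = []
    kind = ev.get("event", "")
    if kind == "dns_query" and ev.get("query", "").lower() in DOMAINS:
        hits.append("typosquat_domain")
    if kind == "net_connect" and ev.get("dst") in IPS and ev.get("dport") == "443":
        hits.append("valleyrat_c2")
    if kind == "image_load":
        dll = ev.get("dll", "")
        if basename(dll) == "duilib_u.dll" and not under_windows_dir(dll):
            hits.append("duilib_sideload")
    if kind == "file_write" and basename(ev.get("path", "")) in FILES:
        hits.append("valleyrat_component")
    if kind == "task_create" and (
        ev.get("name", "").lower() == IOC_TASK_NAME.lower()
        or ev.get("path", "").lower() == TASK_JOB
    ):
        hits.append("batteries_task")
    # Assumption: the report's Defender exclusions cover the APPDATA drop directory.
    if kind == "defender_exclusion" and "\\appdata\\" in ev.get("path", "").lower():
        hits.append("appdata_defender_exclusion")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; one result per (line, rule) pair."""
    results: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for rule in classify(parse(line)):
            results.append({"line": n, "rule": rule})
    return results


# Constructed telemetry (not from the report); the benign lines must stay quiet.
SAMPLE_LOGS = [
    "event=dns_query host=WS01 query=huoronga.com",
    "event=dns_query host=WS01 query=huorong.cn",
    "event=file_write host=WS01 path=C:\\Users\\u\\AppData\\Roaming\\PLACEHOLDER_DIR\\box.ini",
    "event=image_load host=WS01 image=C:\\Users\\u\\AppData\\Roaming\\PLACEHOLDER_DIR\\WavesSvc64.exe "
    "dll=C:\\Users\\u\\AppData\\Roaming\\PLACEHOLDER_DIR\\DuiLib_u.dll",
    "event=image_load host=WS02 image=C:\\ProgramData\\Vendor\\app.exe dll=C:\\Windows\\System32\\kernel32.dll",
    "event=task_create host=WS01 name=Batteries path=C:\\Windows\\Tasks\\Batteries.job",
    "event=defender_exclusion host=WS01 path=C:\\Users\\u\\AppData\\Roaming\\PLACEHOLDER_DIR",
    "event=net_connect host=WS01 dst=161.248.87.250 dport=443 proto=tcp",
    "event=net_connect host=WS02 dst=203.0.113.10 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['rule']}")
```

The rules are deliberately split by telemetry type so that a single host producing several of them in sequence (DNS lookup, file writes into APPDATA, a DuiLib_u.dll load from that directory, the Batteries task, an exclusion, then the TCP 443 connection) reads as the chain the report describes rather than as six unrelated alerts; correlating by `host` over a short window is the natural next step.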


Article by CyberSIXT