Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking

The Hacker News by The Hacker News
February 6, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Feb 06, 2025Ravie LakshmananCyber Attack / Malware

Bogus websites advertising Google Chrome have been used to distribute malicious installers for a remote access trojan called ValleyRAT.

The malware, first detected in 2023, is attributed to a threat actor tracked as Silver Fox, with prior attack campaigns primarily targeting Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China.

“This actor has increasingly targeted key roles within organizations—particularly in finance, accounting, and sales department — highlighting a strategic focus on high-value positions with access to sensitive data and systems,” Morphisec researcher Shmuel Uzan said in a report published earlier this week.

Cybersecurity

Early attack chains have been observed delivering ValleyRAT alongside other malware families such as Purple Fox and Gh0st RAT, the latter of which has been extensively used by various Chinese hacking groups.

As recently as last month, counterfeit installers for legitimate software have served as a distribution mechanism for the trojan by means of a DLL loader named PNGPlug.

It’s worth noting that a drive-by download scheme targeting Chinese-speaking Windows users was previously used to deploy Gh0st RAT using malicious installer packages for the Chrome web browser.

Fake Google Chrome Sites

In a similar fashion, the latest attack sequence associated with ValleyRAT entails the use of a fake Google Chrome website to trick targets into downloading a ZIP archive containing an executable (“Setup.exe”).

The binary, upon execution, checks if it has administrator privileges and then proceeds to download four additional payloads, including a legitimate executable associated with Douyin (“Douyin.exe”), the Chinese version of TikTok, that’s used to sideload a rogue DLL (“tier0.dll”), which then launches the ValleyRAT malware.

Also retrieved is another DLL file (“sscronet.dll”), which is responsible for terminating any running process present in an exclusion list.

Cybersecurity

Compiled in Chinese and written in C++, ValleyRAT is a trojan that’s designed to monitor screen content, log keystrokes, and establish persistence on the host. It’s also capable of initiating communications with a remote server to await further instructions that allow it to enumerate processes, as well as download and execute arbitrary DLLs and binaries, among others.

“For payload injection, the attacker abused legitimate signed executables that were vulnerable to DLL search order hijacking,” Uzan said.

The development comes as Sophos shared details of phishing attacks that employ Scalable Vector Graphics (SVG) attachments to evade detection and deliver an AutoIt-based keystroke logger malware like Nymeria or direct users to credential harvesting pages.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Appfire Recognizes Highest-Performing Partners in Annual Red Hot Partner Awards Program

Appfire Recognizes Highest-Performing Partners in Annual Red Hot Partner Awards Program

Recommended.

Microsoft Patches 126 Flaws Including Actively Exploited Windows CLFS Vulnerability

Microsoft Patches 126 Flaws Including Actively Exploited Windows CLFS Vulnerability

April 9, 2025
Airtel inaugure son centre de données pour l’Afrique de l’Est à Tatu City

Airtel inaugure son centre de données pour l’Afrique de l’Est à Tatu City

September 11, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio