Chinese-speaking areas like Hong Kong, Taiwan, and Mainland China have been the target of numerous cyberattacks. The attacks deliver the ValleyRAT payload using a multi-stage loader known as PNGPlug. The infection chain begins with a phishing page intended to persuade victims to download a malicious Microsoft Installer (MSI) package masquerading as trustworthy software.

According to security researchers, the installer secretly extracts an encrypted archive that contains the malware payload while simultaneously deploying a benign application to avoid raising suspicions. They claim that the campaign is distinctive because it targets the Chinese-speaking population and uses software-related lures to start the attack chain. "Equally striking is the attackers' sophisticated use of legitimate software as a delivery mechanism for malware, seamlessly blending malicious activities with seemingly benign applications," stated security researcher Nicole Fishbein.

According to a technical report, "the PNGPlug loader's adaptability further elevates the threat, as its modular design allows it to be tailored for multiple campaigns."