A fake LINE installer is spreading the ValleyRAT malware and uses sophisticated evasion techniques to target Chinese-speaking users. The campaign was first seen in early 2025 and impersonates well-known applications such as LINE and VPN services.

The installer downloads ValleyRAT, a remote access trojan associated with the Silver Fox APT group, to steal credentials and maintain persistence. Cybereason identified new capabilities in this campaign, including the rarely seen PoolParty Variant 7 code injection. The fake installer is built with NSIS and carries an EV code-signing certificate issued to "Chengdu MODIFENGNIAO Network Technology Co., Ltd."; the signature fails validation, a warning sign that the binary was tampered with after signing.

When executed, it shows a fake Chinese-language GUI and triggers a UAC prompt to trick the user into granting elevated privileges.

New Capabilities and Attack Flow

During execution, three child processes are launched: chrmstp.exe, rundll32.exe (which loads intel.dll), and PowerShell.

PowerShell runs string-spliced commands such as power""shell.exe -Executio""nPolicy Byp""ass -Command Add-MpPre""ference -Exclus""ionPath C:\ to exclude drives C through F from Windows Defender scans; the empty "" pairs are dropped when the line is parsed, so the command still runs but no longer matches a naive substring rule (figure: attack flow; source: Cybereason). Key files are dropped into %AppData%\TrustAsia (intel.dll, config.ini, config2.ini) and %LOCALAPPDATA% (chrmstp.exe, Sangee.ini, and a 59 MB dummy file, Yuteab.db).
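The splicing trick above only has to beat a string match, so a detection should match on what the shell executes rather than on the raw command line. The following Python is an added example written for this article, not code from Cybereason's report: it strips the empty-string splices, then scores the normalized line for Defender-exclusion tampering. The sample command lines are constructed for the example; only the first one mirrors the pattern quoted above.

```python
import re

# Constructed sample process-creation command lines, modelled on the
# spliced PowerShell described above; none are taken from the report.
SAMPLE_COMMAND_LINES = [
    'power""shell.exe -Executio""nPolicy Byp""ass -Command Add-MpPre""ference -Exclus""ionPath C:\\',
    "power''shell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath D:\\,E:\\",
    'powershell.exe -NoProfile -Command Get-MpPreference',
    'powershell.exe -Command Add-MpPreference -ExclusionPath C:\\Build\\Output',
]

# Empty-string splices ("" or '') that the shell drops at parse time, so
# Byp""ass still executes as Bypass but defeats naive substring rules.
SPLICE_RE = re.compile("\"\"|''")
EXCLUSION_RE = re.compile(r'-exclusion(?:path|process|extension)\s+([^\s;|&]+)')
DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\?$')


def normalize(cmdline: str) -> str:
    """Remove splices, collapse whitespace and lowercase, so matching is
    done on what the shell actually executes."""
    return ' '.join(SPLICE_RE.sub('', cmdline).split()).lower()


def analyze(cmdline: str) -> dict:
    """Score a PowerShell command line for Defender-exclusion tampering."""
    norm = normalize(cmdline)
    obfuscated = SPLICE_RE.search(cmdline) is not None
    bypass = '-executionpolicy bypass' in norm
    exclusions = []
    for match in EXCLUSION_RE.finditer(norm):
        exclusions.extend(p for p in match.group(1).split(',') if p)
    drive_root = any(DRIVE_ROOT_RE.match(p) for p in exclusions)
    adds_exclusion = 'add-mppreference' in norm and bool(exclusions)

    if adds_exclusion and (drive_root or obfuscated):
        severity = 'high'    # whole-drive exclusion, or an exclusion hidden behind splices
    elif adds_exclusion:
        severity = 'medium'  # an exclusion was added; review the path
    elif obfuscated or bypass:
        severity = 'low'     # suspicious launch, but no exclusion seen
    else:
        severity = 'none'
    return {
        'normalized': norm,
        'obfuscated': obfuscated,
        'bypass': bypass,
        'exclusions': exclusions,
        'drive_root_exclusion': drive_root,
        'severity': severity,
    }


if __name__ == '__main__':
    for line in SAMPLE_COMMAND_LINES:
        result = analyze(line)
        print(f"{result['severity']:6} {result['normalized']}")
```

A legitimate command line can contain an empty "" argument, so the splice check is treated as a signal that raises severity, not as proof on its own; the high-severity condition still requires that an exclusion is actually added.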

Intel.dll loads shellcode from the .ini files, checks for a file named Temp.aps, and acts as a watchdog guarded by the mutex "9F23-25AB-057C-5C1D65". The shellcode from config.ini creates four threads:

Thread 1 adds further Defender exclusions.
Thread 2 establishes persistence, either through RPC calls to ITaskSchedulerService (interface UUID 86D35949-83C9-4044-B424-DB363231FD0C) or through PowerShell-created scheduled tasks (updated.ps1, PolicyManagement.xml); the tasks run intel.dll at logon.

Thread 3 is a watchdog that restarts intel.dll if Telegram or WhatsApp is running.
Thread 4 injects into Explorer.exe using PoolParty Variant 7: it obtains a copy of the target's I/O completion port handle with ZwQueryObject/ZwDuplicateObject, then calls ZwSetIoCompletion with a TP_DIRECT structure that points at the shellcode.
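Whether thread 2 registers the task over RPC to ITaskSchedulerService or through PowerShell, the result is a task definition in the Task Scheduler's XML format, so a hunt can parse the task files instead of caring which creation path was used. The following Python is an added example written for this article, not Cybereason's code: it flags a task that fires at logon or boot and runs a proxy binary such as rundll32.exe against a user-writable path. The two task definitions are constructed for the example; the article does not reproduce the real PolicyManagement.xml, and the user name and DLL path in the sample are made up.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler XML (files under %SystemRoot%\System32\Tasks
# and the output of Export-ScheduledTask).
NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Signed Windows binaries that execute someone else's code; a logon task that
# runs one of them against a user-writable path deserves a look.
PROXY_BINARIES = {'rundll32.exe', 'regsvr32.exe', 'mshta.exe',
                  'powershell.exe', 'wscript.exe', 'cscript.exe'}
USER_WRITABLE_RE = re.compile(r'\\(appdata|temp|programdata|public)\\', re.I)

# Constructed sample tasks (not the PolicyManagement.xml from the report).
# The first mirrors the described persistence: rundll32 loading intel.dll
# from %AppData%\TrustAsia at logon. The user name is made up.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\rundll32.exe</Command>
      <Arguments>C:\\Users\\alice\\AppData\\Roaming\\TrustAsia\\intel.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Example Vendor\\Updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _startup_trigger(root) -> bool:
    """True if any enabled trigger fires at logon or boot."""
    triggers = root.find('t:Triggers', NS)
    if triggers is None:
        return False
    for trig in triggers:
        kind = trig.tag.split('}')[-1]
        enabled = trig.findtext('t:Enabled', default='true', namespaces=NS).strip().lower()
        if kind in ('LogonTrigger', 'BootTrigger') and enabled != 'false':
            return True
    return False


def assess_task(xml_text: str) -> dict:
    """Flag a task whose startup-time action runs a proxy binary against a
    user-writable path, and list any DLLs handed to rundll32."""
    root = ET.fromstring(xml_text)
    startup = _startup_trigger(root)
    proxy = user_writable = False
    dlls = []
    for exec_ in root.findall('t:Actions/t:Exec', NS):
        command = exec_.findtext('t:Command', default='', namespaces=NS).strip().strip('"')
        args = exec_.findtext('t:Arguments', default='', namespaces=NS).strip()
        binary = PureWindowsPath(command).name.lower()
        proxy = proxy or binary in PROXY_BINARIES
        user_writable = user_writable or bool(USER_WRITABLE_RE.search(command + ' ' + args))
        if binary == 'rundll32.exe' and '.dll' in args.lower():
            dlls.append(args.split(',')[0].strip().strip('"'))
    return {'startup_trigger': startup, 'proxy_binary': proxy,
            'user_writable_path': user_writable, 'rundll32_dlls': dlls,
            'suspicious': startup and proxy and user_writable}


if __name__ == '__main__':
    for name, xml_text in (('suspicious', SUSPICIOUS_TASK), ('benign', BENIGN_TASK)):
        print(name, assess_task(xml_text))
```

On a live host the same function can be run over every file under %SystemRoot%\System32\Tasks; the rule deliberately requires all three conditions (startup trigger, proxy binary, user-writable payload) so that vendor updaters registered at logon do not fire it.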

Depending on whether Telegram is present, the injected code in Explorer looks for regsvr32.exe or UserAccountBroker.exe and injects the config.ini/config2.ini shellcode into UserAccountBroker.exe, which is spawned as a child of Explorer. It repeats this every five seconds, acting as a covert watchdog. (Figure: execution of the Sysinternals tool sigcheck.exe; source: Cybereason.) Chrmstp.exe, which mimics a Chrome component, loads Sangee.ini and replicates the same behaviour: PoolParty injection into Explorer, the UserAccountBroker spawn, and disruption of 360 Total Security processes (360tray.exe and others) by enumerating their TCP connections with GetTcpTable2 and forcing each entry into state 12 (DELETE_TCB) with SetTcpEntry, which tears the connection down.

The C2 servers are 206.238.221[.]165:443 and 143.92.38[.]217:18852. The payloads fetched for credential harvesting are most likely ValleyRAT.

(Figure: the fake installer's GUI; source: Cybereason.) Anti-analysis is strong: intel.dll detects sandboxes by checking for LockFileEx failures, and the NSIS installer resists unpacking with 7-Zip, unlike the earlier LetsVPN samples analysed by Rapid7.

Threat Analysis and Protection

Cybereason assesses that this campaign builds on Rapid7's Winos 4.0 analysis and sharpens its evasion: process injection instead of batch-file watchdogs, RPC-based persistence, and disruption of 360 Total Security. A pivot on the certificate thumbprint (394DCBC2C7E0750B3899F4610CAA0A3964DBAA04) surfaces 13 further NSIS fakes impersonating ToDesk, AnyDesk and Sogou; all samples share the fake-installer lure, the 360 checks, and a link to SADBRIDGE through PoolParty. (Figure: x64dbg windows during the NdrClientCall2 call; source: Cybereason.) A detection rule: UserAccountBroker.exe with Explorer.exe as its parent making external network connections.
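The detection rule above needs two telemetry sources joined together: process creation (to know the parent) and network connections (to know the destination). The following Python is an added example written for this article, not Cybereason's detection content: it runs that rule, an exact match on the C2 endpoints listed in the IOC table, and a check for chrmstp.exe executing from a user profile directory, over constructed Sysmon-like events. The PIDs, user name and image paths in the events are made up; only the C2 address comes from the article.

```python
import ipaddress

# C2 endpoints from the IOC table at the end of this article.
KNOWN_C2 = {('206.238.221.165', 443), ('143.92.38.217', 18852)}

# Constructed process-creation and network-connection events in a Sysmon-like
# shape. PIDs, the user name and the image paths are made up for the example.
EVENTS = [
    {'type': 'process', 'pid': 4100, 'image': r'C:\Windows\explorer.exe',
     'parent_pid': 900, 'parent_image': r'C:\Windows\System32\userinit.exe'},
    {'type': 'process', 'pid': 5200, 'image': r'C:\Windows\System32\UserAccountBroker.exe',
     'parent_pid': 4100, 'parent_image': r'C:\Windows\explorer.exe'},
    {'type': 'network', 'pid': 5200, 'image': r'C:\Windows\System32\UserAccountBroker.exe',
     'dst_ip': '143.92.38.217', 'dst_port': 18852},
    {'type': 'network', 'pid': 4100, 'image': r'C:\Windows\explorer.exe',
     'dst_ip': '10.0.0.5', 'dst_port': 445},
    {'type': 'process', 'pid': 6300, 'image': r'C:\Users\alice\AppData\Local\chrmstp.exe',
     'parent_pid': 4100, 'parent_image': r'C:\Windows\explorer.exe'},
]


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def is_external(ip: str) -> bool:
    """Routable on the public internet (not RFC 1918, loopback, link-local, etc.)."""
    return ipaddress.ip_address(ip).is_global


def detect(events: list) -> list:
    """Apply three rules and return one alert dict per hit."""
    procs = {e['pid']: e for e in events if e['type'] == 'process'}
    alerts = []
    for e in events:
        if e['type'] != 'network':
            continue
        image = basename(e['image'])
        parent = basename(procs.get(e['pid'], {}).get('parent_image', ''))
        dst = (e['dst_ip'], e['dst_port'])
        # Rule 1: exact match on the published C2 endpoints.
        if dst in KNOWN_C2:
            alerts.append({'rule': 'known_c2', 'pid': e['pid'], 'image': image,
                           'detail': f'{dst[0]}:{dst[1]}'})
        # Rule 2: the article's rule. UserAccountBroker.exe spawned by the
        # injected Explorer has no business talking to the internet.
        if image == 'useraccountbroker.exe' and parent == 'explorer.exe' and is_external(e['dst_ip']):
            alerts.append({'rule': 'useraccountbroker_external', 'pid': e['pid'],
                           'image': image, 'detail': f'parent explorer.exe -> {dst[0]}:{dst[1]}'})
    # Rule 3: a Chrome-named helper running out of a user profile directory,
    # which is where the fake installer drops chrmstp.exe.
    for p in procs.values():
        if basename(p['image']) == 'chrmstp.exe' and '\\appdata\\' in p['image'].lower():
            alerts.append({'rule': 'chrmstp_user_path', 'pid': p['pid'],
                           'image': basename(p['image']), 'detail': p['image']})
    return alerts


if __name__ == '__main__':
    for alert in detect(EVENTS):
        print(f"[{alert['rule']}] pid={alert['pid']} {alert['image']}: {alert['detail']}")
```

Rule 2 is the durable one: the C2 addresses will rotate, but the parent-child relationship and the outbound connection come from how the injection works, so they survive infrastructure changes.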

Further indicators: an invalid code-signing certificate issued to "Chengdu MODIFENGNIAO Network Technology Co., Ltd.", and the creation of %AppData%\TrustAsia\intel.dll, config.ini and config2.ini. Mitigations: download software only from the vendor's official site, and use EDR to enforce trusted signers and block UAC elevation requests from binaries with invalid or unknown certificates.

Verify that the certificate subject matches the expected vendor (for example, LY Corp for LINE). Monitor for PoolParty indicators, newly added Defender exclusions, and NSIS installers.

Indicators of Compromise

IOC                                       Type     Description
b02a99344f2fa81636ad913f805b52051debe529  SHA-1    Fake LineInstaller.exe
b4feadbada51e68852a8a732f0e79ae725a755a4  SHA-1    intel.dll
51330636e299128c026c77cbc77dc24f3db49336  SHA-1    config.ini
9120e22231ea9f597d8bb62d46e4775bd3fe5ccb  SHA-1    config2.ini
fab0802c3978f096223ff3b29188c3617e3cfa62  SHA-1    chrmstp.exe
da64ac77059050fdf30143da3671d41fff872689  SHA-1    Sangee.ini
143.92.38[.]217:18852                     IP:Port  C2
206.238.221[.]165:443                     IP:Port  C2