Fake Huorong Site Delivers ValleyRAT Backdoor in Targeted Malware Campaign


A typosquatted copy of the popular Huorong Security antivirus site is being used to deliver ValleyRAT, a modular remote access trojan (RAT) built on the Winos4.0 framework, to users who believe they are downloading legitimate protection software.

The attackers registered huoronga[.]com, adding a single “a” to the legitimate huorong.cn domain, as part of a typosquatting strategy designed to catch victims who mistype the URL or arrive via poisoned search results and malicious links.

The fake site closely mirrors the original branding and layout, leaving most visitors with little reason to suspect manipulation.

When a user clicks the download button, the request is silently relayed through an intermediary domain (hndqiuebgibuiwqdhr[.]cyou) before the malicious payload is retrieved from Cloudflare R2 storage, leveraging a trusted cloud platform to blend into normal network traffic.

The operation, attributed to the Chinese-speaking Silver Fox advanced persistent threat (APT) group, abuses a realistic clone of the Huorong ecosystem to deploy a stealthy backdoor with extensive surveillance and remote-control capabilities.

Fake Huorong Security site (Source : Malwarebytes).

The downloaded archive, BR火绒445[.]zip, even incorporates Huorong’s Chinese name (火绒) to preserve the illusion up to execution.

Fake Huorong Download Site

Inside the ZIP, victims receive a trojanized NSIS (Nullsoft Scriptable Install System) installer. NSIS is normally a legitimate, widely used installer framework, chosen here specifically because it mimics the behavior of real Windows software and raises fewer suspicions.

Another fake Huorong Security site (Source : Malwarebytes).

Once launched, it creates a desktop shortcut named 火绒.lnk to simulate a successful antivirus installation while quietly unpacking a mix of decoy and malicious files into the user’s Temp directory.

Benign-looking components include FFmpeg DLLs and tools masquerading as .NET repair and Huorong diagnostic utilities, deployed to reinforce the appearance of a normal installer footprint.

The real payload revolves around three critical elements: WavesSvc64.exe as the main loader, DuiLib_u.dll as a hijacked library for DLL sideloading, and box.ini as an encrypted container for shellcode.

The infection chain hinges on DLL sideloading, abusing Windows’ library loading behavior to execute malicious code under the guise of a trusted binary. WavesSvc64.exe poses as an audio service process, complete with a plausible PDB path referencing gaming-related development, so Windows executes it without complaint.

During startup, Windows automatically loads DuiLib_u.dll from the same directory; in this campaign, that library is replaced with a weaponized version that reads encrypted shellcode from box.ini, decrypts it, and executes it directly in memory.

This approach matches the Catena-style loader pattern previously described in other campaigns, where seemingly legitimate executables carry attack code inside configuration files and execute it reflectively, minimizing traditional file-based forensic traces.

To maintain persistence and degrade detection, the malware first issues high-integrity PowerShell commands to add Windows Defender exclusions for its working directory (%APPDATA%\trvePath) and loader process (WavesSvc64.exe), significantly reducing native security scanning of its assets.

It then creates a scheduled task named “Batteries,” stored as C:\Windows\Tasks\Batteries.job, which executes WavesSvc64.exe /run at startup to reapply exclusions and reconnect to command-and-control (C2).

ValleyRAT Backdoor Deployed via Malware

The campaign also periodically deletes and rewrites key files including WavesSvc64.exe, DuiLib_u.dll, libexpat.dll, box.ini, and vcruntime140.dll to evade simple hash-based detection, meaning file deletion alone is unlikely to remediate an infected system fully.

Configuration data, such as the encoded domain yandibaiji0203[.]com, is stored under HKCU\SOFTWARE\IpDates_info, with an additional HKCU\Console\451b464b7a6c2ced348c1866b59c362e value holding encrypted binary configuration or staging data.

On the network side, the Winos4.0 stage contacts its C2 server at 161.248.87.250 over TCP port 443, using a custom binary protocol instead of standard HTTPS to blend into encrypted traffic patterns while avoiding TLS inspection.

Intrusion detection systems reported critical alerts for Winos4.0 C2 login and server-response messages, and high-severity alerts tied to the ProcessKiller module’s initialization, which is associated with terminating security tools.

Analysts observed C2 communications originating from rundll32.exe launched with only “rundll32.exe” as its command line, missing the usual DLL name and entry-point arguments, a conspicuous anomaly in environments with command-line and parent-child process monitoring.

Sandbox analysis further recovered multiple WinosStager plugin DLLs loaded within the rundll32 process, highlighting ValleyRAT’s modular design: instead of a single monolithic payload, functionality is delivered as on-demand plugins tailored to each operation.

Once established, ValleyRAT enables extensive post-compromise activity, including keylogging via a global keyboard hook injected into rundll32, process injection from WavesSvc64.exe into other processes, credential-related registry and browser cookie access, and system reconnaissance covering hostnames, users, locales, and attached drives.

It allocates read-write-execute (RWX) memory regions inside rundll32.exe for in-memory execution and cleans up its own artifacts by deleting executed files and numerous additional items to frustrate forensic recovery.

Investigators also noted mutexes containing the timestamp “2026. 2. 5” and references to C:\ProgramData\DisplaySessionContainers.log, where the malware maintains its own log file.

Attribution points strongly to the Silver Fox APT group, which has repeatedly distributed ValleyRAT/Winos4.0 using trojanized installers for Chinese-focused software such as QQ Browser, LetsVPN, and various gaming and productivity tools.

The Huorong lure continues that pattern, with Chinese-language filenames, locale checks, and security-focused branding aimed at Chinese-speaking users, including those looking for antivirus solutions.

However, the public leak of the ValleyRAT builder on GitHub in March 2025 has transformed the threat landscape: researchers documented about 6,000 ValleyRAT-related samples between November 2024 and November 2025, with roughly 85% appearing in the final six months of that period, indicating wider adoption beyond a single operator.

Defenders are urged to verify that Huorong downloads come only from huorong.cn, monitor for unauthorized Add-MpPreference Defender exclusion commands, and hunt for the Batteries scheduled task, %APPDATA%\trvePath directory, and IpDates_info registry key across endpoints.

Blocking outbound connections to 161.248.87.250, enabling IDS signatures for Winos4.0 traffic (including Emerging Threats SIDs 2052875, 2059975, and 2052262), and alerting on anomalous rundll32 usage and unexpected WavesSvc64.exe executions can significantly improve detection coverage.
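The host-side checks above can be run as a single triage script. The following is an added example written for this article, not code from Malwarebytes or the original report; it uses the artifact names given above (task, .job file, trvePath directory, WavesSvc64.exe, the IpDates_info and Console registry entries, Defender exclusions) and assumes process-creation auditing (event 4688) with command-line logging is enabled for the rundll32 and Add-MpPreference checks.

```powershell
# Added triage script: checks one Windows host for the ValleyRAT/Winos4.0
# artifacts named in the article and returns a list of findings (empty = clean).
# The 4688 lookback window of 7 days and the CommandLine field index are assumptions.
$findings = @()

# 1. Persistence: scheduled task "Batteries" and its legacy .job file
if (Get-ScheduledTask -TaskName 'Batteries' -ErrorAction SilentlyContinue) {
    $findings += 'Scheduled task "Batteries" present'
}
if (Test-Path "$env:SystemRoot\Tasks\Batteries.job") {
    $findings += "Task file $env:SystemRoot\Tasks\Batteries.job present"
}

# 2. Working directory and loader binary (also search Temp, where the installer unpacks)
$workDir = Join-Path $env:APPDATA 'trvePath'
if (Test-Path $workDir) { $findings += "Directory $workDir present" }
Get-ChildItem -Path $env:APPDATA, $env:TEMP -Recurse -Filter 'WavesSvc64.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Loader found: $($_.FullName)" }

# 3. Registry artifacts, checked in every loaded user hive rather than only HKCU
foreach ($sid in (Get-ChildItem Registry::HKEY_USERS).PSChildName) {
    if (Test-Path "Registry::HKEY_USERS\$sid\SOFTWARE\IpDates_info") {
        $findings += "Registry key HKU\$sid\SOFTWARE\IpDates_info present"
    }
    $console = Get-ItemProperty "Registry::HKEY_USERS\$sid\Console" -ErrorAction SilentlyContinue
    if ($console -and $console.PSObject.Properties.Name -contains '451b464b7a6c2ced348c1866b59c362e') {
        $findings += "Registry value HKU\$sid\Console\451b464b7a6c2ced348c1866b59c362e present"
    }
}

# 4. Defender exclusions that cover the campaign's directory or loader
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
        Where-Object { $_ -match 'trvePath|WavesSvc64' } |
        ForEach-Object { $findings += "Defender exclusion: $_" }
}

# 5. Process-creation log: Add-MpPreference use and rundll32.exe started with no arguments
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $cmd = [string]$_.Properties[8].Value   # CommandLine field of event 4688 (assumed index)
        if ($cmd -match 'Add-MpPreference') { $findings += "Defender exclusion command: $cmd" }
        if ($cmd -match '^\s*"?[^"]*rundll32\.exe"?\s*$') { $findings += "rundll32 without arguments: $cmd" }
    }

$findings
```

Run it elevated so the Security log, other users' hives and Defender preferences are readable; any non-empty output warrants isolating the host, since the article notes that deleting files alone does not remediate this infection.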

Security vendors, including Malwarebytes, currently flag and block known ValleyRAT variants and related infrastructure, but the rapid proliferation driven by the leaked builder means organizations should treat this campaign as an evolving, high-priority threat.
