Operation Silk Lure Weaponizing Windows Scheduled Tasks to Drop ValleyRAT

Over the past month, a targeted campaign dubbed Operation Silk Lure has surfaced, exploiting the Windows Task Scheduler to deploy a novel variant of ValleyRAT.

Emerging in mid-2025, the operation hinges on spear-phishing emails that carry malicious LNK attachments masquerading as candidate resumes.

When victims open these attachments, a hidden PowerShell command initiates the download of a decoy document and two executables: a loader (keytool.exe) and its side-loaded DLL (jli.dll).

Initial analysis reveals that the phishing lure is crafted for Chinese fintech and trading firms’ HR departments.

The malicious LNK file contains an obfuscated PowerShell one-liner, which silently retrieves payloads from a command-and-control (C2) server hosted in the United States.

Once executed, the dropper writes a VBScript named CreateHiddenTask.vbs into the user’s AppData folder, then runs it to establish persistence.

Seqrite researchers noted that this script programmatically registers a daily scheduled task named “Security,” spoofing Microsoft Corporation as the author, and immediately deletes itself to hinder detection.

Following the persistence step, the loader binary (keytool.exe) launches and uses DLL side-loading to execute jli.dll.

This DLL locates an 8-byte marker in its own file, extracts the subsequent encrypted payload, and performs RC4 decryption with a hard-coded key.

Infection chain (Source – Seqrite)

The decrypted shellcode is injected directly into memory, establishing contact with the C2 server at 206.119.175.16 and beginning reconnaissance and exfiltration.

Seqrite researchers noted that once inside, ValleyRAT engages in extensive data harvesting and defense-evasion maneuvers.

It fingerprints the host—collecting CPU details, screen resolution, and NIC information—while checking for virtualization or known antivirus products via WMI queries.

Detected security services, including 360Safe and Kingsoft, have their network connections forcefully terminated. All activities are logged and transmitted covertly over HTTPS, raising the risk of credential theft and corporate espionage.

Infection Mechanism and Persistence

A closer look at the infection chain uncovers the elegance of its persistence tactic. The VBScript used to register the scheduled task leverages COM interfaces to interact with the Task Scheduler.

Below is the core snippet from CreateHiddenTask.vbs:

Set service = CreateObject("Schedule.Service")
service.Connect
Set rootFolder = service.GetFolder("\")            ' register in the root of the task library
Set taskDef = service.NewTask(0)
With taskDef.RegistrationInfo
    .Author = "Microsoft Corporation"              ' spoofed author metadata
End With
With taskDef.Triggers.Create(2)                    ' TASK_TRIGGER_DAILY = 2
    .StartBoundary = "2025-08-01T08:00:01"
    .DaysInterval = 1
End With
Set shell = CreateObject("WScript.Shell")          ' ExpandEnvironmentStrings is a WScript.Shell method
With taskDef.Actions.Create(0)                     ' TASK_ACTION_EXEC = 0
    .Path = shell.ExpandEnvironmentStrings("%APPDATA%\keytool.exe")
End With
' flags 6 = TASK_CREATE_OR_UPDATE, logon type 3 = TASK_LOGON_INTERACTIVE_TOKEN
rootFolder.RegisterTaskDefinition "Security", taskDef, 6, "", "", 3

Upon registration, the task executes keytool.exe every morning at 8:00 AM. This mechanism ensures the loader runs consistently, even after system reboots.

By embedding author metadata and deleting the script, the threat actors blend into normal system activity, complicating forensic investigations.

The combination of LNK-based initial compromise, VBScript persistence, and DLL side-loading makes Operation Silk Lure a sophisticated threat demanding updated hunting signatures and vigilant monitoring of scheduled tasks.
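As an added defender-side example (not Seqrite's code or the article's), the following Python triages exported Task Scheduler XML definitions for the pattern described above: a task claiming Microsoft Corporation as author whose Exec action launches from a user-profile path. The two XML samples, the task names and the user name hr-user are constructed for the demonstration.

```python
r"""Added triage helper (not Seqrite's tooling): scan Task Scheduler XML
definitions (e.g. copies of C:\Windows\System32\Tasks\* from a triage image)
for Author spoofed as "Microsoft Corporation" on a task launching from a user-writable path."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a genuine Microsoft-authored task would not launch a binary from.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Downloads\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%)", re.I)

def triage_task(task_name: str, xml_text: str) -> list[str]:
    """Return findings for one task definition; an empty list means no hit."""
    root = ET.fromstring(xml_text)
    author = (root.findtext("t:RegistrationInfo/t:Author", "", NS) or "").strip()
    findings = []
    for cmd_el in root.findall("t:Actions/t:Exec/t:Command", NS):
        cmd = (cmd_el.text or "").strip()
        if not USER_WRITABLE.search(cmd):
            continue
        findings.append(f"{task_name}: Exec target in user-writable path: {cmd}")
        if author.lower() == "microsoft corporation":
            findings.append(f"{task_name}: Author 'Microsoft Corporation' on a task "
                            "launching from a profile directory (spoofed metadata)")
    return findings

# Constructed sample mirroring the CreateHiddenTask.vbs definition described above
# (task "Security", spoofed author, daily 08:00:01 trigger, %APPDATA%\keytool.exe).
SILK_LURE_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-08-01T08:00:01</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\hr-user\\AppData\\Roaming\\keytool.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed benign control: same author string, binary under %SystemRoot%.
BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\\system32\\svchost.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("\\Security", SILK_LURE_XML), ("\\Microsoft\\Windows\\Example", BENIGN_XML)):
        for line in triage_task(name, xml) or [f"{name}: no findings"]:
            print(line)
```

On a live host the same check can be run against the output of the Task Scheduler export (schtasks /query /xml) rather than files copied from an image.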


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.