Cybercriminals are distributing a fake LINE messenger installer that silently deploys the ValleyRAT malware to steal credentials while evading detection.
Since early 2025, threat actors have increasingly used fraudulent software installers to deliver malware.
This campaign shares techniques with previously discovered LetsVPN-themed attacks, including task-scheduler persistence, PowerShell-based evasion, and C2 communications via Hong Kong servers.
Cybereason's Global SOC (GSOC) performed a detailed analysis of a repeatedly observed sample posing as the LINE installer and found several previously unknown capabilities in related samples.
Recent incidents observed by the GSOC show that this fake LINE installer, built with the Nullsoft Scriptable Install System (NSIS), imitates legitimate installers to mislead users, particularly Chinese-speaking targets.
Discovery and Behavior
The Cybereason team analyzed a sample (SHA1: b02a99344f2fa81636ad913f805b52051debe529) that pretends to be a LINE setup file. Once launched, it spawns three processes: PowerShell, rundll32.exe executing intel.dll, and chrmstp.exe, each performing system modifications and stealth operations.
PowerShell commands disable Windows Defender scanning on system drives, while intel.dll and chrmstp.exe execute encoded shellcode files (config.ini, config2.ini, Sangee.ini) that retrieve further payloads from remote C2 servers.

These payloads establish persistence and perform code injection into Windows Explorer (explorer.exe) and UserAccountBroker.exe using PoolParty Variant 7, a rarely seen injection method that manipulates I/O Completion Ports to run malicious code stealthily within legitimate processes.
Cybereason observed advanced anti-analysis tactics including sandbox detection using file-locking tests, watchdog features inside injected system processes, and digital certificate tampering to feign legitimacy.
The fake installer’s certificate claims to belong to “Chengdu MODIFENGNIAO Network Technology Co., Ltd.”, but validation fails with a CRYPT_E_HASH_VALUE error. That error means the file’s computed Authenticode hash does not match the hash stored in the signed data, i.e. the binary was modified after signing or the signature block was grafted on from another file, which confirms signature tampering rather than a merely expired or untrusted certificate.
VirusTotal searches revealed multiple other NSIS-based samples using the same certificate to masquerade as installers for AnyDesk, ToDesk, Sogou, and similar Chinese applications.
Potential Payload: ValleyRAT
The campaign’s C2 servers, 143.92.38[.]217 and 206.238.221[.]165, are consistent with ValleyRAT (also known as Winos 4.0) activity previously linked to the Silver Fox APT group.
The malware writes shellcode into Explorer’s virtual memory using VirtualAllocEx() and WriteProcessMemory(), then points the Callback field of a TP_DIRECT structure at it so that the target’s own thread pool runs the shellcode when an I/O completion packet is queued, with no remote thread being created.

ValleyRAT is capable of credential theft, clipboard capture, and system reconnaissance. The new variant adds stealthier persistence through direct RPC-based Scheduled Task registration and PoolParty injection, marking a significant upgrade over earlier versions analyzed by Rapid7.
Cybereason advises implementing the following security measures:
- Detection Rules: Flag creation of files under `%AppData%\TrustAsia`, outbound connections from UserAccountBroker.exe when spawned by Explorer.exe, and binaries signed by invalid or unverifiable certificates.
- Certificate Validation: Block executables signed in the name “Chengdu MODIFENGNIAO Network Technology Co., Ltd.”, as this entity no longer exists and its certificates are consistently abused.
- User Awareness: Warn users against downloading software from unverified links and instruct them to cancel installations showing “Unknown Publisher” in the UAC prompt.
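The three detection rules above, as an added example that is not Cybereason's or the article's code: a small Python pass over constructed Sysmon-style telemetry. The event field names (id, pid, ppid, image, parent_image, target, dest_ip, dest_port, signature), the expansion of `%AppData%` to `AppData\Roaming`, and the sample events themselves are assumptions made for the illustration; the first four events model the chain the article describes and the remaining ones are benign noise the rules must not flag.

```python
"""Added example (not Cybereason's or the article's code): the page's three
detection rules run over constructed, Sysmon-style telemetry. Field names are
assumptions modelled loosely on Sysmon event IDs 1 (process create),
3 (network connect) and 11 (file create); the events are constructed, not
real logs from the campaign."""

import ntpath

# Signer name the article reports on the tampered certificate.
BLOCKED_SIGNER = "Chengdu MODIFENGNIAO Network Technology Co., Ltd."

# %AppData% normally expands to <profile>\AppData\Roaming, so the rule matches
# on that path fragment (assumption: telemetry records expanded paths).
TRUSTASIA_DIR = "\\appdata\\roaming\\trustasia\\"

# Constructed telemetry (assumed field names). Events 1-4 model the article's
# chain; the rest are benign activity the rules must leave alone.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 1588, "image": r"C:\Users\alice\Downloads\LineInstaller.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "signature": {"signer": BLOCKED_SIGNER, "status": "CRYPT_E_HASH_VALUE"}},
    {"id": 11, "pid": 4120, "image": r"C:\Users\alice\Downloads\LineInstaller.exe",
     "target": r"C:\Users\alice\AppData\Roaming\TrustAsia\intel.dll"},
    {"id": 1, "pid": 5200, "ppid": 1588, "image": r"C:\Windows\System32\UserAccountBroker.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "signature": {"signer": "Microsoft Windows", "status": "Valid"}},
    {"id": 3, "pid": 5200, "image": r"C:\Windows\System32\UserAccountBroker.exe",
     "dest_ip": "143.92.38.217", "dest_port": 18852},
    # Benign: explorer launches a validly signed notepad, which writes under Roaming\Notepad.
    {"id": 1, "pid": 6000, "ppid": 1588, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "signature": {"signer": "Microsoft Windows", "status": "Valid"}},
    {"id": 11, "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Notepad\session.bin"},
    # Benign: UserAccountBroker started by svchost (not explorer) talks outbound.
    {"id": 1, "pid": 7100, "ppid": 900, "image": r"C:\Windows\System32\UserAccountBroker.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "signature": {"signer": "Microsoft Windows", "status": "Valid"}},
    {"id": 3, "pid": 7100, "image": r"C:\Windows\System32\UserAccountBroker.exe",
     "dest_ip": "20.190.160.1", "dest_port": 443},
]


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def rule_trustasia_drop(events):
    """Rule 1: any file created under %AppData%\\TrustAsia."""
    return [
        {"rule": "trustasia_file_drop", "pid": e["pid"], "detail": e["target"]}
        for e in events
        if e["id"] == 11 and TRUSTASIA_DIR in e["target"].lower()
    ]


def rule_uab_outbound_from_explorer(events):
    """Rule 2: outbound connection from UserAccountBroker.exe whose parent is
    explorer.exe. Parent image is taken from the process-create event with the
    same pid, so a network event with no matching start event is not flagged."""
    parents = {e["pid"]: _basename(e["parent_image"]) for e in events if e["id"] == 1}
    return [
        {"rule": "uab_outbound_from_explorer", "pid": e["pid"],
         "detail": f"{e['dest_ip']}:{e['dest_port']}"}
        for e in events
        if e["id"] == 3
        and _basename(e["image"]) == "useraccountbroker.exe"
        and parents.get(e["pid"]) == "explorer.exe"
    ]


def rule_untrusted_signature(events):
    """Rule 3: process start whose image is unsigned, fails validation (any
    status other than Valid, e.g. CRYPT_E_HASH_VALUE), or carries the blocked
    publisher name regardless of status."""
    alerts = []
    for e in events:
        if e["id"] != 1:
            continue
        sig = e.get("signature") or {}
        if sig.get("status") != "Valid" or sig.get("signer") == BLOCKED_SIGNER:
            alerts.append({"rule": "untrusted_signature", "pid": e["pid"],
                           "detail": f"{sig.get('signer', '<unsigned>')} ({sig.get('status', 'none')})"})
    return alerts


def run_rules(events):
    """Run all three rules; alerts are sorted by rule name, then pid."""
    alerts = (rule_trustasia_drop(events)
              + rule_uab_outbound_from_explorer(events)
              + rule_untrusted_signature(events))
    return sorted(alerts, key=lambda a: (a["rule"], a["pid"]))


if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(f"{a['rule']:28} pid={a['pid']:<6} {a['detail']}")
```

Run against the constructed events, the pass raises exactly three alerts: the TrustAsia drop by the installer, the UserAccountBroker.exe connection to 143.92.38.217:18852 under explorer.exe, and the installer's failed signature. The svchost-spawned UserAccountBroker.exe and the Roaming\Notepad write are left alone, which is the point of correlating on the parent image and on the full path fragment rather than on the process name or on "AppData" alone.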
This campaign demonstrates how threat actors weaponize installer trust mechanics to gain administrator privileges and deploy information-stealing malware.
By blending legitimate installation flows with sophisticated injection and evasion techniques, attackers can bypass standard endpoint defenses.
Cybereason GSOC continues tracking these evolving ValleyRAT variants and urges enterprises to validate all installer certificates, enforce signed-software execution policies, and monitor for suspicious process hierarchies indicative of installer-based threats.
IOCs
| IOC | IOC Type | Description |
|---|---|---|
| b02a99344f2fa81636ad913f805b52051debe529 | SHA-1 | LineInstaller.exe (Fake Installer) |
| b4feadbada51e68852a8a732f0e79ae725a755a4 | SHA-1 | intel.dll |
| 51330636e299128c026c77cbc77dc24f3db49336 | SHA-1 | Config2.ini |
| 9120e22231ea9f597d8bb62d46e4775bd3fe5ccb | SHA-1 | Config2.ini |
| fab0802c3978f096223ff3b29188c3617e3cfa62 | SHA-1 | chrmstp.exe |
| da64ac77059050fdf30143da3671d41fff872689 | SHA-1 | Sangee.ini |
| 8e7e3a910f06310ca9fe1d07fd1a4208eeb53a25 | SHA-1 | PolicyManagement.xml |
| 2fd374f17e059cb16e530c3b73b883d5c57ce0f0 | SHA-1 | updated.ps1 |
| 143.92.38[.]217:18852 | IP address:port | C&C server |
| 206.238.221[.]165:443 | IP address:port | C&C server |