
Fake Huorong security site infects users with ValleyRAT

Malwarebytes Labs, 23/02/2026, 12:18

Summary

AI-Generated

Key Points:

  • A fake Huorong Security site has been used to distribute ValleyRAT, a sophisticated Remote Access Trojan (RAT) attributed to the Silver Fox APT group, targeting users seeking antivirus solutions.
  • The attack leverages a typosquatted domain and a trojanized NSIS installer, resulting in unauthorized access and control over infected systems, with capabilities such as keylogging and process injection.
  • Recommended actions include verifying download sources, monitoring Windows Defender exclusions, auditing for persistence artifacts, blocking outbound connections to the C2 IP (161.248.87[.]250), and alerting on suspicious process executions.

Technical Details: The malware employs DLL sideloading techniques to execute malicious payloads while evading detection. It also uses PowerShell to modify Windows Defender settings for persistence and stealth.

MITRE ATT&CK Techniques:

  • T1189 - Drive-by Compromise (Initial Access)
  • T1059.001 - PowerShell (Execution)
  • T1053.005 - Scheduled Task (Persistence)
  • T1562.001 - Impair Defenses: Disable or Modify Tools (Defense Evasion)
  • T1574.002 - DLL Side-Loading (Defense Evasion)
  • T1027 - Obfuscated Files or Information (Defense Evasion)
  • T1218.011 - Rundll32 (Defense Evasion)
  • T1555 - Credentials from Password Stores (Credential Access)
  • T1082 - System Information Discovery (Discovery)
  • T1057 - Process Discovery (Discovery)
  • T1056.001 - Keylogging (Collection)
  • T1071 - Application Layer Protocol (Command and Control)
  • T1070.004 - Indicator Removal: File Deletion (Defense Evasion)

IOCs Mentioned:

  • Fake domains: huoronga[.]com, huorongcn[.]com
  • C2 IP: 161.248.87[.]250
  • File hashes: 72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4, db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e, etc.
  • Scheduled task: Batteries at C:\Windows\Tasks\Batteries.job
  • Registry key: HKCU\SOFTWARE\IpDates_info
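As an added example (not code from the Malwarebytes article or this summary), the script below turns the recommended actions and the indicators above into a small log-triage rule set: it scans constructed Sysmon-style records (process creation, network connection, file creation, registry set, DNS query) for the typosquatted domains, the C2 IP, the Batteries scheduled task and the IpDates_info registry key, and for the behaviours the summary describes (PowerShell adding a Defender exclusion, rundll32 loading a DLL from a user-writable path). The ` | `-separated key=value log format, the field names and the sample lines are assumptions made for the example; the indicator values are the ones the summary lists, with defanging brackets removed.

```python
"""Added example: host-log triage for the ValleyRAT indicators and behaviours
listed in the summary. Log lines are constructed, Sysmon-style 'key=value'
records separated by ' | '; they are illustrative, not real telemetry."""
import re
from dataclasses import dataclass

# Indicators from the summary (defanging brackets removed so they match raw logs).
IOC_DOMAINS = {"huoronga.com", "huorongcn.com"}
IOC_C2_IP = "161.248.87.250"
IOC_TASK_NAME = "Batteries"
IOC_TASK_PATH = r"C:\Windows\Tasks\Batteries.job"
IOC_REG_KEY = r"HKCU\SOFTWARE\IpDates_info"

# Behavioural patterns for the techniques the summary describes (assumed shapes).
DEFENDER_EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I)
RUNDLL32_USERPATH_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?:C:\\Users\\|%APPDATA%|%TEMP%)", re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)


@dataclass(frozen=True)
class Alert:
    tag: str      # ATT&CK ID from the summary, or "IOC:<kind>" for a plain indicator hit
    reason: str
    line: str


def parse_line(line: str) -> dict:
    """Split 'EventID=1 | Image=... | CommandLine=...' into a field dict."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def evaluate(line: str) -> list:
    """Return every alert a single log record triggers (possibly none)."""
    ev = parse_line(line)
    eid = ev.get("EventID")
    hits = []
    if eid == "22":  # DNS query
        if ev.get("QueryName", "").lower() in IOC_DOMAINS:
            hits.append(Alert("T1189", "lookup of typosquatted Huorong domain", line))
    elif eid == "3":  # network connection
        if ev.get("DestinationIp") == IOC_C2_IP:
            hits.append(Alert("T1071", "outbound connection to the ValleyRAT C2 IP", line))
        if ev.get("DestinationHostname", "").lower() in IOC_DOMAINS:
            hits.append(Alert("T1189", "connection to typosquatted Huorong domain", line))
    elif eid == "1":  # process creation
        cmd = ev.get("CommandLine", "")
        if DEFENDER_EXCLUSION_RE.search(cmd):
            hits.append(Alert("T1562.001", "Windows Defender exclusion added via PowerShell", line))
        if RUNDLL32_USERPATH_RE.search(cmd):
            hits.append(Alert("T1218.011", "rundll32 loading a DLL from a user-writable path", line))
        if SCHTASKS_CREATE_RE.search(cmd) and IOC_TASK_NAME.lower() in cmd.lower():
            hits.append(Alert("T1053.005", "scheduled task 'Batteries' created", line))
    elif eid == "11":  # file creation
        if ev.get("TargetFilename", "").lower() == IOC_TASK_PATH.lower():
            hits.append(Alert("T1053.005", "Batteries.job written to C:\\Windows\\Tasks", line))
    elif eid == "13":  # registry value set
        if ev.get("TargetObject", "").lower().startswith(IOC_REG_KEY.lower()):
            hits.append(Alert("IOC:registry", "write under HKCU\\SOFTWARE\\IpDates_info", line))
    return hits


def scan(lines) -> list:
    """Run every record through the rules and collect the alerts in log order."""
    return [a for line in lines for a in evaluate(line)]


def summarize(alerts) -> dict:
    """Count alerts per tag, handy for a quick triage view."""
    counts = {}
    for a in alerts:
        counts[a.tag] = counts.get(a.tag, 0) + 1
    return counts


# Constructed sample log: a plausible infection sequence plus two benign records.
SAMPLE_LOG = [
    "EventID=22 | Image=C:\\Program Files\\Browser\\browser.exe | QueryName=huoronga.com",
    "EventID=1 | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "CommandLine=powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming",
    "EventID=11 | Image=C:\\Users\\alice\\Downloads\\HRSetup.exe | TargetFilename=C:\\Windows\\Tasks\\Batteries.job",
    "EventID=13 | Image=C:\\Windows\\System32\\rundll32.exe | TargetObject=HKCU\\SOFTWARE\\IpDates_info\\cfg",
    "EventID=1 | Image=C:\\Windows\\System32\\rundll32.exe | "
    "CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\Updater\\core.dll,Start",
    "EventID=3 | Image=C:\\Windows\\System32\\rundll32.exe | DestinationIp=161.248.87.250 | DestinationPort=443",
    "EventID=1 | Image=C:\\Windows\\System32\\notepad.exe | CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    "EventID=3 | Image=C:\\Program Files\\Browser\\browser.exe | DestinationIp=203.0.113.10 | DestinationPort=443",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.tag}] {a.reason}\n    {a.line}")
    print(summarize(found))
```

The indicator rules are exact matches and should be fed from your own intel feed in practice; the behavioural rules (Defender exclusion, rundll32 from a user path, schtasks /create) are the part worth keeping after this campaign's domains and IP have rotated, because they describe what the installer does rather than where it lives.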

This summary provides actionable intelligence for SOC teams to mitigate risks associated with the ValleyRAT campaign effectively.
