Imagine downloading a popular antivirus to protect your system, only to have it secretly install a Remote Access Trojan (RAT). In a recent targeted campaign, attackers cloned the Huorong Security antivirus website to deliver ValleyRAT, a powerful RAT built on the Winos4.0 framework.
For CISOs, SOC analysts, and IT managers, this incident highlights the dangers of typosquatting, supply chain deception, and targeted malware campaigns. In this post, we’ll break down the attack chain, the malware’s tactics, and actionable defenses for organizations.
What Is ValleyRAT and the Huorong Attack?
ValleyRAT is a modular Remote Access Trojan that enables attackers to:
- Capture keystrokes
- Read browser cookies
- Query system information
- Inject malicious code into other processes for stealth execution
The recent campaign leveraged a fake Huorong Security site—huoronga[.]com—a near-perfect clone of the legitimate huorong.cn. This typosquatting trick exploits users who mistype URLs or click phishing links.
Key insight: Targeting antivirus software increases the likelihood of users installing malicious software under the guise of protection.
How the Attack Works
Infection Chain
- User Interaction:
Visiting the fake site and clicking the download button routes the request through an intermediary domain before fetching the payload from Cloudflare R2 storage. - Malware Delivery:
The file, BR火绒445.zip, uses Huorong’s Chinese name to maintain legitimacy. Once extracted and executed, ValleyRAT installs stealthily. - Modular Payload:
ValleyRAT can download additional modules on demand, making infections hard to fully assess.
Persistence and Evasion
ValleyRAT employs multiple tactics to maintain presence and avoid detection:
- Windows Defender Evasion: Uses PowerShell to mark
%APPDATA%\trvePathandWavesSvc64.exeas trusted, preventing automatic scans. - Scheduled Task: Creates
C:\Windows\Tasks\Batteries.jobto run at every system boot. - Self-Modification: Deletes and rewrites core files to evade signature detection.
- Anti-Analysis: Detects debuggers and virtual machine environments before full deployment.
- C2 Communication: Connects to IP
161.248.87[.]250over TCP port 443, with configuration stored underHKCU\SOFTWARE\IpDates_info.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Fake Domains | huoronga[.]com, huorongcn[.]com, huorongh[.]com, huorongpc[.]com, huorongs[.]com |
| Redirect Domain | hndqiuebgibuiwqdhr[.]cyou |
| Payload Host | pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev |
| C2 IP | 161.248.87[.]250 (TCP 443) |
| Encoded C2 Domain | yandibaiji0203[.]com |
| SHA-256 | NSIS Installer: 72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4 |
| SHA-256 | WavesSvc64.exe: db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e |
| Persistence Directory | %APPDATA%\trvePath\ |
| Scheduled Task | C:\Windows\Tasks\Batteries.job |
| Registry Keys | HKCU\SOFTWARE\IpDates_info, HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e |
| Log File | C:\ProgramData\DisplaySessionContainers.log |
Why This Attack Is Dangerous
- Targeted Supply Chain Attack: Uses typosquatting to trick legitimate users.
- No Exploit Required: Relies entirely on user trust and social engineering.
- Stealthy Persistence: Scheduled tasks, Defender bypass, and self-modifying files make it hard to detect.
- Data Theft & Remote Control: Modular RAT allows attackers to expand capabilities at will.
Best Practices to Mitigate ValleyRAT
Supply Chain and Software Security
- Validate URLs before downloading software, especially antivirus or utility programs.
- Avoid installing from search results; prefer official vendor sites.
- Regularly audit endpoints for unauthorized scheduled tasks or new directories.
Endpoint & Network Defense
- Block outbound connections to 161.248.87[.]250 and suspicious domains.
- Audit Defender exclusions for unauthorized entries.
- Monitor for unusual process injection or scheduled tasks like Batteries.job.
Detection & Threat Intelligence
- Use behavioral analytics to detect stealthy RAT activity.
- Map attacker techniques to MITRE ATT&CK for structured incident response.
- Implement continuous endpoint monitoring for modular malware behavior.
Expert Insights
- Risk Impact: ValleyRAT can exfiltrate sensitive data, control systems remotely, and bypass standard protections.
- Compliance Consideration: Organizations under PCI DSS, HIPAA, or ISO 27001 should ensure endpoint monitoring covers supply chain attacks.
- Prevention Strategy: Education on typosquatting and phishing is as important as technical controls for RAT defense.
FAQs
1. What is typosquatting in cybersecurity?
Typosquatting is registering domain names similar to legitimate sites to trick users into visiting malicious websites.
2. How does ValleyRAT maintain persistence?
It uses scheduled tasks, Windows Defender bypasses, and self-modifying files stored in %APPDATA%\trvePath.
3. Can ValleyRAT steal sensitive information?
Yes, it captures keystrokes, browser cookies, system info, and can execute remote commands.
4. How can organizations detect this RAT?
Monitor for suspicious scheduled tasks, unusual process injections, unauthorized Defender exclusions, and outbound connections to unknown IPs/domains.
5. What makes antivirus-targeted malware effective?
Users often trust security software, so disguising malware as an antivirus increases the likelihood of execution.
Conclusion
The ValleyRAT campaign demonstrates how attackers exploit typosquatting, social engineering, and supply chain weaknesses to deliver sophisticated RATs.
Organizations must combine technical controls, endpoint monitoring, and user awareness to mitigate these threats. Proactively auditing software sources, monitoring network traffic, and enforcing behavioral detection policies are critical to staying ahead of advanced attackers.
Next step: Review endpoint scheduled tasks, validate Defender exclusions, and ensure all downloads originate from verified sources.
