A convincing lookalike of the popular Huorong Security antivirus has been used to deliver ValleyRAT, a sophisticated Remote Access Trojan (RAT) built on the Winos4.0 framework, to users who believed they were improving their security. The campaign, attributed to the Silver Fox APT group (a Chinese-speaking threat group known for distributing trojanized versions of popular Chinese software), uses a typosquatted domain to serve a trojanized NSIS installer that deploys a full-featured backdoor with advanced user-mode stealth and injection capabilities.

A fake site built to catch security-conscious users

Huorong Security (known in Chinese as 火绒) is a free antivirus product developed by Beijing Huorong Network Technology Co., Ltd., and widely used across mainland China. The attackers registered huoronga[.]com (note the extra “a” at the end) as a near-perfect imitation of the legitimate huorong.cn. This typosquatting technique catches users who mistype the address or arrive via search engine poisoning or phishing links. The fake site looks convincing enough that most visitors would have no obvious reason to suspect anything is wrong.

Article Summaries:

  • A Chinese-speaking APT group, Silver Fox, has used a typosquatted domain (huoronga[.]com) to masquerade as the popular Huorong Security antivirus and deliver the ValleyRAT remote-access trojan. The fake site hosts a trojanized NSIS installer that, when run, installs a desktop shortcut and drops a set of files into the user’s Temp folder. The payload employs DLL sideloading: WavesSvc64.exe loads a malicious DuiLib_u.dll, which decrypts and executes shellcode from box.ini in memory. The chain mirrors the Catena loader pattern, enabling a stealthy, in-memory backdoor that bypasses typical security checks.
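Added here as a defender-side illustration of the sideloading step (example code, not from the article or from any vendor tooling): a small triage routine over Sysmon-style image-load records that flags the reported WavesSvc64.exe/DuiLib_u.dll pairing when the host runs from a user-writable directory, and more generally any host EXE in such a directory that resolves an unsigned DLL from beside itself. The record fields and sample paths are constructed for this example.

```python
# Triage of image-load telemetry (Sysmon Event ID 7 shape) for DLL sideloading.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Roots a standard user can write to; an installed product's host EXE and its
# DLLs normally live under Program Files, not here.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Host/DLL pairing reported for the Huorong-lookalike campaign.
KNOWN_SIDELOAD_PAIRS = {("wavessvc64.exe", "duilib_u.dll")}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # process executable that performed the load
    image_loaded: str  # DLL mapped into it
    dll_signed: bool   # sensor-reported signature status of the DLL


def _user_writable(path: PureWindowsPath) -> bool:
    return str(path).lower().startswith(USER_WRITABLE_ROOTS)


def classify(ev: ImageLoad) -> str:
    """Return 'known-sideload', 'suspected-sideload' or 'benign'."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.image_loaded)
    from_user_dir = _user_writable(exe.parent)
    if (exe.name.lower(), dll.name.lower()) in KNOWN_SIDELOAD_PAIRS and from_user_dir:
        return "known-sideload"
    # Generic sideload shape: a host EXE in a user-writable directory resolves an
    # unsigned DLL from its own directory (PureWindowsPath compares case-insensitively).
    if from_user_dir and exe.parent == dll.parent and not ev.dll_signed:
        return "suspected-sideload"
    return "benign"


def triage(events):
    """(verdict, image, image_loaded) for every non-benign load, in input order."""
    return [(v, e.image, e.image_loaded) for e in events
            if (v := classify(e)) != "benign"]


# Constructed sample telemetry: the dropped chain in %TEMP% plus two benign loads.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ImageLoad(TEMP + r"\WavesSvc64.exe", TEMP + r"\DuiLib_u.dll", False),
    ImageLoad(TEMP + r"\WavesSvc64.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\ui.dll", False),
    ImageLoad(TEMP + r"\setup.exe", TEMP + r"\helper.dll", False),
]
```

Running `triage(SAMPLE_EVENTS)` returns the known pairing and the unsigned Temp-directory load while the System32 and Program Files loads stay benign.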
