Sophisticated Malware Campaign Deploys ValleyRat via Trojanized Installers

Researchers have uncovered a sophisticated malware campaign in which threat actors weaponize trojanized installers for popular productivity applications to deploy ValleyRat, a persistent remote access tool. The operation uses advanced evasion techniques, including kernel-level driver abuse, endpoint security tampering, and multi-stage obfuscation, to evade detection and establish long-term system compromise. The campaign has been attributed to an advanced persistent threat (APT) group active since at least 2022.

The threat actors repurpose legitimate installer files for Telegram, WinSCP, Google Chrome, and Microsoft Teams, applications that users regularly download and trust. Upon execution, the victim sees a standard installation interface while the malware silently stages payloads, deploys kernel drivers, disables security defenses, and launches a ValleyRat beacon that grants the adversaries persistent remote access.

Latest mentioned: 12-02
Earliest mentioned: 11-28