Fake Huorong Antivirus Sites Deploy ValleyRAT Backdoor in Chinese APT Campaign
The Silver Fox APT group created huoronga[.]com, a look-alike of the popular Chinese antivirus vendor Huorong Security. Visitors download BR火绒445[.]zip, which contains ValleyRAT built on the Winos4.0 framework. The malware adds Windows Defender exclusions for its own files and persists through a scheduled task named Batteries.
The attackers registered multiple typosquatted domains, including huorongcn[.]com and huorongh[.]com. The site's download button routes through hndqiuebgibuiwqdhr[.]cyou to Cloudflare R2 storage. The convincing fake site targets users looking for legitimate security software.
No zero-day exploit is required for initial access: the social engineering relies on mistyped domains and clicks on search results. The campaign is linked to Chinese-speaking threat actors who specialize in trojanized software.
After installation, ValleyRAT steals keystrokes, browser cookies and system information. Its modular design downloads additional modules on demand, and process injection keeps it stealthy while it captures sensitive credentials.

A PowerShell command excludes AppData\Roaming\trvePath and WavesSvc64.exe from Defender scans. The Batteries.job scheduled task triggers at boot and connects to 161.248.87[.]250:443. The core files delete themselves to evade signature detection.
The encoded C2 domain yandibaiji0203[.]com is stored under the HKCU\SOFTWARE\IpDates_info registry key. VM and debugger checks prevent analysis in sandboxes, and the log file DisplaySessionContainers.log records the malware's operations.
Organizations are at risk when users download antivirus software from unverified sources, and enterprise networks can be exposed through traveling employees' devices. The rapid proliferation of domains requires frequently updated blocklists.
Indicators of Compromise Table
| Type | Indicator |
|---|---|
| Fake Domain | huoronga[.]com |
| Fake Domain | huorongcn[.]com |
| Fake Domain | huorongh[.]com |
| C2 IP | 161.248.87[.]250:443 |
| Payload Host | pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev |
| Persistence | C:\Windows\Tasks\Batteries.job |
| Directory | %APPDATA%\trvePath\ |
| Registry | HKCU\SOFTWARE\IpDates_info |

Key Hashes
- NSIS Installer: 72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4
- WavesSvc64.exe: db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e
- DuiLib_u.dll: d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2
Hunting for unexpected Defender exclusions reveals compromised endpoints quickly, and scheduled-task enumeration detects Batteries.job deployments.
Detection Rules
- Monitor Defender exclusion additions via PowerShell
- Block connections to 161.248.87[.]250 port 443
- Hunt %APPDATA%\trvePath\ directory creation
- Audit Batteries scheduled task deployments
- Flag WavesSvc64.exe process anomalies
- Block Huorong typosquatted domains
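An added host-level hunt that checks a single Windows endpoint for the artifacts in the table and the rules above (example script written for this page, not from the original report or from Malwarebytes). It assumes an elevated PowerShell 5.1 or later session with the Defender and NetTCPIP modules available, and it checks only the current user's profile and registry hive.

```powershell
# Added hunting script for the ValleyRAT artifacts described in this report.
# Assumes elevated PowerShell 5.1+ on Windows; checks the current user only.
$findings = @()

# 1. Defender exclusions covering the trvePath directory or WavesSvc64.exe
$pref = Get-MpPreference
$badExcl = @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
    Where-Object { $_ -match 'trvePath|WavesSvc64\.exe' }
if ($badExcl) { $findings += "Defender exclusion(s): $($badExcl -join ', ')" }

# 2. Scheduled task "Batteries" (registered task or legacy .job file)
if ((Get-ScheduledTask -TaskName 'Batteries' -ErrorAction SilentlyContinue) -or
    (Test-Path 'C:\Windows\Tasks\Batteries.job')) {
    $findings += 'Scheduled task "Batteries" present'
}

# 3. Dropper directory under the current user's roaming profile
$trve = Join-Path $env:APPDATA 'trvePath'
if (Test-Path $trve) { $findings += "Directory exists: $trve" }

# 4. Registry key holding the encoded C2 domain
if (Test-Path 'HKCU:\SOFTWARE\IpDates_info') {
    $findings += 'Registry key HKCU\SOFTWARE\IpDates_info present'
}

# 5. Running payload process, with its on-disk SHA256 compared to the reported hash
$knownBad = @{ 'db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e' = 'WavesSvc64.exe' }
Get-Process -Name 'WavesSvc64' -ErrorAction SilentlyContinue | ForEach-Object {
    $tag = 'name match only'
    if ($_.Path) {
        $h = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $knownBad.ContainsKey($h.ToLower())) { $tag = 'known-bad hash' }
    }
    $findings += "Process WavesSvc64.exe (PID $($_.Id), $tag)"
}

# 6. Live connection to the reported C2 endpoint
$c2 = Get-NetTCPConnection -RemoteAddress '161.248.87.250' -RemotePort 443 -ErrorAction SilentlyContinue
if ($c2) { $findings += "Active connection to 161.248.87.250:443 (PID $($c2.OwningProcess -join ','))" }

if ($findings) {
    Write-Output "[!] $env:COMPUTERNAME - possible ValleyRAT artifacts:"
    $findings | ForEach-Object { Write-Output "    $_" }
} else {
    Write-Output "[+] $env:COMPUTERNAME - no ValleyRAT artifacts found"
}
```

Because the dropper directory and the IpDates_info key live in per-user locations, run the script in the context of each account that uses the machine, or extend checks 3 and 4 to iterate over the profiles under C:\Users and the loaded hives under HKEY_USERS.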
Chinese enterprises face the highest exposure because the fake site is easily confused with the legitimate one. The supply-chain risk extends to security products themselves, and global firms restrict employee antivirus downloads.
FAQ
huoronga[.]com, huorongcn[.]com, huorongh[.]com, huorongpc[.]com.
BR火绒445[.]zip via Cloudflare R2 through redirect domain.
Batteries.job scheduled task and Defender exclusions.
161.248.87[.]250 TCP 443 with encoded yandibaiji0203[.]com.
Antivirus download searches and domain mistypes.
Malwarebytes research team analysis.