PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers


Cyberattacks targeting Chinese-speaking regions have been delivering the ValleyRAT malware through a multi-stage loader called PNGPlug. The infection starts with a phishing page that leads to a malicious MSI package, which deploys a benign application while extracting the malware. The payload includes a rogue DLL and files disguised as PNGs, which set up persistence and execute ValleyRAT, a remote access trojan. Linked to the Silver Fox threat group, the attack uses legitimate software to conceal its malicious actions, making it highly sophisticated.
