{
	"id": "d2bc431d-4961-4e0b-bf29-0f0a96a40a95",
	"created_at": "2026-04-06T01:31:47.164102Z",
	"updated_at": "2026-04-10T13:12:57.994246Z",
	"deleted_at": null,
	"sha1_hash": "c9894d7590a9bd72e74224451158cf0b40430e50",
	"title": "Chrome Installer Impersonation Campaign Targets China-Based Victims with ValleyRAT Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2419804,
	"plain_text": "Chrome Installer Impersonation Campaign Targets China-Based\r\nVictims with ValleyRAT Trojan\r\nBy Rahul Ramesh\r\nPublished: 2025-10-21 · Archived: 2026-04-06 01:09:34 UTC\r\nSummary\r\nHowler Cell identified a new 32-bit malicious installer disguised as a Google Chrome installer, which kickstarts\r\na multi-stage delivery chain, ultimately deploying the ValleyRAT remote access trojan.\r\nThe Howler Cell team identified Chinese language strings within the binary, including the internal DLL name,\r\nindicating that the installer is Chinese in origin.\r\nThe installer covers its activity by delivering a legitimate version of Chrome in the foreground to allay\r\nsuspicion.\r\nThe targeted security solutions are known products from Chinese vendors, indicating that the campaign is\r\ntargeting entities within China. Groups such as TA428 have a history of deploying ValleyRAT, and have a strong\r\nfocus on the Government, Technology, Defense, and Critical Infrastructure industries in China.\r\nAlong with allowing a threat actor remote access, ValleyRAT’s capabilities include remote command execution,\r\nfile upload/download, and persistence mechanisms. While the ultimate objective of the campaign is unknown,\r\nthere are clear opportunities for cyber espionage\r\nTechnical Analysis \r\nSHA256: a237f31b2d655dc2dd473db49a6bc599d8ddd39c084b6b28e2af011907080b07\r\nAttack Chain\r\nFigure 1 Attack Chain of ValleyRAT\r\nhttps://www.cyderes.com/howler-cell/chrome-installer-impersonation-campaign-targets-china-based-victims-with-valleyrat-trojan\r\nPage 1 of 15\n\nWe identified that the Chrome installer was created using InnoSetup and extracted the associated files, including the\r\nInnoSetup script (ISS) and the compiled Pascal code.\r\nFigure 2 Directory structure within Chrome Setup Installer\r\nWhen executed, the installer drops four files to disk. 
These include a legitimately signed Google Chrome installer and\r\nseveral archived and encrypted components used to carry out malicious activity in the background. An overview of\r\ndropped files is provided in Table 1.\r\nTable 1 Overview of dropped files\r\nFilename Sha256 Description\r\nSetup.exe 9a59260ff9b1ac88a5c75ed77524b4dbdf24bff78ea512a7c81d39e8b694ab51 Legitimate Google Chrome Setup\r\nMain.xml 74dae91cbf43e27911c32efc6b757b54c0c06cec2e254f86d336be006dc156f7 Password-protected 7-Zip archive\r\nServer.log af053928eaeeede43bc4dfe1d47c76b1079885b4d484106f995411ed18585dea RC4-encrypted PE file\r\nUnzip.exe a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 Legitimate 7-Zip standalone extractor\r\nInnoSetup allows authors to customize setup behavior using Pascal scripting. In this case, the embedded compiled\r\nPascal code was extracted and decompiled. During execution, the script uses the PowerShell Add-MpPreference cmdlet\r\nto create a Microsoft Defender exclusion for the target folder where additional malicious files are staged.\r\nStaging Folder - C:\\Users\\Public\\Documents\\WindowsData\\\r\nThe script has the password embedded within it to un-archive the password-protected archive (Main.xml) and extracts\r\nthe files to the target folder.\r\nFigure 3 Hardcoded password highlighted within the script\r\nMan.exe\r\nDuring the unarchiving process, a 32-bit C++ compiled executable named man.exe is dropped and executed to continue\r\nthe malicious attack chain.\r\nSHA-256: 153b27fba518f9d21ef487befdb0f05286a851661c2a41b1ca044abb60f3afe0\r\nOn execution, Man.exe begins by creating a vector list of installed security products. 
This list is later used to remove\r\ntheir driver callbacks using a kernel driver, helping the malware evade detection and maintain persistence.\r\nFigure 4 Vector initialization for targeted security processes\r\nAfter creating the vector list, the executable drops a password-protected archive embedded within itself into the staging\r\nfolder with the filename tree.exe. It then extracts the contents using the Chromium unzip library with the password\r\nServer8888. The files listed in Table 2 were dropped as a result of extraction.\r\nTable 2 Overview of Extracted Files\r\nFilename Sha256 Description\r\nKail.exe 72c33f24fb5853d2ef70adece5c7cacedd8e568a9025f7a82fd5ef5c2f9967c5 Legitimate 7-Zip standalone extractor\r\nBypass.exe 26612a0fc6ea86c665ae05391e0e4c1db8671b49ccb2eb684dc1983bda07a068 Acts as a loader for Nvidia.exe\r\nNvidia.exe 18ddb4a5600514dee770a6a3d5556442a51fc0bdf41d8ce397e0a22fde6da0a5 Executes AV Terminator\r\nWindows.log 76af9143af06d8f6913f9e5f3d0dfeb92077a0a7a3cff324a7e7016f489e2c56 RC4-encrypted PE file\r\nMe.key 38c2b968f93a39ef51d2660d9736814aca3acead017746f51ae778de8fe7d825 Password-protected 7-Zip archive\r\nAfter extracting additional components, man.exe launches bypass.exe using the WdcRunTaskAsInteractiveUser\r\nmethod. 
This API is resolved dynamically at runtime using GetProcAddress, as shown in Figure 5.\r\nFigure 5 Invoking bypass.exe via WdcRunTaskAsInteractiveUser\r\nBypass.exe\r\nBypass.exe is responsible for invoking NVIDIA.exe with elevated privileges by abusing the CMSTP COM interface.\r\nFigure 6 Bypass.exe invokes Nvidia.exe via UAC bypass\r\nNvidia.exe\r\nThe purpose of this executable is to read an encrypted file named Windows.log and decrypt it using a custom RC4 key:\r\n??Bid@locale@std. After decryption, a DLL (original name: R0Kill.dll) is loaded into memory. The executable then\r\ninvokes its exported function named NtHandleCallback.\r\nFigure 7 Decryption of Windows.log\r\nWhen invoked, the export function attempts to get a handle to NSecKrnl64.sys if it exists. It then tries to terminate the\r\nsecurity solution processes, whose names are hardcoded as strings within the unpacked executable, as shown in Figure\r\n8.\r\nFigure 8 Terminating Security solutions using NSecKrnl64.sys\r\nWhile Nvidia.exe is running with elevated privileges, man.exe continues its execution and extracts another password-protected archive Me.key using the password ‘killstartup’. The following files are dropped into the staging folder as a\r\nresult of this extraction. 
The overview of extracted files is shown in Table 3.\r\nTable 3 Overview of Extracted Files\r\nFilename Sha256 Description\r\nNtHandleCallback.exe c027cf868757babab33686bf4c41192339e04fa89ad868409a5cd4ed90a1f71e Legitimate signed file abused for sideloading\r\nLog.dll adc7c80f1a6f94d9ad18f880714fb0491c65f795f4affe7b670f4c64b0ddc9cb Malicious DLL executed via DLL-Sideloading\r\nMain.exe fb249bff9449bbd715d936e6bce4ce2354434dc9eb305e352ffadbc82562252f BlindEDR\r\nRwdriver.sys 1c763af41b74c7502d70093763723939a8025199e0ac7e39c04b5cf992f9e273 Driver abused by BlindEDR\r\nRwdriver.cat e90b505e3b31e15e608f2f9fb1c0fabdff29b91988eb6a61a73556e05e182d4c Catalog file\r\nNtHandleCallback.exe: Log.dll - Valley RAT Downloader\r\nNtHandleCallback.exe, a legitimately signed binary by Hangzhou Shunwang Technology Co.,Ltd., is executed\r\nfollowing the extraction. It is abused to sideload the malicious DLL named Log.dll.\r\nWhen loaded, Log.dll functions as a loader for the Valley RAT Downloader. It reads the RC4-encrypted file Server.log\r\nfrom the staging folder and decrypts it in memory using the same RC4 key (??Bid@locale@std) as used by\r\nNvidia.exe.\r\nFigure 9 RC4 decryption reproduced in CyberChef\r\nThe DLL then traverses the export directory of the decrypted DLL (original name: 上线模块.dll, translated as Online\r\nmodule.dll) and invokes its exported function NtHandleCallback. This function is responsible for downloading the final\r\npayload from the embedded C2 server and executing it. 
The configuration extracted from the binary is shown in Figure\r\n10.\r\nFigure 10 Downloader Configuration\r\nC2: 202[.]95[.]11[.]152\r\nPort: 8880\r\nGeneration Date: 2025/07/03\r\nOnce a successful connection is established to the C2 server, the payload is downloaded and stored in the registry under\r\nthe key d33f351a4aeea5e608853d1a56661059. The content is then read from the registry and injected into a newly\r\nspawned tracerpt.exe process via the Thread Execution Hijacking technique, as illustrated in Figure 11.\r\nFigure 11 Thread Injection into tracerpt.exe\r\nBased on prior analysis of WinOS 4.0 and known ValleyRAT samples, we have determined that the final downloaded\r\npayload is ValleyRAT.\r\nKernel Driver Load – Rwdriver.sys\r\nMan.exe continues execution by registering a driver as a service using the sc command-line utility, then starts the\r\nservice.\r\nFigure 12 Kernel driver registered as a service\r\nMain.exe\r\nTo advance the attack chain, man.exe runs main.exe with the arguments “Blind mode” and “Restore mode”, each\r\ninvoked individually using WinExec.\r\nMain.exe is a compiled version of the open-source project called BlindEDR. We also found references to this project\r\nand the POC to abuse them in a Chinese forum.\r\nBased on the information available, we identify main.exe as a slightly modified version of the BlindEDR tool. 
It is used to\r\nclear kernel callbacks registered by the list of monitored security solutions using the registered driver rwdriver.sys,\r\nwhich is shown in Figure 13.\r\nFigure 13 BlindEDR command line options\r\nList of targeted security solutions\r\nZhuDongFangYu.exe\r\n360tray.exe\r\nkscan.exe\r\nkewsprotect64.exe\r\nkxescore.exe\r\nkxetray.exe\r\nHipsMain.exe\r\nHipsTray.exe\r\nHipsDaemon.exe\r\nGMDL.exe\r\nQMPersonalCenter.exe\r\nQQPCPatch.exe\r\nQQPCRealTimeSpeedup.exe\r\nQQPCRTP.exe\r\nQQPCTray.exe\r\nQQRepair.exe\r\n360sd.exe\r\n360rp.exe\r\n360Tray.exe\r\n360Safe.exe\r\nClearing Traces\r\nAfter completing the attack chain, man.exe creates a batch file named delete_self.bat to remove all files it had dropped\r\nduring execution.\r\nFigure 14 Clearing traces using delete_self.bat\r\nMitigation\r\nThese are general steps that apply broadly to mitigate ValleyRAT.\r\nIsolate devices that are impacted by the risk and follow the organization's incident response guidelines.\r\nPrioritize mitigation of the highest risk assets first.\r\nKeep OS, applications, and drivers patched.\r\nRemove unused software and disable non-approved services such as PSEXECSVC.\r\nEnforce application whitelisting, for example with AppLocker, so that only approved binaries run.\r\nRestrict administrative privileges on the user accounts.\r\nRequire MFA on all remote login paths (RDP, SSH, VPN).\r\nDeploy EDR agents with the capability to detect common RAT behaviors (injection, persistence, memory\r\nanomalies).\r\nTrain users to recognize phishing, malicious attachments, and links.\r\nConclusion\r\nOur analysis revealed Chinese language strings within the binary, including the internal DLL name, and 
identified that\r\nthe targeted security solutions are products from Chinese vendors. This indicates the attackers have knowledge of the\r\nregional software environment and suggests the campaign is tailored to target victims in China. The use of localized\r\nartifacts, combined with selective targeting, points to a focused effort against systems in Chinese-speaking regions.\r\nAppendix\r\nMITRE Coverage\r\nExecution:\r\nT1047 - Windows Management Instrumentation\r\nT1106 - Native API\r\nT1059 - Command and Scripting Interpreter\r\nT1053 - Scheduled Task/Job\r\n002 - User Execution: Malicious File\r\nPersistence:\r\n002 - DLL Side-Loading\r\nDefense Evasion:\r\nT1078 - Valid Accounts\r\nT1134 - Access Token Manipulation\r\nT1055 - Process Injection\r\nT1140 - Deobfuscate/Decode Files or Information\r\nT1027 - Obfuscated Files or Information\r\n002 - Software Packing\r\nT1036 - Masquerading\r\nT1497 - Virtualization/Sandbox Evasion\r\nDiscovery:\r\nT1012 - Query Registry\r\nT1124 - System Time Discovery\r\nT1087 - Account Discovery\r\nT1083 - File and Directory Discovery\r\nT1082 - System Information Discovery\r\n001 - Security Software Discovery\r\nT1057 - Process Discovery\r\nT1010 - Application Window Discovery\r\nT1033 - System Owner/User Discovery\r\nT1614 - System Location Discovery\r\nCollection:\r\nT1056 - Input Capture\r\nT1560 - Archive Collected Data\r\nCommand and Control:\r\nT1105 - Ingress Tool Transfer\r\nIOCs\r\nC2\r\n202[.]95[.]11[.]152:8880\r\nSource: https://www.cyderes.com/howler-cell/chrome-installer-impersonation-campaign-targets-china-based-victims-with-valleyrat-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyderes.com/howler-cell/chrome-installer-impersonation-campaign-targets-china-based-victims-with-valleyrat-trojan"
	],
	"report_names": [
		"chrome-installer-impersonation-campaign-targets-china-based-victims-with-valleyrat-trojan"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439107,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9894d7590a9bd72e74224451158cf0b40430e50.pdf",
		"text": "https://archive.orkl.eu/c9894d7590a9bd72e74224451158cf0b40430e50.txt",
		"img": "https://archive.orkl.eu/c9894d7590a9bd72e74224451158cf0b40430e50.jpg"
	}
}