Over the past month, a targeted campaign dubbed Operation Silk Lure has surfaced, abusing the Windows Task Scheduler to deploy a novel variant of ValleyRAT.
Emerging in mid-2025, the operation hinges on spear-phishing emails carrying malicious LNK attachments disguised as candidate resumes.
When victims open these attachments, a hidden PowerShell command initiates the download of a decoy document and two executables: a loader (keytool.exe) and its side-loaded DLL (jli.dll).
Initial analysis shows that the phishing lure is crafted for the HR departments of Chinese fintech and trading firms.
The malicious LNK file contains an obfuscated PowerShell one-liner that silently retrieves payloads from a command-and-control (C2) server hosted in the United States.
Once executed, the dropper writes a VBScript named CreateHiddenTask.vbs into the user's AppData folder, then runs it to establish persistence.
Seqrite researchers noted that this script programmatically registers a daily scheduled task named "Security", spoofing Microsoft Corporation as the author, and immediately deletes itself to hinder detection.
Following the persistence step, the loader binary (keytool.exe) launches and uses DLL side-loading to execute jli.dll.
This DLL locates an 8-byte marker in its own file, extracts the encrypted payload that follows it, and performs RC4 decryption with a hard-coded key.
Infection chain (Source: Seqrite)
The decrypted shellcode is injected directly into memory, establishing contact with the C2 server at 206.119.175.16 and beginning reconnaissance and exfiltration.
Seqrite researchers noted that once inside, ValleyRAT engages in extensive data harvesting and defense-evasion maneuvers.
It fingerprints the host, collecting CPU details, screen resolution, and NIC information, while checking for virtualization or known antivirus products via WMI queries.
Detected security products, including 360Safe and Kingsoft, have their network connections forcibly terminated. All activity is logged and transmitted covertly over HTTPS, raising the risk of credential theft and corporate espionage.
Infection Mechanism and Persistence
A closer look at the infection chain reveals the elegance of its persistence tactic. The VBScript used to register the scheduled task uses COM interfaces to interact with the Task Scheduler.
Below is the core snippet from CreateHiddenTask.vbs:
' WScript.Shell supplies ExpandEnvironmentStrings (object creation added for completeness)
Set shell = CreateObject("WScript.Shell")
Set service = CreateObject("Schedule.Service")
service.Connect
Set rootFolder = service.GetFolder("\")   ' root task folder
Set taskDef = service.NewTask(0)
With taskDef.RegistrationInfo
    .Author = "Microsoft Corporation"     ' spoofed publisher metadata
End With
' TASK_TRIGGER_DAILY = 2 (type 1 is a one-shot time trigger and has no DaysInterval)
With taskDef.Triggers.Create(2)           ' DAILY trigger
    .StartBoundary = "2025-08-01T08:00:01"
    .DaysInterval = 1
End With
With taskDef.Actions.Create(0)            ' EXEC action (TASK_ACTION_EXEC)
    .Path = shell.ExpandEnvironmentStrings("%APPDATA%\keytool.exe")
End With
' 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN
rootFolder.RegisterTaskDefinition "Security", taskDef, 6, "", "", 3
Upon registration, the task executes keytool.exe each morning at 8:00 AM. This mechanism ensures the loader runs consistently, even after system reboots.
By embedding publisher metadata and deleting the script, the threat actors blend into normal system activity, complicating forensic investigations.
The combination of LNK-based initial compromise, VBScript persistence, and DLL side-loading makes Operation Silk Lure a sophisticated threat demanding updated hunting signatures and vigilant monitoring of scheduled tasks.
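A hunting check for the persistence artefact described above, added here as an example and not part of Seqrite's report or the campaign's code: it parses Task Scheduler XML definitions (the per-task files under C:\Windows\System32\Tasks, or `schtasks /query /xml` output) and flags any task that claims a Microsoft author while launching a binary from a user-writable location. The sample definitions and the list of user-writable paths are constructed assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET

# Namespace of every Task Scheduler XML definition (schtasks /query /xml output
# and the per-task files under C:\Windows\System32\Tasks)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations an unprivileged user can write to (constructed list); a task that
# claims a Microsoft author yet launches from here matches the Silk Lure pattern
USER_WRITABLE = re.compile(
    r"%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\AppData\\|\\Temp\\|\\Users\\Public\\", re.I)
MS_AUTHOR = re.compile(r"^microsoft\b", re.I)

def assess_task(xml_data):
    """Return a list of findings for one task definition (XML str or bytes)."""
    root = ET.fromstring(xml_data)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS).strip()
    findings = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        if MS_AUTHOR.match(author) and USER_WRITABLE.search(cmd):
            findings.append(f"author '{author}' but action runs from user-writable path: {cmd}")
    return findings

def scan_tasks_dir(directory):
    """Map each task file under `directory` that has findings to those findings."""
    hits = {}
    for dirpath, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # bytes, so ET honours the file's encoding declaration
                try:
                    findings = assess_task(fh.read())
                except ET.ParseError:  # not a task definition; skip it
                    continue
            if findings:
                hits[path] = findings
    return hits

# Constructed samples for offline use (not captures from the campaign)
SILK_LURE_LIKE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-08-01T08:00:01</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%APPDATA%\keytool.exe</Command></Exec></Actions>
</Task>"""
GENUINE_LOOKING = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo><Actions Context="Author"><Exec><Command>%windir%\system32\sc.exe</Command></Exec></Actions>
</Task>"""
```

Run `scan_tasks_dir(r"C:\Windows\System32\Tasks")` from an elevated prompt on a suspect host; the single-definition check `assess_task` also works on XML exported from another machine.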