Qihoo 360: ValleyRAT Mimic as LINE Installer Attacking Users to Steal Login Details

Qihoo 360: ValleyRAT Mimic as LINE Installer Attacking Users to Steal Login Details

Sophisticated ValleyRAT Campaign Targets Chinese-Speaking Users via Fake LINE Installer

A newly uncovered malware campaign is distributing the ValleyRAT backdoor disguised as a legitimate installer for LINE, the popular messaging app. The attack primarily targets Chinese-speaking users, employing a deceptive executable to steal login credentials and establish long-term surveillance on compromised systems.

The malware uses a multi-stage infection chain to evade detection, beginning with a fake installer that disables Windows Defender via PowerShell commands, excluding entire drives from antivirus scans. It then deploys intel.dll, a malicious library that performs sandbox checks including file locking and mutex creation to verify the environment before unpacking the final payload.

Once active, ValleyRAT leverages the PoolParty Variant 7 injection technique, hiding malicious activity within trusted system processes like Explorer.exe and UserAccountBroker.exe. By abusing Windows I/O completion ports, the malware injects code into legitimate processes, enabling stealthy credential harvesting and persistent communication with command-and-control (C2) servers.

To maintain persistence, the malware registers scheduled tasks via Remote Procedure Call (RPC) and uses a fraudulent digital certificate issued to "Chengdu MODIFENGNIAO Network Technology Co., Ltd." though the signature is cryptographically invalid. It also terminates security software from vendors like Qihoo 360 to blind local defenses.

Discovered by Cybereason analysts, this campaign highlights the growing sophistication of process injection and evasion tactics, posing a significant risk to targeted users. The attack underscores the importance of verifying software sources and monitoring for suspicious process behavior, such as unexpected child processes spawned by Explorer.exe.

Source: https://cybersecuritynews.com/valleyrat-mimic-as-line-installer-attacking-users/

Qihoo 360 cybersecurity rating report: https://www.rankiteo.com/company/qihoo-360

"id": "QIH1770215688",
"linkid": "qihoo-360",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'location': 'Chinese-speaking regions',
                        'type': 'Individual users'}],
 'attack_vector': 'Fake software installer (LINE messaging app)',
 'data_breach': {'personally_identifiable_information': 'Potential',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Login credentials'},
 'description': 'A newly uncovered malware campaign is distributing the '
                'ValleyRAT backdoor disguised as a legitimate installer for '
                'LINE, the popular messaging app. The attack primarily targets '
                'Chinese-speaking users, employing a deceptive executable to '
                'steal login credentials and establish long-term surveillance '
                'on compromised systems. The malware uses a multi-stage '
                'infection chain to evade detection, beginning with a fake '
                'installer that disables Windows Defender via PowerShell '
                'commands, excluding entire drives from antivirus scans. It '
                'then deploys intel.dll, a malicious library that performs '
                'sandbox checks including file locking and mutex creation to '
                'verify the environment before unpacking the final payload. '
                'Once active, ValleyRAT leverages the PoolParty Variant 7 '
                'injection technique, hiding malicious activity within trusted '
                'system processes like Explorer.exe and UserAccountBroker.exe. '
                'By abusing Windows I/O completion ports, the malware injects '
                'code into legitimate processes, enabling stealthy credential '
                'harvesting and persistent communication with '
                'command-and-control (C2) servers. To maintain persistence, '
                'the malware registers scheduled tasks via Remote Procedure '
                'Call (RPC) and uses a fraudulent digital certificate issued '
                "to 'Chengdu MODIFENGNIAO Network Technology Co., Ltd.' though "
                'the signature is cryptographically invalid. It also '
                'terminates security software from vendors like Qihoo 360 to '
                'blind local defenses.',
 'impact': {'data_compromised': 'Login credentials',
            'identity_theft_risk': 'High',
            'operational_impact': 'Long-term surveillance, potential data '
                                  'exfiltration',
            'systems_affected': 'Compromised systems with ValleyRAT backdoor'},
 'initial_access_broker': {'backdoors_established': 'ValleyRAT backdoor',
                           'entry_point': 'Fake LINE installer'},
 'investigation_status': 'Discovered',
 'lessons_learned': 'Importance of verifying software sources and monitoring '
                    'for suspicious process behavior, such as unexpected child '
                    'processes spawned by Explorer.exe.',
 'motivation': 'Credential theft, surveillance',
 'post_incident_analysis': {'corrective_actions': 'Enhance verification of '
                                                  'software sources, implement '
                                                  'process monitoring, and '
                                                  'improve endpoint security '
                                                  'measures.',
                            'root_causes': 'Use of fake software installer, '
                                           'evasion techniques, and process '
                                           'injection'},
 'recommendations': 'Verify software sources, monitor for suspicious process '
                    'behavior, and enhance endpoint detection and response '
                    '(EDR) capabilities.',
 'references': [{'source': 'Cybereason'}],
 'response': {'third_party_assistance': 'Cybereason analysts'},
 'title': 'Sophisticated ValleyRAT Campaign Targets Chinese-Speaking Users via '
          'Fake LINE Installer',
 'type': 'Malware Campaign'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.