
Hackers Exploit Windows Scheduler in ‘Silk Lure’ Attack to Spread ValleyRAT

Seqrite Labs has uncovered a sophisticated cyber-espionage operation that leverages a deceptive job application campaign to compromise Chinese organizations.

The campaign, dubbed Operation Silk Lure, uses spear-phishing emails and Windows Task Scheduler abuse to deploy the ValleyRAT malware on targeted systems.

Spear‑Phishing with a China-Focused Decoy


The attack begins with phishing emails that convincingly impersonate job seekers applying for technical roles in FinTech, cryptocurrency exchanges, and trading platforms.

Each message includes a malicious .LNK file masquerading as a résumé attachment, for instance, a document named after “李汉兵 (Li Hanbing),” a senior blockchain engineer from Guangdong.

The CV is written entirely in Simplified Chinese, lists authentic local companies and universities, and even references the popular Chinese recruitment site 拉勾网 (Lagou), increasing its credibility with HR departments.


When executed, the .LNK file silently launches a PowerShell script that downloads additional payloads from the domain pan.tenire.com, hosted on infrastructure operated by SonderCloud Limited in Hong Kong.

The downloaded files include keytool.exe, CreateHiddenTask.vbs, jli.dll, and a decoy résumé document.

The CreateHiddenTask.vbs script abuses Windows’ Task Scheduler to create a daily recurring job, misleadingly titled “Security,” that triggers the malicious executable each morning at 8:00 a.m. The script then deletes itself to remove forensic traces, allowing the malware to persist undetected.

RC4 Decryption and ValleyRAT Payload

Further analysis revealed that keytool.exe side-loads jli.dll, a loader component that decrypts embedded shellcode using an RC4 algorithm seeded with the key “123cba.”

This decrypted shellcode contains the malware’s Command and Control (C2) address 206.119.175.16 and launches an in-memory payload. Seqrite attributed this payload to ValleyRAT, a modular backdoor designed for extensive system surveillance and data theft.


ValleyRAT performs comprehensive reconnaissance, capturing screenshots, clipboard data, and network configurations. It fingerprints the system’s locale to identify machines in China or nearby regions.

It employs anti-virtualization and anti-antivirus techniques, terminating connections of popular Chinese AV suites such as 360Safe and Kingsoft. The RAT also logs keystrokes, monitors user activity, and exfiltrates sensitive data to its remote C2 infrastructure.

Seqrite’s research linked over 20 related .work domains, including app.jinanjinyu.work and app.maitangou.work, all resolving to the same Hong Kong IP cluster. The naming conventions resemble legitimate job portals, reinforcing the recruitment lure.

Operation Silk Lure exemplifies modern social-engineering precision combined with stealthy persistence.

Seqrite advises organizations to monitor for suspicious PowerShell executions with flags such as -NoP -ep Bypass, detect anomalous scheduled tasks named “Security,” and block outbound connections to pan.tenire.com and its related .work domains.
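As an added example (not code from Seqrite's report or this article), the three checks above applied to a handful of constructed Sysmon-style log lines: the key=value field layout, the sample command lines and the task paths are assumptions, while the PowerShell flags, the task name and the domains are the ones the article lists.

```python
import re

# Indicators named in the article; extend from the report's full IoC list in practice.
C2_DOMAINS = {"pan.tenire.com", "app.jinanjinyu.work", "app.maitangou.work"}
SUSPICIOUS_TASK_NAME = "security"

# Constructed sample telemetry (not real logs): one event per line, key=value
# fields, values containing spaces wrapped in double quotes.
SAMPLE_EVENTS = [
    'type=ProcessCreate cmdline="cmd.exe /c dir"',
    'type=ProcessCreate cmdline="powershell.exe -NoP -ep Bypass -w hidden -c <redacted>"',
    'type=ProcessCreate cmdline="powershell.exe -ExecutionPolicy RemoteSigned -File backup.ps1"',
    'type=TaskRegistered task="\\Security" action="C:\\Users\\Public\\keytool.exe" trigger=daily',
    'type=TaskRegistered task="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" trigger=weekly',
    'type=DnsQuery query=pan.tenire.com',
    'type=DnsQuery query=app.jinanjinyu.work',
    'type=DnsQuery query=update.microsoft.com',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one key=value line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def powershell_bypass(ev):
    """PowerShell started with -NoP and -ep Bypass; flags are case-insensitive and
    -ep/-ex/-exec are all accepted abbreviations of -ExecutionPolicy."""
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("type") == "ProcessCreate" and "powershell" in cmd
            and "-nop" in cmd and re.search(r"-e(?:p|x\w*)\s+bypass", cmd) is not None)

def hidden_security_task(ev):
    """A scheduled task registered under the bare name 'Security' (any folder)."""
    name = ev.get("task", "").rsplit("\\", 1)[-1]
    return ev.get("type") == "TaskRegistered" and name.lower() == SUSPICIOUS_TASK_NAME

def c2_lookup(ev):
    """DNS lookup of one of the campaign's download/C2 domains."""
    return ev.get("type") == "DnsQuery" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS

RULES = [("PowerShell -NoP -ep Bypass", powershell_bypass),
         ("Scheduled task named Security", hidden_security_task),
         ("Lookup of Silk Lure domain", c2_lookup)]

def scan(lines):
    """Return (rule name, parsed event) for every line that trips a rule."""
    return [(name, ev) for ev in map(parse_event, lines) for name, rule in RULES if rule(ev)]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```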


The post Hackers Exploit Windows Scheduler in ‘Silk Lure’ Attack to Spread ValleyRAT appeared first on Cyber Security News.
