The operation demonstrates a high level of technical maturity, combining multiple layers of evasion, persistence, and kernel-level tampering to maintain long-term access on compromised systems.
The attack begins when victims run trojanized installers like tg.exe, an unsigned 49.7 MB file masquerading as Telegram Desktop 6.0.2.
Once executed, it displays a legitimate installation interface but secretly creates the C:\ProgramData\WindowsData directory and drops several payloads there.
Among them is funzip.exe (a renamed 7‑Zip binary) and main.xml, a password-protected archive containing second‑stage components.
Before extraction, the installer turns off defenses by adding a Microsoft Defender exclusion for the entire C: drive; that configuration change is logged as Defender event ID 5007 and is an immediate red flag.
When extracted using the password htLcENyRFYwXsHFnUnqK, the archive releases men.exe, the orchestrator that drives the intrusion chain. men.exe executes reconnaissance, tampering, and persistence tasks, deploying files into %PUBLIC%\Documents\WindowsData and setting restrictive file permissions to block cleanup.
It also creates a scheduled task named WindowsPowerShell.WbemScripting.SWbemLocator to run an encoded X.vbe script at every user logon, which is its primary persistence mechanism.
The decoded X.vbe script launches NVIDIA.exe and NtHandleCallback.exe. NVIDIA.exe loads a Bring Your Own Vulnerable Driver (BYOVD) based on NSecKrnl64.sys, exposing an IOCTL interface that allows the malware to kill security processes directly at the kernel level.
main.exe then installs another driver, rwdriver.sys, to disrupt EDR hooks and logging pipelines, often preventing activity from reaching SIEM systems.
Finally, NtHandleCallback.exe, a legitimate signed binary, sideloads a malicious log.dll that contains the ValleyRat beacon, establishing command‑and‑control with keepmasterr[.]com (161.248.15.144:9000).
The campaign’s staging within ProgramData and Public folders, password‑protected archives, and UAC bypass via the ICMLuaUtil COM interface are all strong indicators.
Security tools such as Nextron’s THOR detect these phases using YARA rules, process analysis, and telemetry correlation, and flag indicators such as renamed 7‑Zip utilities, encoded VBE scripts, or drivers loaded from user‑writable paths.
Sigma rules targeting scheduled task creation, Defender exclusions, and service installations in the %PUBLIC% location can further aid defenders.
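As an added illustration of the detection logic described above (this is example code written for this article, not a Nextron or Sigma rule), the script below applies three checks to constructed, simplified Windows event records: a drive-wide Defender exclusion (event 5007, as the article notes), a scheduled task whose action runs an encoded VBE script from a ProgramData or Public staging directory (assumed to come from Security event 4698), and a driver loaded from a user-writable path (assumed to come from Sysmon event 6). The field names and sample values are assumptions for the example, not real telemetry.

```python
"""Flag ValleyRat-style staging indicators over constructed Windows event records."""
import re

# Constructed sample events (not real telemetry). Fields are simplified stand-ins
# for Defender 5007, Security 4698 and Sysmon 6 (DriverLoad) records.
SAMPLE_EVENTS = [
    {"source": "Defender", "id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"},
    {"source": "Security", "id": 4698, "task_name": r"\WindowsPowerShell.WbemScripting.SWbemLocator",
     "command": r"wscript.exe //e:vbscript C:\ProgramData\WindowsData\X.vbe"},
    {"source": "Sysmon", "id": 6, "image_loaded": r"C:\Users\Public\Documents\WindowsData\NSecKrnl64.sys"},
    {"source": "Sysmon", "id": 6, "image_loaded": r"C:\Windows\System32\drivers\ndis.sys"},
    {"source": "Security", "id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -k -g"},
]

# Locations a standard user can write to; a kernel driver should never load from here.
USER_WRITABLE = re.compile(r"^(?:C:\\ProgramData\\|C:\\Users\\Public\\|%PUBLIC%\\|%TEMP%\\|%APPDATA%\\)", re.I)
STAGING_DIRS = re.compile(r"(?:C:\\ProgramData\\|%PUBLIC%\\|C:\\Users\\Public\\)", re.I)

def defender_drive_exclusion(ev):
    """Defender 5007 whose new value adds an exclusion path that is a bare drive root."""
    if ev.get("source") != "Defender" or ev.get("id") != 5007:
        return None
    m = re.search(r"Exclusions\\Paths\\([A-Za-z]:\\?)\s*=", ev.get("new_value", ""))
    return f"drive-wide Defender exclusion for {m.group(1)}" if m else None

def task_runs_encoded_script(ev):
    """Security 4698 scheduled task whose action runs a .vbe/.vbs file from a staging directory."""
    if ev.get("source") != "Security" or ev.get("id") != 4698:
        return None
    cmd = ev.get("command", "")
    if STAGING_DIRS.search(cmd) and re.search(r"\.vb[es]\b", cmd, re.I):
        return f"scheduled task {ev['task_name']} runs a script from a staging directory"
    return None

def driver_from_user_writable(ev):
    """Sysmon 6 driver load whose image path sits in a user-writable location."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 6:
        return None
    path = ev.get("image_loaded", "")
    return f"driver loaded from user-writable path: {path}" if USER_WRITABLE.match(path) else None

RULES = (defender_drive_exclusion, task_runs_encoded_script, driver_from_user_writable)

def scan(events):
    """Return (event index, finding) pairs for every event that trips a rule."""
    return [(i, hit) for i, ev in enumerate(events) for rule in RULES if (hit := rule(ev))]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

The two benign records (the System32 driver and the built-in defrag task) pass through untouched, which is the point: the rules key on location and configuration scope, not on file names alone.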
Silver Fox, active since at least 2022, continues to rely on archive‑based staging and abuse of vulnerable drivers.
The ValleyRat campaign shows the actors' growing proficiency in combining BYOVD, DLL sideloading, and anti-forensic tactics, and reminds defenders that trusted software installers remain one of today's most effective social-engineering lures.
The post ValleyRat Malware Delivered Through Abuse of Telegram, Chrome, Teams, and WinSCP appeared first on Cyber Security News.