Sophisticated ValleyRAT Campaign Targets Chinese-Speaking Users via Fake LINE Installer A newly uncovered malware campaign is distributing the ValleyRAT backdoor disguised as a legitimate installer for LINE, the popular messaging app. The attack primarily targets Chinese-speaking users, employing a deceptive executable to steal login credentials and establish long-term surveillance on compromised systems. The malware uses a multi-stage infection chain to evade detection, beginning with a fake installer that disables Windows Defender via PowerShell commands, excluding entire drives from antivirus scans. It then deploys intel.dll, a malicious library that performs sandbox checks including file locking and mutex creation to verify the environment before unpacking the final payload. Once active, ValleyRAT leverages the PoolParty Variant 7 injection technique, hiding malicious activity within trusted system processes like Explorer.exe and UserAccountBroker.exe. By abusing Windows I/O completion ports, the malware injects code into legitimate processes, enabling stealthy credential harvesting and persistent communication with command-and-control (C2) servers. To maintain persistence, the malware registers scheduled tasks via Remote Procedure Call (RPC) and uses a fraudulent digital certificate issued to "Chengdu MODIFENGNIAO Network Technology Co., Ltd." though the signature is cryptographically invalid. It also terminates security software from vendors like Qihoo 360 to blind local defenses. Discovered by Cybereason analysts, this campaign highlights the growing sophistication of process injection and evasion tactics, posing a significant risk to targeted users. The attack underscores the importance of verifying software sources and monitoring for suspicious process behavior, such as unexpected child processes spawned by Explorer.exe.