A new malware distribution campaign is leveraging the popularity of the LINE messaging application to spread ValleyRAT, a remote access trojan. The campaign, which has been active since early 2025, primarily targets Chinese-speaking users. Threat actors, linked to the APT group known as Silver Fox, have packaged ValleyRAT within a trojanized installer for LINE. When a user runs the fake setup file, the legitimate application may install as expected, but the malware is also covertly deployed onto the system. The primary goal of ValleyRAT is to establish persistence, evade detection, and steal sensitive user credentials.
The threat actor, Silver Fox, is using a classic trojan horse technique. By bundling their malware with a legitimate and popular application, they significantly increase the chances of a user willingly executing their malicious code. The campaign has been observed using fake installers for other popular software as well, such as VPN tools, but the use of the LINE installer is a key focus.
The target demographic appears to be Chinese-speaking users, suggesting a regionally focused or ethnically targeted operation. The malware itself, ValleyRAT, is a full-featured remote access trojan, giving attackers complete control over the compromised machine.
- T1204.002 - User Execution: Malicious File. The attack relies on the user downloading and executing the trojanized installer from a non-official source (e.g., a third-party download site, torrent, or phishing link).
- T1553.002 - Subvert Trust Controls: Code Signing. The fake installer may be signed with a stolen or fraudulent code-signing certificate to appear legitimate. It also masquerades as a trusted program. The campaign is also noted for using 'advanced evasion techniques'.
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. RATs like ValleyRAT typically establish persistence by adding entries to the Registry Run keys or placing shortcuts in the Startup folder to ensure they are executed every time the system boots.
- T1056.001 - Input Capture: Keylogging and T1555.003 - Credentials from Web Browsers. The primary goal is credential theft. ValleyRAT likely includes modules to log keystrokes and extract saved passwords from web browsers and other applications.
- T1071.001 - Application Layer Protocol: Web Protocols.

A successful infection with ValleyRAT can lead to a complete compromise of the victim's machine and data. The immediate impact is the theft of credentials for various online accounts (email, banking, social media), which can lead to financial loss and identity theft. For a corporate victim, a single compromised machine can serve as a beachhead for the attackers to move laterally within the network, escalate privileges, and exfiltrate sensitive company data, potentially leading to a larger-scale breach.
No specific file hashes, IP addresses, or domains were provided in the source articles.
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| file_name | LINE_installer.exe (unofficial) | Monitor for LINE installers downloaded from sources other than the official LINE website or app stores. | EDR, download logs | high |
| registry_key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Monitor for the creation of new, suspicious entries in Registry Run keys, a common persistence technique for RATs. | EDR, Sysmon (Event ID 13) | high |
| network_traffic_pattern | Unusual outbound connections | Look for persistent, low-and-slow 'heartbeat' connections to unknown domains, which is characteristic of RAT C2 communication. | NetFlow, firewall logs | medium |
- M1033 - Limit Software Installation. Prevent standard users from installing software. All software should be installed by administrators from vetted, official sources. Preventing users from installing software from unvetted sources is a key control against trojanized applications.
- M1017 - User Training. Train users to only download software from official websites and app stores and to be wary of 'free' versions of paid software or installers from third-party sites. Educate users about the dangers of downloading software from third-party sites and the importance of using official sources.
- M1049 - Antivirus/Antimalware. Deploy and maintain an enterprise-grade endpoint protection solution on all workstations and servers. Modern endpoint protection can detect and block known malware like ValleyRAT based on signatures and heuristics.
Implement application allowlisting policies to prevent the execution of unauthorized software like the trojanized LINE installer. Using tools like Windows Defender Application Control (WDAC), create a baseline of all approved software in the environment. Any executable not on this list, such as a fake installer downloaded from a third-party website, will be blocked from running. This approach moves from a reactive, signature-based defense to a proactive, 'default-deny' posture, which is highly effective against trojanized software campaigns. For organizations where LINE is a legitimate business tool, ensure the allowlist rule is based on the digital certificate of the official LINE Corporation, which the fake installer will lack.
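As an added example (not part of the advisory and not a LINE Corporation artefact), the following PowerShell performs the publisher check a deployment or helpdesk script can run before an installer is approved or turned into an allowlist rule: it verifies the Authenticode chain and compares the signer to a pinned publisher. The expected subject and thumbprint are placeholders; take the real values from a copy of the installer obtained directly from the official LINE website.

```powershell
# Added example, not from the advisory: gate an installer on its Authenticode
# signer before it is allowed to run or added to a WDAC allowlist.
# Both expected values are PLACEHOLDERS; read them from a known-good copy of
# the installer with: (Get-AuthenticodeSignature .\<official-installer>.exe).SignerCertificate
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSubject    = 'CN=LINE Corporation',              # placeholder
        [string] $ExpectedThumbprint = '<THUMBPRINT-OF-GENUINE-SIGNER>'    # placeholder
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $subject    = if ($cert) { $cert.Subject }    else { '<unsigned>' }
    $thumbprint = if ($cert) { $cert.Thumbprint } else { '' }

    $result = [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject    = $subject
        Thumbprint = $thumbprint
        Allowed    = $false
        Reason     = ''
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered after signing, or signed by a chain Windows does not trust.
        $result.Reason = "signature status is $($sig.Status)"
    }
    elseif ($subject -notlike "$ExpectedSubject*") {
        # Validly signed, but by a different publisher: a real certificate issued
        # to the wrong company still fails the allowlist.
        $result.Reason = "signer '$subject' is not the expected publisher"
    }
    elseif ($thumbprint -ne $ExpectedThumbprint) {
        # Right name, wrong certificate: pinning the thumbprint stops a
        # look-alike subject string from passing.
        $result.Reason = 'signer thumbprint does not match the pinned value'
    }
    else {
        $result.Allowed = $true
        $result.Reason  = 'signature valid and signer matches pinned publisher'
    }
    return $result
}

# Usage (example path): Allowed = $false should block deployment of the file.
Test-InstallerPublisher -Path 'C:\Downloads\LINE_installer.exe' | Format-List
```

This script only checks a file at deployment time; the persistent control the paragraph describes is a WDAC policy, and the same publisher pin becomes one by generating a policy from the known-good installer with `New-CIPolicy -Level Publisher` so that Windows enforces the rule on every execution rather than once. Note that a leaked copy of the genuine publisher's certificate would pass a publisher-only rule, which is why the thumbprint pin and certificate revocation checking are kept alongside it.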
Deploy an EDR solution capable of detailed process analysis to detect the post-execution behavior of ValleyRAT. Even if the initial installer evades detection, its actions on the endpoint will be anomalous. Configure detection rules to alert on: an installer process (setup.exe) creating persistence in registry run keys; a non-browser process making persistent outbound network connections; or processes associated with LINE attempting to access credential stores or perform keylogging. By monitoring the behavior of the process after execution, security teams can identify the presence of the RAT and initiate a response, even if the malware itself is unknown.
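To make the first two EDR rules above (and the registry and network rows of the indicators table) concrete, here is an added PowerShell hunt over the Sysmon operational log; it is not the advisory's own content. It assumes Sysmon is installed with registry value (Event ID 13) and network connection (Event ID 3) logging enabled; the browser list, the installer name pattern and the connection threshold are assumptions to tune per environment.

```powershell
# Added example, not from the advisory: hunt the Sysmon log for (1) installer-like
# processes writing Registry Run keys and (2) non-browser processes making
# repeated outbound connections to the same destination (RAT-style beaconing).
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)] $Event)
    # Sysmon puts its fields in EventData/Data elements keyed by the Name attribute.
    $xml  = [xml]$Event.ToXml()
    $data = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return [pscustomobject]$data
}

function Find-RunKeyPersistence {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.TargetObject -match '\\CurrentVersion\\Run(Once)?\\' } |
        Select-Object TimeCreated, Image, TargetObject, Details,
            # Assumption: installer binaries are usually named setup*/install*; flag them.
            @{ n = 'InstallerLike'; e = { [IO.Path]::GetFileName($_.Image) -match 'setup|install' } }
}

function Find-NonBrowserBeacons {
    param([int] $Hours = 24, [int] $MinConnections = 10)
    # Assumption: extend to whatever browsers are approved in the environment.
    $browsers = 'chrome.exe', 'msedge.exe', 'firefox.exe'
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.Initiated -eq 'true' -and
                       $browsers -notcontains [IO.Path]::GetFileName($_.Image) } |
        # Many connections from one process to one IP:port is the low-and-slow
        # heartbeat pattern the indicators table describes.
        Group-Object Image, DestinationIp, DestinationPort |
        Where-Object Count -ge $MinConnections |
        Select-Object Count, Name
}

Find-RunKeyPersistence | Format-Table -AutoSize
Find-NonBrowserBeacons | Format-Table -AutoSize
```

Run this from an elevated prompt on the endpoint, or point the same logic at a central SIEM that ingests Sysmon. The third rule in the paragraph (LINE-associated processes touching credential stores or keylogging) needs file-access or API-level telemetry from the EDR itself, which Sysmon does not record, so it is left to the EDR's rule engine.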

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.