Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)
ID: c4b35533-cca8-5103-ba30-91b88f537165
STIX ID: report--c4b35533-cca8-5103-ba30-91b88f537165
Feed Name: Seqrite Blog
Seqrite Lab describes 'Operation Silk Lure', a targeted spear-phishing campaign that uses localized Chinese résumé decoys containing malicious .LNK shortcuts. The shortcuts drop a PowerShell stage that fetches keytool.exe and jli.dll; the side-loaded DLL decrypts and executes an in-memory payload (ValleyRAT) that performs reconnaissance, keylogging, screenshots, AV/VM evasion, network disruption of security products, and exfiltration to C2 infrastructure (notably 206.119.175.16/65/162/178 and multiple .work domains). The report contains static and dynamic analysis, persistence via a scheduled task named 'Security' (created by CreateHiddenTask.vbs), RC4-based payload extraction, IoCs (MD5 hashes, domains, IPs), and MITRE ATT&CK mappings to aid detection and response.
