Fake Installer: Ultimately, ValleyRAT infection
ID: a313cd8a-498c-55de-b9ad-808f55a4deea
STIX ID: report--a313cd8a-498c-55de-b9ad-808f55a4deea
Feed Name: Cybereason Blog
Cybereason GSOC analyzed a sophisticated fake LINE installer (SHA1 b02a99344f2fa81636ad913f805b52051debe529) that uses NSIS packaging, code signing with a suspicious certificate, PowerShell and Task Scheduler manipulation, and an advanced injection technique (PoolParty Variant 7) to load shellcode, evade detection, and download additional payloads (likely ValleyRAT); the report provides detailed IOCs, behavior analysis, and detection rules, and notes similarities to prior samples and potential APT links.
