Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations
ID: 5f0458af-3faa-538d-abc5-5147feb3e2c6
STIX ID: report--5f0458af-3faa-538d-abc5-5147feb3e2c6
Feed Name: Intezer Blog
This Intezer Labs report describes a targeted campaign that uses a multi-stage loader named PNGPlug to deliver the ValleyRAT remote access trojan to organizations in China, Hong Kong, and Taiwan. The attack chain begins with SEO-driven phishing pages that lead to a trojanized MSI; the installer deploys benign software while extracting an encrypted payload. The PNGPlug loader hides PE executables inside PNG files and performs in-memory injection, establishes persistence, checks for antivirus products, and executes ValleyRAT. The report attributes the campaign to the Silver Fox APT, details the loader and RAT behaviors, and provides multiple indicators of compromise, including IP addresses and file hashes.
