Full Report
Authors: Dixit Panchal, Soumen Burma & Kartik Jivani

Table of Contents: Introduction; Initial Analysis; Analysis of Decoy; Infection Chain; Technical Analysis; Infrastructure Hunting; Conclusion; Seqrite Coverage; IoCs; MITRE ATT&CK

Introduction: Seqrite Lab has been actively monitoring global cyber threat activity and has recently uncovered an ongoing campaign leveraging a Command and Control (C2) infrastructure hosted […]

Source: "Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)", first published on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Tool/Technique: ValleyRAT (via Operation Silk Lure Campaign)
## Overview
Operation Silk Lure is an ongoing cyber-espionage campaign aimed at Chinese organisations in the FinTech, cryptocurrency exchange and trading platform sectors that are recruiting for engineering and technical roles. Spear-phishing emails impersonate job applicants and carry a malicious LNK file disguised as a résumé; opening the LNK starts a multi-stage chain that installs **ValleyRAT** and establishes persistence through a scheduled task. ValleyRAT performs reconnaissance (screenshots, clipboard harvesting, system metadata) and exfiltrates the collected data to a US-based C2 infrastructure.
## Technical Details
- Type: Malware Family (RAT - Remote Access Trojan) / Attack Campaign
- Platform: Windows
- Capabilities: Initial access via LNK droppers, PowerShell execution, automated downloading of secondary stages, persistence via Scheduled Tasks, credential/data theft (screenshots, clipboard), data exfiltration.
- First Seen: October 16, 2025 (publication date of the Seqrite analysis; the campaign was described as ongoing at that time).
## MITRE ATT&CK Mapping
Based on the sequence described:
**Initial Access (TA0001)**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (via malicious .LNK seemingly embedded in a resume)
**Execution (TA0002)**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.005 - Command and Scripting Interpreter: Visual Basic (`CreateHiddenTask.vbs` registers the scheduled task)
- T1204.002 - User Execution: Malicious File
**Persistence (TA0003)**
- T1053.005 - Scheduled Task/Job: Scheduled Task (Daily task named "Security")
**Privilege Escalation (TA0004)**
- T1055.001 - Process Injection: Dynamic-link Library Injection
- T1055.002 - Process Injection: Portable Executable Injection
**Defense Evasion (TA0005)**
- T1574.001 - Hijack Execution Flow: DLL (DLL side-loading: the dropped `jli.dll` is loaded by `keytool.exe`; formerly tracked as T1574.002 DLL Side-Loading, merged into T1574.001 in ATT&CK v16)
- T1140 - Deobfuscate/Decode Files or Information
- T1036.008 - Masquerading: Masquerade File Type
- T1027.009 (Embedded Payloads), T1027.010 (Command Obfuscation), T1027.013 (Encrypted/Encoded File) - Obfuscated Files or Information
- T1497.001 / T1497.002 - Virtualization/Sandbox Evasion
**Credential Access (TA0006)**
- T1056.001 - Input Capture: Keylogging
- T1056.002 - Input Capture: GUI Input Capture
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
**Discovery (TA0007)**
- T1083 - File and Directory Discovery
**Collection (TA0009)**
- T1115 - Clipboard Data
- T1005 - Data from Local System
- T1039 - Data from Network Shared Drive
- T1113 - Screen Capture
**Command and Control (TA0011)**
- T1071.001 - Application Layer Protocol: Web Protocols
**Exfiltration (TA0010)**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Initial Delivery:** Uses highly localized, credible Chinese-language LNK files embedded in faux résumés (`.lnk` dropper).
- **Staging:** LNK executes a long PowerShell command, downloading secondary artifacts (`keytool.exe`, `CreateHiddenTask.vbs`, `jli.dll`, decoy resume) to `C:\Users\<User>\AppData\Roaming\Security\`.
- **Persistence:** Deploys `CreateHiddenTask.vbs` to create a daily scheduled task named "Security" set to run `keytool.exe` at 8:00 AM.
- **Data Theft:** Capable of capturing screenshots, harvesting clipboard contents, and gathering system metadata.
- **Communication:** Exfiltrates collected data over C2 channels using web protocols.
### Advanced Features
- **DLL Side-Loading:** `keytool.exe` is the legitimate Java key and certificate tool, and like the other JDK launchers it imports `jli.dll` from its own directory. The dropper places a malicious `jli.dll` beside a copy of `keytool.exe` in `%APPDATA%\Security`, so every run of the scheduled task loads the attacker's DLL inside a normally trusted process (T1574.001); this is the execution-flow hijack behind the Privilege Escalation and Defense Evasion mappings above.
- **Obfuscation/Evasion:** Heavy use of obfuscated initial payloads (long PowerShell string) and layered execution stages, alongside specific checks to evade sandboxes/VMs.
## Indicators of Compromise
- File Hashes:
- MD5: `6ea9555f1874d13246726579263161e8` (CreateHiddenTask.vbs)
- MD5: `f5b9ad341ccfe06352b8818b90b2413e` (李汉彬.lnk)
- MD5: `83b341a1caab40ad1e7adb9fb4a8b911` (83b341a1caab40ad1e7adb9fb4a8b911.zip)
- MD5: `3ca440a3f4800090ee691e037a9ce501` (jli.dll)
- MD5: `e94e7b953e67cc7f080b83d3a1cdcb1f` (keytool.exe)
- File Names: `CreateHiddenTask.vbs`, `keytool.exe` (used maliciously), `jli.dll`, `李汉彬.lnk`.
- Registry Keys: none published. Persistence is via Task Scheduler (T1053.005); every registered task also leaves an entry under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<TaskName>` and an XML definition under `%SystemRoot%\System32\Tasks\<TaskName>`, which is where to look for the "Security" task on a suspect host.
- Network Indicators:
- Staging host: `pan[.]tenire[.]com` (serves the second-stage files fetched by the PowerShell command)
- C2 IP: `119[.]175[.]65` (as published; not a complete IPv4 address)
- C2 IP: `119[.]175[.]178` (as published; not a complete IPv4 address)
- Behavioral Indicators: Programmatic creation of a daily scheduled task named "Security" via VBScript interacting with Task Scheduler COM objects.
## Associated Threat Actors
- Threat Actors behind Operation Silk Lure (specific group name not provided in the context, but characterized by targeting Chinese FinTech professionals).
## Detection Methods
- Signature-based detection: Based on file hashes listed in IoCs.
- Behavioral detection: Monitoring for PowerShell execution chains derived from LNK files, VBScript instantiating Task Scheduler COM objects, and creation of the "Security" scheduled task.
- YARA rules: (Not provided).
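The behavioural detections above, expressed as rules over constructed Sysmon-style and Security-log events. This is an added example and not Seqrite's detection content; the event records, user name, paths and rule thresholds are assumptions. It also covers the DLL side-loading indicator from Advanced Features: `keytool.exe` loading a `jli.dll` from a user-writable directory, or an unsigned one from its own directory.

```python
"""
Detection logic for the Silk Lure chain summarised on this page
(LNK -> PowerShell -> VBScript task creation -> keytool.exe side-loading jli.dll).
Added example, not Seqrite's code. Events are constructed inline in the shape of
Sysmon EID 1 (process create), Sysmon EID 7 (image load) and Security EID 4698
(scheduled task created); user name, paths and field values are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Directories a standard user can write to; a host binary that normally lives under
# Program Files executing or loading from here is the side-loading pattern.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)
SIDELOAD_DLLS = {"jli.dll"}             # imported by the Java keytool.exe from its own directory
SUSPICIOUS_TASK_NAMES = {r"\security"}  # task name used by this campaign

SAMPLE_EVENTS: List[Event] = [
    # 1. LNK opened from Explorer spawns a long, hidden, policy-bypassing PowerShell.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -NoP -ep bypass -c " + "A" * 900},
    # 2. PowerShell runs the dropped VBScript from %APPDATA%\Security.
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\AppData\Roaming\Security\CreateHiddenTask.vbs"'},
    # 3. The script's Task Scheduler COM calls surface as EID 4698 carrying the task XML.
    {"EventID": 4698, "TaskName": r"\Security", "SubjectUserName": "victim",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\victim\\AppData\\Roaming"
                    "\\Security\\keytool.exe</Command></Exec></Actions></Task>"},
    # 4. keytool.exe (copied next to the payload) loads the unsigned jli.dll beside it.
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\Security\keytool.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Security\jli.dll", "Signed": "false"},
    # 5. Benign control: a real JDK keytool loading its own signed jli.dll.
    {"EventID": 7, "Image": r"C:\Program Files\Java\jdk-21\bin\keytool.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk-21\bin\jli.dll", "Signed": "true"},
]


def _base(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def _dir(path: object) -> str:
    return str(path).rsplit("\\", 1)[0].lower()


def rule_lnk_powershell(ev: Event) -> bool:
    """Explorer-parented PowerShell with hiding/bypass flags or an abnormally long command."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "powershell.exe":
        return False
    cmd = str(ev.get("CommandLine", ""))
    flags = re.search(
        r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|enc(?:odedcommand)?\b)",
        cmd, re.IGNORECASE)
    return _base(ev.get("ParentImage", "")) == "explorer.exe" and (flags is not None or len(cmd) > 500)


def rule_vbs_from_user_dir(ev: Event) -> bool:
    """wscript/cscript executing a .vbs that lives in a user-writable directory."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) not in {"wscript.exe", "cscript.exe"}:
        return False
    m = re.search(r'([A-Za-z]:\\[^"]+?\.vbs)\b', str(ev.get("CommandLine", "")), re.IGNORECASE)
    return bool(m and USER_WRITABLE.match(m.group(1)))


def rule_task_created(ev: Event) -> bool:
    """EID 4698: the task name reused by the campaign, or an action run from a user-writable path."""
    if ev.get("EventID") != 4698:
        return False
    name_hit = str(ev.get("TaskName", "")).lower() in SUSPICIOUS_TASK_NAMES
    m = re.search(r"<Command>([^<]+)</Command>", str(ev.get("TaskContent", "")))
    path_hit = bool(m and USER_WRITABLE.match(m.group(1).strip()))
    return name_hit or path_hit


def rule_dll_sideload(ev: Event) -> bool:
    """EID 7: a known side-load DLL loaded from a user-writable directory, or an unsigned
    copy loaded from the host binary's own directory."""
    if ev.get("EventID") != 7:
        return False
    dll = str(ev.get("ImageLoaded", ""))
    if _base(dll) not in SIDELOAD_DLLS:
        return False
    unsigned_same_dir = (_dir(dll) == _dir(ev.get("Image", ""))
                         and str(ev.get("Signed", "")).lower() == "false")
    return bool(USER_WRITABLE.match(dll)) or unsigned_same_dir


RULES: Dict[str, Callable[[Event], bool]] = {
    "lnk_powershell_launch": rule_lnk_powershell,
    "vbs_from_user_writable_dir": rule_vbs_from_user_dir,
    "task_created_security_or_user_path": rule_task_created,
    "jli_dll_sideload": rule_dll_sideload,
}


def scan(events: List[Event]) -> List[Tuple[str, int]]:
    """Every (rule, event index) pair that fires, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


def chain_stages(events: List[Event]) -> List[str]:
    """Distinct stages of the chain present in the stream; several together on one host
    is a far stronger signal than any single rule, which can fire on admin activity."""
    seen = {name for name, _ in scan(events)}
    return [name for name in RULES if name in seen]


if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS):
        print(f"{rule:36} event #{idx + 1}")
    print("chain stages observed:", chain_stages(SAMPLE_EVENTS))
```

Run as a script it prints the hits; the benign JDK event is left alone. The Task Scheduler COM instantiation inside `CreateHiddenTask.vbs` is not something Sysmon records directly, which is why the rules key off the script host's process creation and the resulting 4698 event instead. Page on `chain_stages` reporting three or more stages within a short window rather than on a single rule.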
## Mitigation Strategies
- Block `.lnk` attachments (including inside archives) at the mail gateway and treat shortcut files from untrusted sources as executables, since opening one is enough to start the chain.
- Restrict PowerShell with AppLocker/WDAC and Constrained Language Mode, and alert on long, hidden, execution-policy-bypassing command lines launched from Explorer.
- Block the published indicators (`pan[.]tenire[.]com` and the listed 119[.]175 addresses) at the network edge; a blanket block of 119.175.0.0/16 is broader than the published indicators support.
- Audit scheduled tasks regularly: new or recurring tasks, hidden tasks, and any task whose action runs from a user-writable location such as `%APPDATA%` (here `%APPDATA%\Security\keytool.exe`).
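A concrete form of the scheduled-task audit, as an added example that is not Seqrite's code: it parses Task Scheduler XML definitions and flags the traits the page attributes to the "Security" task. The two task documents are constructed in the schema Windows stores under `%SystemRoot%\System32\Tasks`; the benign defrag task, the trigger times and the user name are assumptions.

```python
"""
Audit of Task Scheduler definitions for the traits attributed to the "Security" task
on this page: daily trigger, hidden, action under a user-writable path, known name.
Added example, not Seqrite's or the malware's code. The XML is constructed in the
schema Windows uses for the files under the System32 Tasks directory.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)
KNOWN_BAD_TASK_NAMES = {"security"}  # name reused by Operation Silk Lure

SAMPLE_TASKS: Dict[str, str] = {
    # Shaped after what CreateHiddenTask.vbs is described as registering (assumed values).
    r"\Security": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-10-16T08:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions>
    <Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\Security\\keytool.exe</Command></Exec>
  </Actions>
</Task>""",
    # Benign control (assumed): a weekly maintenance task running a binary from System32.
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec><Command>C:\\Windows\\System32\\defrag.exe</Command><Arguments>-c -h</Arguments></Exec>
  </Actions>
</Task>""",
}


def audit_task(name: str, xml_text: str) -> List[str]:
    """Return the suspicious traits found in one task definition (empty list = nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    # Task path as shown by schtasks, e.g. "\Security"; compare on the leaf name.
    if name.lstrip("\\").lower() in KNOWN_BAD_TASK_NAMES:
        findings.append("known_task_name")
    # Calendar triggers with ScheduleByDay are the "daily at 08:00" pattern from the page.
    for trig in root.findall("t:Triggers/t:CalendarTrigger", NS):
        if trig.find("t:ScheduleByDay", NS) is not None:
            findings.append("daily_trigger")
    # <Hidden>true</Hidden> removes the task from the default Task Scheduler view only.
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        findings.append("hidden")
    # Any Exec action whose command lives in a user-writable directory.
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        if USER_WRITABLE.match(cmd):
            findings.append("exec_from_user_writable_dir")
    return findings


def audit_all(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map task path -> findings, keeping only tasks that triggered at least one check."""
    report = {name: audit_task(name, xml) for name, xml in tasks.items()}
    return {name: hits for name, hits in report.items() if hits}


if __name__ == "__main__":
    for task_name, hits in audit_all(SAMPLE_TASKS).items():
        print(f"{task_name}: {', '.join(hits)}")
```

On a live host, read each file below `%SystemRoot%\System32\Tasks` as bytes (they are UTF-16 with a BOM) and hand the bytes to `ET.fromstring`, or export one task with `schtasks /Query /TN <name> /XML`. Hidden tasks are still present on disk and in the registry TaskCache, so this audit sees them even though the Task Scheduler console does not show them by default.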
## Related Tools/Techniques
- DLL Side-loading (General Technique).
- PowerShell Droppers (General Technique).
- ValleyRAT (Specific Malware family, often associated with espionage).