Fake Huorong Antivirus Website Spreads ValleyRAT via Trojanized NSIS Installer and DLL Sideloading Campaign

Security researchers published a detailed analysis of an ongoing threat campaign where attackers are using a convincingly forged version of the popular Chinese antivirus Huorong Security (火绒) to distribute a Remote Access Trojan (RAT) called ValleyRAT. This campaign illustrates how typosquatting and supply-chain trust abuse remain extremely effective at luring even security-savvy victims.


Background: What Is Huorong Security?

Huorong Security — known in Chinese as 火绒 — is a free antivirus and endpoint protection product developed by Beijing Huorong Network Technology Co., Ltd. It’s widely used across China for malware defense and endpoint monitoring, and blends traditional scanning with heuristic and behavior-based detection.

This reputation is exactly what threat actors exploited.


The Lure: Fake Site via Typosquatting

The attackers registered a domain that is nearly identical to the legitimate installer site:

  • Fake domain: huoronga[.]com
  • Legitimate domain: huorong.cn

The only difference? An extra “a” appended to the name — a classic typosquatting trick.

This tactic ensures that users who mistype the genuine site URL or arrive via poisoned search results are redirected to the malicious domain. The fake site’s visuals, layout, and branding closely match the real Huorong site, making the scam even more deceptive.


Payload Delivery Mechanics

Download Chain

When a victim clicks “Download,” the request flows like this:

  1. Fake site redirects silently through an intermediary domain (hndqiuebgibuiwqdhr[.]cyou).
  2. The payload is hosted on Cloudflare R2 storage.
  3. The compressed file is delivered as BR火绒445.zip — using Chinese characters (火绒) to further reduce suspicion.

Trojanized NSIS Installer

Inside the ZIP is an NSIS installer (Nullsoft Scriptable Install System). NSIS is a legitimate installer framework that many real applications use. In this case, it’s been modified to:

  • Emulate a normal installation flow
  • Avoid detection by simply-packed executable scanners
  • Establish a sense of legitimacy for a casual observer or non-technical user

When executed, the installer places a desktop shortcut named 火绒.lnk (Huorong.lnk) to reinforce the illusion of a successful install.


Under the Hood: ValleyRAT and DLL Sideloading

Once run, the installer drops several components into the victim’s Temp directory — including decoy binaries and legitimate-looking DLLs. Among these are:

  File             Role
  WavesSvc64.exe   Main loader disguised as an audio service
  DuiLib_u.dll     Hijacked UI library used for DLL sideloading
  box.ini          Encrypted shellcode configuration

Why is this significant? Because the campaign uses a technique called DLL sideloading, which abuses legitimate Windows behavior to load malicious DLLs alongside trusted binaries.


DLL Sideloading Explained

When an executable imports a DLL by name, Windows searches the executable’s own directory before the more protected system directories, so a file with the expected name dropped beside the executable wins the lookup. Attackers use this behavior by:

  1. Placing a malicious DLL (DuiLib_u.dll) next to a legitimate host executable (WavesSvc64.exe)
  2. Choosing a DLL name that matches one of the host’s genuine dependencies, so the loader resolves that import to the attacker’s file
  3. Letting the trusted host process execute the attacker-controlled code, so the malicious activity appears to come from a legitimate process

This sideloading then triggers in-memory decryption/execution of malicious shellcode from box.ini.
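As an added defender-side example, not tooling from the report, the following PowerShell function triages a dropped folder for the pairing described above: a host EXE sitting beside DLLs whose Authenticode signer differs from the EXE’s (or that are unsigned), or that shadow a DLL of the same name in System32. The folder defaults to %TEMP%, which the report names as the drop location; the function name Find-SideloadCandidates is my own.

```powershell
# Added example (not from the original report): list DLL sideloading candidates
# in a folder. A signed host binary next to a DLL signed by someone else, or by
# nobody, is the shape of WavesSvc64.exe + DuiLib_u.dll described above.
function Find-SideloadCandidates {
    param([string]$Folder = $env:TEMP)   # report: components dropped into Temp

    $system32 = Join-Path $env:SystemRoot 'System32'
    $dlls = Get-ChildItem -Path $Folder -Filter '*.dll' -File -ErrorAction SilentlyContinue
    $exes = Get-ChildItem -Path $Folder -Filter '*.exe' -File -ErrorAction SilentlyContinue

    foreach ($exe in $exes) {
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
        $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }
        foreach ($dll in $dlls) {
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }
            # Indicator 1: the host is validly signed but the DLL beside it is not from the same signer
            $signerMismatch = ($exeSig.Status -eq 'Valid') -and ($dllSigner -ne $exeSigner)
            # Indicator 2: the DLL name also exists in System32, i.e. it shadows a system library
            $shadowsSystem = Test-Path (Join-Path $system32 $dll.Name)
            if ($signerMismatch -or $shadowsSystem) {
                [pscustomobject]@{
                    HostExe       = $exe.Name
                    HostSigner    = $exeSigner
                    Dll           = $dll.Name
                    DllSigner     = $dllSigner
                    DllStatus     = $dllSig.Status
                    ShadowsSystem = $shadowsSystem
                    Sha256        = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

Find-SideloadCandidates | Format-Table -AutoSize
```

The SHA256 column lets an analyst pivot each flagged DLL into threat intelligence or a sandbox; a DLL that is a legitimate third-party dependency will still appear when its signer differs from the host’s, so treat the output as a triage list rather than a verdict.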


ValleyRAT’s Post-Infection Behavior

Once running, ValleyRAT — built on the Winos4.0 framework — performs a range of stealthy operations:

Defense Evasion

  • PowerShell commands disable Windows Defender for its own directory
  • Scheduled tasks named Batteries ensure persistence
  • Creates exclusions so Defender ignores its files and processes

Persistence Mechanisms

  • Writes configuration to HKCU\SOFTWARE\IpDates_info
  • Stores encrypted settings in console registry keys
  • Refreshes its own files to avoid static detection

C2 Communication

  • Connects to C2 server at 161.248.87.250:443
  • Uses a custom binary protocol over port 443 to blend in with normal HTTPS traffic
  • Transmits telemetry and receives command instructions

Indicators of Compromise (IOCs)

Matching Domains / Hosts:

  • huoronga[.]com — fake download site
  • Redirector: hndqiuebgibuiwqdhr[.]cyou
  • Payload host: Cloudflare R2 bucket
  • C2 IP: 161.248.87.250

Registry & Persistence Artifacts:

  • Scheduled task: Batteries
  • Directory: %APPDATA%\trvePath\
  • Registry key: HKCU\SOFTWARE\IpDates_info

Technical Takeaways & Mitigations

Lessons for Security Teams

  • Typosquatting remains effective: Attackers prefer domain mimicry when distributing malware.
  • Legitimate frameworks are misused: NSIS installers and PCI-trusted hosting (Cloudflare) increase trust.
  • Behavioral analysis matters: Defense tools must detect post-execution behaviors, not just file signatures.

Best Practices

  1. Always verify software download URLs manually.
  2. Monitor Defender preferences for unauthorized exclusion rules.
  3. Employ endpoint detection with behavioral analysis to detect DLL sideloading and persistence artifacts.
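The following PowerShell hunt is an added example, not the report’s own tooling: it checks a single Windows host for the IOCs listed above (the Batteries task, the IpDates_info registry key, the trvePath directory, cached lookups of the lure and redirector domains, live connections to the C2 address) and for Defender exclusions that are not on an approved list, as Best Practice 2 recommends. Invoke-ValleyRatHunt and $ApprovedExclusions are my names, and the allowlist is a placeholder to be replaced with your organisation’s sanctioned exclusions.

```powershell
# Added example (not from the original report): hunt one host for the IOCs in
# this write-up and for Defender exclusions missing from an approved list.
# Run elevated; the HKCU check covers the current user's hive only.
function Invoke-ValleyRatHunt {
    param([string[]]$ApprovedExclusions = @())   # placeholder allowlist
    $findings = @()

    # 1. Defender exclusions: the report says ValleyRAT excludes its own directory
    $prefs = Get-MpPreference
    foreach ($p in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
        if ($p -and ($ApprovedExclusions -notcontains $p)) {
            $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Value = $p }
        }
    }

    # 2. Persistence: scheduled task 'Batteries', registry key, drop directory
    $task = Get-ScheduledTask -TaskName 'Batteries' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Check = 'ScheduledTask'; Value = "Batteries -> $actions" }
    }
    if (Test-Path 'HKCU:\SOFTWARE\IpDates_info') {
        $findings += [pscustomobject]@{ Check = 'RegistryKey'; Value = 'HKCU\SOFTWARE\IpDates_info' }
    }
    $dropDir = Join-Path $env:APPDATA 'trvePath'
    if (Test-Path $dropDir) {
        $findings += [pscustomobject]@{ Check = 'DropDirectory'; Value = $dropDir }
    }

    # 3. Network: cached lookups of the lure/redirector domains, live C2 sessions
    foreach ($d in 'huoronga.com', 'hndqiuebgibuiwqdhr.cyou') {
        if (Get-DnsClientCache -Entry $d -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Check = 'DnsCache'; Value = $d }
        }
    }
    $conns = Get-NetTCPConnection -RemoteAddress '161.248.87.250' -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check = 'C2Connection'
            Value = "$($c.RemoteAddress):$($c.RemotePort) PID $($c.OwningProcess) ($($proc.ProcessName))"
        }
    }
    return $findings
}

Invoke-ValleyRatHunt | Format-Table -AutoSize
```

An empty result means none of these specific artifacts were found, not that the host is clean; the report notes the malware refreshes its own files, so pair this with behavioral EDR telemetry rather than relying on the static indicators alone.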

Conclusion

This campaign highlights a sobering reality: attackers can weaponize trust — especially when the bait is a security product itself. ValleyRAT’s sophisticated use of trojanized installers, DLL sideloading, persistence artifacts, and deceptive infrastructure serves as a rich case study in modern malware distribution.

If users hunt for an antivirus product, they should default to verified official domains, scrutinize download sources, and rely on layered threat detection approaches that go beyond static signatures.