Date: 07/07/2026
Severity: High
Summary
Researchers identified a social engineering campaign impersonating the Indian Income Tax Department to deliver the ValleyRat Remote Access Trojan (RAT) through a multi-stage infection chain involving a malicious VHDX, DLL SideLoading, and encrypted in-memory payload execution. The malware employs advanced defense-evasion techniques, including runtime string decryption, API hashing, process injection, and registry persistence, while dynamically downloading additional encrypted modules from its C2 server to extend functionality. The campaign highlights the increasing use of government-themed phishing, layered malware delivery, and fileless execution to evade detection and establish persistent remote access to compromised systems.
Indicators of Compromise (IOC) List
Domain/URLs | kjfuwyce.love |
IP Address | 103.97.131.179 |
Hash | 94e6207758ec4271b1f0a08be1b8d3eb
05c6e04d7feec7ba9c19c6a276c58560
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "kjfuwyce.love" or url like "kjfuwyce.love" or siteurl like "kjfuwyce.love" |
Detection Query 2 : | dstipaddress IN ("103.97.131.179") or srcipaddress IN ("103.97.131.179") |
Detection Query 3 : | md5hash IN ("05c6e04d7feec7ba9c19c6a276c58560","94e6207758ec4271b1f0a08be1b8d3eb")
|
Reference:
https://cyberarmor.tech/blog/china-nexus-apt-india-tax-assessment-dll-hijacking