SilverFox APT Campaign Targeting Chinese-Speaking Users via Trojanized WPS Office Installer
Dec 28, 2025
Executive Summary
An investigation identified a multi-stage malware campaign delivered via a spoofed WPS Office distribution website, designed to impersonate the legitimate Chinese-language WPS Office portal. The website, presented in Simplified Chinese and reinforced with supporting blog content, was used to distribute a malicious MSI installer to unsuspecting users, strongly suggesting a social engineering–driven initial access vector.
Upon execution, the MSI initiates a highly structured, layered infection chain comprising multiple AutoHotkey-based loaders, shellcode stages hidden within UUID-formatted text files, and progressively more capable native payloads. The infection flow demonstrates a deliberate emphasis on stealth, evasion, and resilience, leveraging techniques such as junk data padding, UPX packing, process masquerading, UAC bypass via auto-elevated COM objects, Early Bird APC injection, and living-off-the-land binaries (LOLBins).
User deception is reinforced through the execution of a decoy installer, branded as a legitimate third-party application, while malicious activity proceeds silently in the background. Persistence is established via the creation of a high-privilege scheduled task configured to execute on user logon, ensuring long-term access.
The final stage of the infection chain deploys ValleyRAT, a modular remote access trojan with a flexible configuration system and plugin-based architecture. In this observed sample, ValleyRAT was configured primarily for command-and-control communication, with advanced features such as keylogging, remote shell access, and file transfer deliberately disabled, indicating a staged or selective operational posture. The malware supports dynamic C2 reconfiguration via the Windows registry, allowing operators to rotate infrastructure without redeploying binaries.
Downloaded plugins are persisted in the registry and injected into legitimate, signed Microsoft processes (e.g., tracerpt.exe) using process hollowing, further reducing detection likelihood and blending malicious execution into normal system activity.
Based on infrastructure usage, tooling overlap, tradecraft maturity, and targeting patterns, this activity is assessed with moderate to high confidence to be associated with the SilverFox APT group, which is known for targeting Chinese-speaking users, abusing legitimate software branding, and employing multi-stage loader frameworks to deploy custom RAT families.
Overall, this campaign reflects a well-resourced and operationally disciplined threat actor, capable of maintaining persistent access, dynamically adapting command-and-control infrastructure, and selectively enabling capabilities based on mission requirements.
Infection Chain

Key Findings
Targeted Initial Access
A spoofed WPS Office download website delivered a malicious MSI installer.
The site was presented in Simplified Chinese and included blog content to reinforce legitimacy.
This targeting strongly suggests a focus on Chinese-speaking users.
Multi-Stage Infection Chain
Infection progressed through seven distinct stages, combining MSI execution, script-based loaders, native binaries, and shellcode.
AutoHotkey-compiled executables were heavily used for loader and orchestration logic.
Multiple stages relied on UUID-encoded shellcode stored in text files to evade static detection.
Stealth and Evasion Techniques
Shellcode execution consistently leveraged Early Bird APC injection, executing payloads before normal process startup.
Payloads were obfuscated using junk data padding, UPX packing, and manual PE reconstruction techniques.
Process masquerading was employed to impersonate legitimate Windows binaries.
Long sleep intervals were introduced to evade sandbox and behavioral analysis.
User Deception and Distraction
A decoy NSIS installer (app.exe) was executed to provide visible user activity.
The decoy performed no meaningful installation and served solely as a distraction.
Privilege Escalation and Execution Control
The malware attempted UAC bypass using auto-elevated COM objects.
Elevated execution was used to launch subsequent payloads silently and with higher privileges.
Persistence Mechanism
Persistence was established via a scheduled task named VIP.
The task executes Win.exe on user logon with highest privileges.
Legitimate schtasks.exe was copied and abused to evade basic detection controls.
Command-and-Control Infrastructure
Network communication was implemented using the WinHttp API.
Multiple fallback C2 endpoints were configured to improve resilience.
During analysis, only 206.119.191.107 was reachable.
Final Payload: ValleyRAT
The final stage deployed ValleyRAT, a modular remote access trojan.
ValleyRAT supports multi-tier C2, dynamic reconfiguration via the registry, and plugin-based capability expansion.
In this sample, advanced features (keylogging, remote shell, file transfer) were present but disabled, indicating controlled or staged usage.
Living-off-the-Land and Process Injection
Malicious plugins were injected into legitimate Microsoft-signed binaries (e.g., tracerpt.exe).
Process hollowing was used to blend execution into trusted processes.
Attribution Assessment
Targeting, language artifacts, delivery method, and malware family align with SilverFox APT tradecraft.
The campaign demonstrates high operational maturity and deliberate infrastructure management.
Technical Analysis
Stage 0: Impersonation site

An impersonation website posing as the official WPS Office distribution portal was identified as serving a malicious MSI file upon user interaction. The website interface is presented in Simplified Chinese, consistent with the branding of WPS Office’s official Chinese-language site.

Additionally, the site includes blog pages to further reinforce its perceived legitimacy.
Stage 1: GWMeqk-itstos-2.35.msi
The MSI contains two executable files, three text files, and three AutoHotkey (AHK) scripts.
During installation, these files are written to the directory C:\Users\Public\Us, a publicly accessible path commonly abused by malware to avoid permission restrictions.

Analysis of the CustomAction table reveals a custom action named LaunchFile.
The command viewer.exe /DontWait /HideWindow cmd /C start C:\Users\Public\Us\Win1.exe launches a hidden command prompt and executes Win1.exe without waiting for completion, allowing the malicious payload to run silently in the background while the installer continues.
All embedded files were extracted from the MSI for further examination.
Stage 2: Win1.exe
Initial triage of Win1.exe using Detect It Easy and supporting tools identified it as an AutoHotkey-compiled executable, built using AutoHotkey version 2.0.19.

Research into AutoHotkey compiled executables indicates that such binaries typically load and execute an AutoHotkey script from the current working directory when a script with the same base name as the executable is present. In this case, Win1.exe loads win1.ahk.
AutoHotKey Script Analysis
The script initially launches app.exe, which functions as a decoy installer to provide visible activity to the user.
The script then copies itself to the same directory under different filenames (win.exe and shell.exe), likely to trigger execution of corresponding scripts (win.ahk and shell.ahk) and establish redundancy or staged execution.
Next, the script decodes and retrieves an embedded payload from the file uuid1.txt.
After decoding, the script injects and executes the resulting shellcode in a remote process.

Inspection of uuid1.txt shows that it contains a large number of seemingly legitimate UUID strings, likely intended to evade detection by appearing benign.

The decoding routine (DecodeUUIDFromFile) reads the contents of the file and concatenates all UUIDs into a single continuous string; the hyphens (-) of the UUID format are removed, leaving a long hexadecimal string.
This hexadecimal string is then converted into raw binary data, which is the embedded shellcode payload.

The InjectAndExecute function takes the decoded shellcode as input and performs process injection. It creates a WmiPrvSE.exe process in a suspended state, preventing execution before injection is complete. Memory is allocated within the target process using VirtualAllocEx, and the shellcode is written into the allocated region using WriteProcessMemory. The script then uses QueueUserAPC to queue the shellcode for execution and resumes the process. This technique aligns with Early Bird APC injection, where the APC is queued before the target process begins normal execution, improving stealth and evasion.

A PowerShell script was created to replicate the UUID decoding logic, dumping the decoded shellcode to disk instead of performing Early Bird injection, allowing safer offline analysis.
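The following is an added analysis helper, written here in Python rather than PowerShell; it is not the campaign's AutoHotkey code and not the PowerShell script mentioned above. It implements the same decoding steps described for DecodeUUIDFromFile (join every UUID in file order, drop the hyphens, hex-decode the result) and writes the output to disk instead of executing it. The two UUIDs in SAMPLE_TEXT are constructed test data, not the contents of the real uuid1.txt.

```python
"""Decode a UUID-formatted payload carrier such as uuid1.txt into raw bytes.

Added analysis helper (not the campaign's AutoHotkey code and not the PowerShell
script mentioned in the write-up). It mirrors the described DecodeUUIDFromFile
logic: join every UUID in file order, drop the hyphens, hex-decode the result.
Nothing is executed; the output is written to disk for offline inspection.
"""
import re
import sys
from pathlib import Path

# Standard 8-4-4-4-12 UUID layout; case-insensitive so upper-case carriers decode too.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def decode_uuid_text(text: str) -> bytes:
    """Return the bytes carried by all UUID strings in `text`, in file order.

    Anything that is not a UUID (blank lines, comments, filler words) is ignored,
    matching the described routine, which only concatenates the UUIDs themselves.
    """
    uuids = UUID_RE.findall(text)
    if not uuids:
        raise ValueError("no UUID strings found in input")
    hexstr = "".join(u.replace("-", "") for u in uuids)
    return bytes.fromhex(hexstr)


def decode_uuid_file(src: str, dst: str) -> int:
    """Decode `src` and write the raw payload to `dst`; return the byte count."""
    payload = decode_uuid_text(Path(src).read_text(encoding="utf-8", errors="ignore"))
    Path(dst).write_bytes(payload)
    return len(payload)


def classify_payload(payload: bytes) -> str:
    """Rough label for the decoded blob, useful when triaging several carriers."""
    if payload[:2] == b"MZ":
        return "pe-at-offset-0"
    if b"MZ" in payload:
        return "pe-after-padding"   # the junk-padded layout seen in later stages
    return "raw"


# Constructed sample: two UUIDs that encode a readable 32-byte test string.
# These are NOT the UUIDs from the real uuid1.txt.
SAMPLE_TEXT = """\
# constructed carrier file
636f6e73-7472-7563-7465-642d74657374
2d706179-6c6f-6164-2d62-797465732121
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        n = decode_uuid_file(sys.argv[1], sys.argv[2])
        print(f"wrote {n} bytes to {sys.argv[2]}")
    else:
        print(decode_uuid_text(SAMPLE_TEXT))
```

Run as `python decode_uuids.py uuid1.txt uuid1.bin` to dump the payload; `classify_payload` tells you immediately whether the blob starts with an MZ header or, as with the later stages in this chain, carries padding in front of it.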
app.exe – Decoy Installer Analysis
Initial triage of app.exe using Detect It Easy identified it as a Nullsoft Scriptable Install System (NSIS) installer. Examination of the installer contents using 7-Zip revealed that the installer performs no meaningful installation activity. The installer only drops a small number of DLL files into a directory and does not execute any legitimate application logic.

The installer is branded as “Meiqia LiveChat Desktop App”, likely chosen to appear legitimate and distract the user.

This behavior confirms that app.exe functions solely as a decoy, presenting visible installation activity while malicious operations are executed silently in the background.
Stage 3: UUID1.exe
Initial analysis of the payload using Detect It Easy identified the binary type as unknown; however, a UPX-packed PE64 region was observed within the file.

Manual inspection of the executable in HxD revealed that the PE header is preceded by a large amount of junk or padding data, likely intended to disrupt automated analysis tools.
To continue analysis, the executable was manually reconstructed by dumping the data from the MZ header through the end of the file into a new binary, which was then unpacked using UPX.
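The manual HxD step above (dump from the MZ header to the end of the file) is the same one needed for UUID3.exe and the downloaded 2.bin later in the chain. The following is an added helper that automates it; it is not the campaign's code. A candidate MZ is accepted only when its e_lfanew field points at a PE signature, so stray MZ byte pairs inside the padding are skipped. The test blob produced by build_sample is constructed here, not bytes from the real samples.

```python
"""Carve a PE image out of a junk-padded blob.

Added analysis helper, not the campaign's code. It reproduces the manual step
described in the write-up (dump from the MZ header to end of file) and applies
to every junk-padded stage mentioned there (UUID1.exe, UUID3.exe, 2.bin).
"""
import struct
import sys
from pathlib import Path

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def find_pe_offset(blob: bytes) -> int:
    """Offset of the first DOS header whose e_lfanew reaches a PE signature, else -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):                        # full DOS header must fit
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0 < e_lfanew < len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_pe(blob: bytes) -> bytes:
    """Return everything from the validated MZ header to the end of the blob."""
    off = find_pe_offset(blob)
    if off < 0:
        raise ValueError("no PE header with a valid e_lfanew found")
    return blob[off:]


def pe_summary(pe: bytes) -> dict:
    """Read a few COFF header fields of a carved image (sections are not parsed)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine, nsections = struct.unpack_from("<HH", pe, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", pe, e_lfanew + 22)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "is_dll": bool(characteristics & 0x2000),          # IMAGE_FILE_DLL
    }


def carve_file(src: str, dst: str) -> dict:
    """Carve `src` into `dst` and return where the image was found plus its summary."""
    blob = Path(src).read_bytes()
    pe = carve_pe(blob)
    Path(dst).write_bytes(pe)
    return {"offset": len(blob) - len(pe), "size": len(pe), **pe_summary(pe)}


def build_sample() -> bytes:
    """Constructed test blob: NOP filler containing a decoy 'MZ', followed by a
    minimal DOS header + PE signature + COFF header of a 3-section x64 image."""
    junk = b"\x90" * 30 + b"MZ" + b"\x00" * 32            # 64 bytes; decoy MZ has no PE behind it
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE header follows the DOS header
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    return junk + bytes(dos) + coff


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(carve_file(sys.argv[1], sys.argv[2]))
    else:
        print(find_pe_offset(build_sample()), pe_summary(carve_pe(build_sample())))
```

After carving, `upx -d carved.exe` recovers the unpacked image when the region is UPX-packed, as it was for this stage; a carved file that UPX refuses to unpack usually means the packer header was also modified and needs to be inspected by hand.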

Static analysis of the executable reveals that it:
Performs process masquerading by modifying the Process Environment Block (PEB) to present itself as explorer.exe.
Initializes COM and attempts to auto-elevate privileges by instantiating an auto-elevated COM object via the Elevation:Administrator!new: moniker.
Attempts a User Account Control (UAC) bypass to obtain Administrator-level execution without user interaction.
Executes the secondary payload C:\Users\Public\Us\Win.exe, potentially with elevated privileges.
Executes the payload silently, without displaying a visible window or prompt.
Cleans up COM objects and terminates after launching the elevated payload.

Stage 4: Win.exe
Analysis of Win.exe shows that it is also a compiled AutoHotkey executable. When executed, Win.exe loads and executes the corresponding Win.ahk script from the same directory. Similar to Win1.ahk, the Win.ahk script decodes shellcode stored in a UUID-formatted text file and performs Early Bird APC injection. Unlike the previous stage, the file path to uuid2.txt is Base64-encoded within the script. The script first decodes the Base64 string to resolve the path to uuid2.txt, then processes the UUID data to reconstruct the shellcode. The decoded shellcode is injected and executed using the same Early Bird injection technique, targeting a newly created suspended process.

Stage 5: UUID2.exe
Retrieves a handle to the current process and attempts to enable the SeDebugPrivilege privilege by calling AdjustTokenPrivileges, allowing interaction with and manipulation of other processes.

Obtains the console window using GetConsoleWindow and immediately hides it via ShowWindow(ConsoleWindow, 0) to remove visible execution artifacts.

Performs process masquerading by altering the process identity to resemble legitimate Windows binaries, including:
rundll32.exe
wermgr.exe
dllhost.exe
calc.exe

Executes the secondary payload Shell.exe, continuing the next stage of execution.
Enters a prolonged sleep state (0x112A880 milliseconds, i.e. 18,000,000 ms or roughly five hours), likely to evade behavioral detection and delay analysis.

Stage 6: Shell.exe
Shell.exe is also a compiled AutoHotkey executable and, as in the previous stages, executes the accompanying shell.ahk script.
The shell.ahk script has the same functionality as win.ahk, except that the path it uses is that of uuid3.txt.

Stage 7: UUID3.exe
Analysis of UUID3.exe revealed the presence of junk or padding data at the beginning of the file, consistent with previous stages. After removing the junk data and unpacking the embedded payload using UPX, a clean executable was obtained for further analysis.

Upon execution, the binary copies the legitimate schtasks.exe utility to C:\Users\Public\Us\Jh.exe, constructs a command line that uses the copied Jh.exe (schtasks.exe) to create a scheduled task, and executes the binary with that command line.
The scheduled task, named VIP, executes C:\Users\Public\Us\Win.exe whenever a user logs in, runs with highest privileges, and overwrites any existing task with the same name.
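The persistence step above leaves clear traces in process-creation telemetry: a binary whose embedded original file name is schtasks.exe but whose image name is not, and a logon-triggered, highest-privilege task whose target sits in a user-writable directory. The following is an added detection example, not part of the original write-up. Events are modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine); the sample events are constructed, and the Jh.exe command line approximates the behaviour described (task VIP, on logon, highest privileges, overwrite) rather than being copied from the sample.

```python
"""Flag scheduled-task persistence of the kind described in the write-up in
process-creation telemetry. Added detection example, not part of the original
analysis; sample events are constructed.
"""
import re
from typing import Dict, List, Tuple

# Directory markers a logon task's target should not normally live under.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "c:\\programdata\\", "\\temp\\", "\\downloads\\")


def _tr_target(cmdline: str) -> str:
    """Extract the /tr (task run) argument, quoted or bare, lower-cased; '' if absent."""
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event matches (empty list = nothing flagged)."""
    hits = []
    image = event.get("Image", "").lower()
    image_name = image.rsplit("\\", 1)[-1]
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()

    # Rule 1: a copy of schtasks.exe running under another name (Jh.exe in this chain).
    if original == "schtasks.exe" and image_name != "schtasks.exe":
        hits.append("renamed_schtasks")

    # Rule 2: logon-triggered, highest-privilege task whose target lives in a
    # user-writable directory (/f, when present, silently replaces an existing task).
    if "/create" in cmd_l and re.search(r"/sc\s+onlogon", cmd_l) and re.search(r"/rl\s+highest", cmd_l):
        target = _tr_target(cmd)
        if any(marker in target for marker in USER_WRITABLE):
            hits.append("logon_task_user_writable_target")

    # Rule 3: anything executing from C:\Users\Public, the staging directory of this chain.
    if image.startswith("c:\\users\\public\\"):
        hits.append("exec_from_users_public")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, hits) for every event that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {   # benign: system schtasks creating a vendor updater task under Program Files
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe" /sc daily /st 12:00',
    },
    {   # approximation of the Stage 7 behaviour: renamed schtasks copy creating logon task VIP
        "Image": r"C:\Users\Public\Us\Jh.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r"C:\Users\Public\Us\Jh.exe /create /tn VIP /tr C:\Users\Public\Us\Win.exe /sc onlogon /rl highest /f",
    },
    {   # benign unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
    },
    {   # suspicious but not renamed: genuine schtasks pointing a logon task at AppData
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /tn Sync /tr "C:\Users\alice\AppData\Roaming\sync.exe" /sc onlogon /rl highest',
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], hits)
```

Rule 1 depends on OriginalFileName, which Sysmon reads from the version resource; it survives the file copy to Jh.exe, which is exactly why renaming a LOLBin does not hide it from this check. Rule 2 on its own is noisier (legitimate updaters sometimes register logon tasks from AppData), so in practice it is the combination with Rule 1 or Rule 3 that merits an alert.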

Obtains the console window using GetConsoleWindow and immediately hides it via ShowWindow(ConsoleWindow, 0) to remove visible execution artifacts.

Network communication is implemented using the WinHttp API to connect to a command-and-control (C2) server.


This communication channel is used to download the next-stage payload; the malware references multiple URLs for payload retrieval. During analysis, only 206.119.191.107 was reachable, while the remaining URLs were offline.

After retrieving the payload, the malware creates a new process and performs Early Bird APC injection.

Initial file type inspection of the retrieved payload identifies it as an unknown BIN file.

By dumping the data starting from the MZ header and removing the preceding junk data, the final executable payload is successfully reconstructed.

Stage 8: 2.bin
A preliminary assessment using VirusTotal indicates that the analyzed sample is associated with the ValleyRAT malware family.

ValleyRAT initializes a structured and flexible configuration management subsystem during execution. The configuration parameters extracted during analysis are outlined below.
p1:, p2:, p3: - Three-tier C2 server addresses
o1:, o2:, o3: - Corresponding port numbers for each C2 tier
t1:, t2:, t3: - Connection type flags (1 = HTTP/HTTPS, 0 = raw TCP socket)
dd: - Initial sleep delay (seconds) before first C2 contact
cl: - Callback interval (seconds) between beaconing attempts
bz: - Backup C2 address
Other feature flags (shown in the configuration image) control the keylogger, remote shell, full backdoor mode, download/file transfer capability, and additional features.

In this sample, keylogging, remote shell, full backdoor mode, file transfer, and additional features were disabled; the configuration enabled only outbound C2 communication to the specified IP address and ports.
ValleyRAT then queries the Windows registry for updated C2 infrastructure. If the registry value exists and exceeds 10 bytes, ValleyRAT completely replaces its embedded configuration and re-parses only the critical C2 parameters (p1 through t3). This allows operators to push updated C2 addresses without deploying new binaries or regaining code execution.
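To make the configuration scheme above concrete for anyone writing a config extractor, the following is an added model of the parameters and of the registry override rule (value present and longer than 10 bytes, re-parse p1 through t3 only). It is not code from the sample. The one-entry-per-line key:value serialisation is an assumption, since the write-up lists the keys but not the record separator; the addresses and values in EMBEDDED, REG_SHORT and REG_ROTATE are constructed (RFC 5737 documentation ranges), not the campaign's infrastructure.

```python
"""Model of the ValleyRAT configuration handling described in the write-up.

Added example, not code from the sample. Serialisation format (one 'key:value'
per line) and all sample values are assumptions/constructed.
"""
from typing import Dict, List, Optional, Tuple

C2_KEYS = ("p1", "p2", "p3", "o1", "o2", "o3", "t1", "t2", "t3")   # "p1 through t3"
MIN_OVERRIDE_LEN = 10   # a registry value must exceed this many bytes to be honoured


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key:value' entries (assumed one per line) into a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def c2_tiers(cfg: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """(host, port, transport) per configured tier; t=1 -> HTTP/HTTPS, 0 -> raw TCP.

    The bz backup address is appended last with port 0, since the write-up gives
    it no port or type field of its own.
    """
    tiers = []
    for n in ("1", "2", "3"):
        host = cfg.get("p" + n, "")
        if not host:
            continue
        port = int(cfg.get("o" + n, "0") or 0)
        transport = "http" if cfg.get("t" + n, "0") == "1" else "tcp"
        tiers.append((host, port, transport))
    if cfg.get("bz"):
        tiers.append((cfg["bz"], 0, "backup"))
    return tiers


def apply_registry_override(embedded: str, reg_value: Optional[bytes]) -> Dict[str, str]:
    """Effective config after the registry check described in the write-up.

    Assumption: keys outside p1..t3 keep their embedded values because only the
    C2 parameters are re-parsed; a missing or too-short registry value changes nothing.
    """
    cfg = parse_config(embedded)
    if reg_value is None or len(reg_value) <= MIN_OVERRIDE_LEN:
        return cfg
    pushed = parse_config(reg_value.decode("utf-8", errors="ignore"))
    for key in C2_KEYS:
        if key in pushed:
            cfg[key] = pushed[key]
    return cfg


def beacon_timing(cfg: Dict[str, str]) -> Tuple[int, int]:
    """(initial delay, callback interval) in seconds, from dd and cl."""
    return int(cfg.get("dd", "0")), int(cfg.get("cl", "0"))


# Constructed embedded configuration (documentation addresses, not real C2).
EMBEDDED = """\
p1:192.0.2.10
p2:192.0.2.11
p3:198.51.100.5
o1:443
o2:8443
o3:9999
t1:1
t2:1
t3:0
dd:30
cl:60
bz:203.0.113.9
"""

# Constructed registry values: one too short to be honoured, one that rotates tier 1.
REG_SHORT = b"p1:x"
REG_ROTATE = b"p1:203.0.113.77\no1:8080\nt1:0\ndd:9999\n"

if __name__ == "__main__":
    print(c2_tiers(parse_config(EMBEDDED)))
    print(c2_tiers(apply_registry_override(EMBEDDED, REG_ROTATE)))
```

The detection angle follows directly from the override rule: a beacon interval or sleep delay recovered from the binary stays valid, but the destination may not, so hunting should take the effective C2 list from the registry value as well as from the embedded blob.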

After the configuration is loaded, ValleyRAT spawns its payload thread (StartAddress), which loops through the configured C2 addresses attempting to connect to any of them.
ValleyRAT implements a modular plugin architecture that enables dynamic capabilities. The malware stores downloaded plugins in the registry under HKCU\Console\0\d33f351a4aeea5e608853d1a56661059. The plugin manager operates in two modes: it either receives modules from the C2 server, allocates executable memory with PAGE_EXECUTE_READWRITE permissions, and persists the 2628-byte configuration plus payload code to the registry as REG_BINARY data, or it retrieves previously stored plugins from the registry, validates them against a hardcoded signature, and spawns execution threads.

After downloading plugins from the C2 server, ValleyRAT injects them into tracerpt.exe, a legitimate signed Microsoft utility, using process hollowing. The malware creates the process in a suspended state, injects the plugin code into its memory, and redirects execution to the malicious payload.

IOC
GWMeqk-itstos-2.35.msi
918448e18b6fc75001634e154dabfe9d07aceac93ec997e833c592b31350b248
uuid1.exe
410da35431251104deef8904eeca03b571ecbb2ec1f9a9a7aa06efcb57fcc75
uuid2.exe
d9fde6beb073826424874481de6c2db4fbab3cfad77b33d9a87a9c6edcdee3
uuid3.exe
84a7927ed5da117b75d8403f44204bda4b683c3885cc7ff274c99bcc422cf6b
Shell.ahk
21e4f79c4210fa3794a2da491c6705cf11d1a18ffd0f78f4fdec190d2fb02559
uuid1.txt
438e460ab17255a343c3eb3c49cc0f9658f0797cc1c4d71b42ffd0db2551a45
uuid2.txt
ef3566fff9fa73f17aa4de33bf491215ecdfb9e9437aca6b9a3eebf17fb8159a
uuid3.txt
c4e671b26e731889c82755cb96dd7f455840eb148a01ed86d30077e00c410aef
Win.ahk
a67d9fe3d52785c2fa452d0b1b61545621f8dc99829ef568b65d6e3ebc7d2c66
Win1.ahk
b586afb25147a39f4f5899d6d42dd046d33a73dbce93a02200a7189c475a830
Win1.exe
3880f9ec464dfe78c16dbb8d9f30560227154c292280337346a30c8fd92871fe
APP.exe
a5d2071511e044ef3ac28a3742dcd04a9773d27f7132aba71b3eaa7920e1b836
2-fix.bin
1496bd4968d087f0b85ade7167c1103cc1a29bb02f3d783fbb60334eb1b78a79
2.bin
117c85c0532e7bfb1d984b7f0082a885dc89122d199ef79905aeed4c3c9e334d
C2 Server and Ports
Impersonation site
https[:]//on-wps.com
Download Url
http[:]//206.119.191.107/2.bin