Multiple email phishing campaigns targeting Chinese-language speakers have emerged, distributing a range of malware, including Sainbox RAT, Purple Fox, and a new trojan named ValleyRAT, according to a report by enterprise security firm Proofpoint.
These campaigns are marked by Chinese-language lures and the use of malware often associated with Chinese cybercrime activities. The observed activity, which started in early 2023, involves sending emails containing URLs that lead to compressed executables responsible for installing the malware. Additionally, some infection chains leverage Microsoft Excel and PDF attachments embedding these URLs to initiate malicious activity.
What distinguishes these campaigns is their variation in infrastructure, sender domains, email content, targeting, and payloads, suggesting the involvement of different threat clusters. Since the beginning of 2023, more than 30 such campaigns have been identified. Notably, at least 20 of these campaigns, beginning in April 2023, have been delivering Sainbox, a variant of the Gh0st RAT trojan.
Furthermore, Proofpoint detected three other campaigns distributing the Purple Fox malware and six additional campaigns spreading ValleyRAT, a new trojan that surfaced in March 2023. ValleyRAT, initially documented by Chinese cybersecurity firm Qi An Xin in February 2023, possesses functionalities typical of remote access trojans, such as fetching and executing additional payloads and enumerating running processes.
The emergence of ValleyRAT suggests a potentially widespread deployment of this trojan in future cyber campaigns. Proofpoint speculates that the surge in Chinese-language malware activity may signify an expansion of the Chinese malware ecosystem.
This expansion could result from increased access to payloads and target lists or heightened activity by Chinese-speaking cybercriminal operators. It underscores the evolving threat landscape and highlights the need for robust cybersecurity measures, especially for Chinese-speaking users who are being actively targeted.
