Executive Summary
Recently, during malware hunting featured in CyberArmor's Malware Research Diary on YouTube (https://www.youtube.com/watch?v=Y0HARQ0faSg), we identified a targeted phishing campaign against cvcnetworkindia.com that used an Indian Income Tax Department theme to deliver the ValleyRat remote access trojan (RAT). The campaign employed a multi-stage infection chain designed to evade detection by combining social engineering, virtual disk images (VHDX), DLL search order hijacking, encrypted payloads, and in-memory execution.
The attack began with a spear-phishing email containing a PDF attachment named 2026-0624-03.pdf. Rather than embedding malware directly, the PDF redirected victims to a fraudulent website hxxps://kjfuwyce[.]love/, impersonating the Indian Income Tax Department. The website presented a fake tax assessment notice and instructed victims to download Tax_Assessment-T.zip.
The ZIP archive contained a Tax_Assessment-T.vhdx virtual hard disk. When mounted, the VHDX exposed three files: Tax_Assessment.exe, event.dll, and event_original.dll. The attackers abused Windows' DLL search order by causing Tax_Assessment.exe to load the malicious event.dll before the legitimate library, achieving code execution while preserving normal application behavior.
Analysis of the loader revealed multiple defense-evasion techniques, including runtime string decryption, API hashing, custom payload decryption, native Windows API usage, process injection, and registry-based persistence. The loader extracts an encrypted payload embedded within the executable, decrypts it using a custom RC4-like algorithm, injects it into a newly created process, and executes the payload entirely in memory. Subsequent analysis showed the malware communicates with its command-and-control (C2) server to retrieve additional encrypted modules, which are decrypted and executed dynamically in memory, enabling the threat actor to extend the malware's capabilities after initial compromise.
The malware ultimately deploys ValleyRat, a remote access trojan capable of establishing persistent remote control over the compromised system. The modular architecture allows operators to deliver additional functionality on demand while minimizing the on-disk footprint and reducing opportunities for detection.
This campaign demonstrates the continued evolution of advanced phishing operations through the use of trusted government impersonation, layered malware delivery, and sophisticated loader techniques. The combination of VHDX containers, DLL hijacking, encrypted in-memory payloads, and dynamically downloaded modules presents significant challenges for traditional signature-based security controls. Organizations should strengthen defenses by monitoring virtual disk mounting activity, detecting DLL search order hijacking, inspecting suspicious PDF-to-download workflows, and implementing behavioral detection capable of identifying process injection and in-memory execution. Figure 1 provides an overview of the attack chain, illustrating the multi-stage infection process from the initial spear-phishing email to the deployment of the ValleyRat malware.

Figure 1: China-Nexus APT Campaign Targeting India Through a Tax Assessment-Themed DLL Hijacking Attack Delivering ValleyRat
Initial Access
The attack began with a targeted spear-phishing email sent to cvcnetworkindia.com. Rather than delivering malware directly as an attachment, the threat actor used a staged delivery technique designed to reduce detection and increase the likelihood of user interaction. Figure 2 shows the phishing email used to initiate the attack, including the malicious PDF attachment 2026-0624-03.pdf that served as the initial lure.

Figure 2: Email Campaign
The phishing email contained a PDF attachment named 2026-0624-03.pdf, which appeared to reference a tax assessment. The PDF has the following properties.
Filename: 2026-0624-03.pdf
MD5: 0dbf8ae2a592160fbd3828a60fb3a777
SHA-1: 80b2fb907aa8a43ec9ee8c99c8144dbf41755817
SHA-256: 6190c046934725723a2b5f58de881f517fc2bf6308c1acde9aacd60dc39a0620
Malicious PDF Analysis
The phishing email included a PDF attachment named 2026-0624-03.pdf, which served as the first stage of the infection chain. Rather than containing an exploit or embedded malware, the document functioned as a social engineering lure by directing the victim to an external website. Figure 3 shows the PDF page.

Figure 3: Tax Violation And Penalty Notification
Analysis of the PDF identified an embedded URL pointing to hxxps://kjfuwyce[.]love/, a fraudulent website impersonating the Indian Income Tax Department. By separating the initial lure from the malware payload, the threat actor reduced the likelihood of detection by email security gateways and attachment-scanning solutions while encouraging victims to continue through the staged infection process.
Fake Income Tax Department Website
The embedded URL directed victims to hxxps://kjfuwyce[.]love/, a website designed to impersonate the Indian Income Tax Department. The page displayed a convincing tax assessment notice and instructed visitors to download supporting documents related to the alleged assessment. Figure 4 shows the fake Income Tax Department website used to deliver the malware.

Figure 4: Fake Income Tax Department
When the user clicks Download Documents, the website downloads a ZIP archive named Tax_Assessment-T.zip, which contains the next stage of the malware delivery chain. The ZIP file has the following properties.
Filename: Tax_Assessment-T.zip
MD5: 3251a89ef1e2c3cad8abc643de2bc6d0
SHA-1: a58fd0cb6f881b55e0b4b1ca9a93149bba1f3cef
SHA-256: 82c0617cd6d88d1d2a56051aff61614dc1679dae6026b1f26924aff1c973b168
File Type: Zip
The downloaded ZIP archive contains a Windows virtual hard disk image named Tax_Assessment-T.vhdx. When the victim opens the VHDX file, Windows automatically mounts it as a virtual drive, exposing its contents, including Tax_Assessment.exe. This technique allows the threat actor to deliver the malware within a virtual disk image rather than as a standalone executable, helping evade some email and endpoint security controls.
Figures 5 and 6 show the contents of the ZIP archive and the mounted VHDX drive, respectively.

Figure 5: Tax_Assessment-T.zip content

Figure 6: VHDX mapped Drive
The mounted VHDX contains the following files:
Filename: Tax_Assessment.exe
MD5: 8dbc110f44453ffb8a556304da864f7c
SHA-1: 151ad8f9e8287ae17f43ece1f3c535c2230dd2a6
SHA-256: 5cfd4fc33b455e1e413d83d6080c3e61334410e98b435d2de72308ad2d6354e3
Filename: event.dll (Malicious)
MD5: 94e6207758ec4271b1f0a08be1b8d3eb
SHA-1: fa5c79f8d8dfe3dc4e1f7db1d4c36617fb5e727c
SHA-256: 2e752d811b05e118880d9a47830e4db38ba14594c7cf69a440ce7bca86bca890
Filename: event_original.dll (legitimate)
MD5: adad60aa42f9d89fadce09fa3e1a5caf
SHA-1: 2b55a94f569a15ac86792564994ba3d54965b105
SHA-256: 51980aa30cee8a1ab96e7ba6805f741c43c0db70e4b2df94698815d5e29772e4
DLL Hijacking Infection Chain
When the victim executes Tax_Assessment.exe, the application loads event.dll, a malicious DLL that abuses DLL search order hijacking (DLL sideloading) to gain code execution. After the malicious DLL is loaded, it loads the legitimate event_original.dll and forwards API calls to the original library. This allows the application to continue functioning normally while the malicious code executes in the background, reducing the likelihood of arousing the victim's suspicion. Figure 7 shows the functionality of the malware.

Figure 7: Tax Assessment Execution
The loader incorporates multiple techniques to evade detection, hinder reverse engineering, and execute the final payload entirely in memory.
- Encrypted Strings: All sensitive strings, including API names, registry paths, and configuration data, are encrypted and decrypted at runtime to prevent static analysis.
- Dynamic API Resolution: Rather than importing Windows APIs through the Import Address Table (IAT), the malware dynamically resolves APIs using a custom hashing algorithm, reducing identifiable indicators within the binary.
- Custom RC4-like Payload Decryption: The embedded payload is encrypted using a custom RC4-like algorithm with a modified key scheduling process before being decrypted in memory immediately prior to execution.
- DLL Search Order Hijacking: The malware abuses DLL search order hijacking (DLL sideloading) by replacing event.dll with a malicious version while forwarding legitimate API calls to event_original.dll, allowing the application to operate normally.
- In-Memory Payload Execution: The decrypted payload is never written to disk. Instead, it is decrypted directly in memory and executed, reducing forensic artifacts on the compromised system.
- Low-Level Process Injection: The loader uses native Windows (NT) APIs to allocate memory, write the decrypted payload into a remote process, and transfer execution. This approach bypasses higher-level Windows APIs that are more commonly monitored by security products.
- Embedded Payload Extraction: The malware searches for an encrypted payload appended to the executable, extracts it using a custom marker, and decrypts it during execution.
- Command-and-Control Module Loading: After establishing communication with the command-and-control (C2) server, the malware downloads additional encrypted modules, decrypts them in memory, and executes them without writing the modules to disk.
- Persistence: The malware establishes persistence by copying itself to a local directory and creating a Windows Registry Run key, ensuring execution each time the user logs in.
- Anti-Analysis Techniques: The combination of encrypted strings, API hashing, staged payload decryption, and native API usage significantly complicates static analysis and signature-based detection.
The encrypted payload is appended to the end of Tax_Assessment.exe and is identified by the 8-byte marker DE C0 AD DE C0 AD DE C0. The loader searches for this marker, extracts the encrypted data, and decrypts it using a custom RC4-like algorithm before executing the payload entirely in memory. Figure 8 shows the embedded encrypted payload and the associated marker used to locate it.

Figure 8: Encrypted Payload Embedded In Tax Assessment.exe
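The marker-based overlay carving described above can be reproduced for triage. The following is an added example, not code from the report or from the malware: it locates the end of the last PE section, searches only the overlay for the report's 8-byte marker, and carves out what follows. The minimal PE-shaped file and the blob are constructed test data, and the loader's custom RC4-like key schedule is not reproduced.

```python
import hashlib
import struct
# 8-byte marker that precedes the appended, encrypted payload (from the report).
PAYLOAD_MARKER = bytes.fromhex("DEC0ADDEC0ADDEC0")

def overlay_offset(pe: bytes) -> int:
    """Offset where PE overlay data begins: the end of the last raw section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size        # first IMAGE_SECTION_HEADER
    end = sec_table + 40 * nsec                 # never earlier than the headers
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_appended_payload(pe: bytes, marker: bytes = PAYLOAD_MARKER):
    """Return (marker_offset, encrypted_blob) found in the overlay, or None.
    Searching only past the last section avoids false hits on marker bytes
    that happen to occur inside a mapped section."""
    idx = pe.find(marker, overlay_offset(pe))
    if idx == -1:
        return None
    return idx, pe[idx + len(marker):]

def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped file with one section; not a real binary."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x200
    sec_table = e_lfanew + 24 + opt_size
    hdr = bytearray(raw_ptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x8664, 1)   # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)    # SizeOfOptionalHeader
    hdr[sec_table:sec_table + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec_table + 16, raw_size, raw_ptr)
    # Decoy: the same marker inside .text must not be mistaken for the payload.
    section = (PAYLOAD_MARKER + b"\x90" * raw_size)[:raw_size]
    return bytes(hdr) + section

# Constructed stand-in for the encrypted blob; the real key schedule is not reproduced here.
SAMPLE_BLOB = bytes((i * 37 + 11) & 0xFF for i in range(512))
SAMPLE_FILE = build_sample_pe() + PAYLOAD_MARKER + SAMPLE_BLOB

if __name__ == "__main__":
    off, blob = carve_appended_payload(SAMPLE_FILE)
    print(f"marker at 0x{off:x}, {len(blob)} encrypted bytes, sha256={hashlib.sha256(blob).hexdigest()}")
```

Hashing the carved blob gives a stable indicator for the encrypted stage even when the carrier executable changes.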
After decryption, the embedded payload was identified as the ValleyRat remote access trojan. Analysis of the decrypted shellcode revealed the following characteristics:
MD5: a831ff14316a73946a56b6b92d8c0a7e
SHA-1: f912597dc623d98a9f44dc6583dff17139c058dd
SHA-256: f32b7618e1c4728a4c4c36487c15b3ccd5fa26f96180d17a028157cee44aca2d
The ValleyRat C2 is 103.97.131[.]179 on port 8888.
Persistence
To establish persistence, the malware copies itself to the following location after injecting the ValleyRat shellcode:
%LOCALAPPDATA%\Microsoft\Windows\Explorer\thumbcache_1478r1qx\Tax_Assessment.exe
It then creates a Windows Registry Run key that automatically launches Tax_Assessment.exe each time the user logs in. The following registry key is used to achieve persistence:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_1478
Clean up
After establishing persistence, the malware attempts to remove evidence of the initial infection by ejecting the mounted VHDX using a PowerShell command. This step helps eliminate the mounted virtual drive from Windows Explorer, reducing the likelihood that the victim will notice the malicious files used during the infection process.
The following PowerShell command is executed by the malware to dismount the VHDX:
powershell.exe -w hidden -nop -c "sleep 5;$p=$null;try{$n=(Get-Partition -DriveLetter D -EA 0).DiskNumber;$d=(Get-Disk $n -EA 0).Path;$p=(Get-DiskImage -DevicePath $d -EA 0).ImagePath}catch{};if(!$p){0..5|%{$d=Get-DiskImage -DevicePath ('\\.\CDROM'+$_) -EA 0;if($d -and $d.Attached){try{$v=$d|Get-Volume -EA 0;if($v.DriveLetter -eq 'D'){$p=$d.ImagePath}}catch{}}}};(New-Object -ComObject Shell.Application).Namespace(17).ParseName('D:\').InvokeVerb('Eject');sleep 3;if($p -and (Test-Path $p)){del $p -Force -EA 0}"
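The persistence and clean-up stages above lend themselves to a behavioural hunt. The following is an added example, not code from the report: it evaluates constructed Sysmon-style registry and process-creation events for a Run-key value pointing into a thumbcache_* folder under %LOCALAPPDATA% and for hidden PowerShell that combines Get-DiskImage, an Eject verb and a forced delete. The event field names (TargetObject, Details, Image, CommandLine), the user name and the SID are assumptions.

```python
import re
# Hunt rules derived from the report's persistence and clean-up stages.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
THUMBCACHE_EXE = re.compile(
    r"\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_[^\\]+\\[^\\]+\.exe$", re.I)
PS_EJECT = [re.compile(p, re.I) for p in
            (r"Get-DiskImage", r"InvokeVerb\(\s*'Eject'\s*\)", r"\bdel\b.*-Force")]

def check_registry_event(evt):
    """Run-key value whose target executable sits under a thumbcache_* folder in %LOCALAPPDATA%."""
    key = evt.get("TargetObject", "")
    if RUN_KEY not in key.lower():
        return None
    if THUMBCACHE_EXE.search(evt.get("Details", "")):
        return f"Run-key persistence into thumbcache path: {key}"
    return None

def check_process_event(evt):
    """Hidden PowerShell that resolves a disk image, ejects it and deletes the backing file."""
    if "powershell" not in evt.get("Image", "").lower():
        return None
    cmd = evt.get("CommandLine", "")
    hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I) is not None
    hits = sum(1 for p in PS_EJECT if p.search(cmd))
    if hidden and hits >= 2:
        return f"Hidden PowerShell VHDX eject/clean-up ({hits}/3 indicators)"
    return None

def hunt(events):
    checks = {"RegistryValueSet": check_registry_event, "ProcessCreate": check_process_event}
    return [a for e in events if (a := checks.get(e["Type"], lambda _: None)(e))]

# Constructed Sysmon-style events: paths and value names follow the report; user and SID are made up.
SAMPLE_EVENTS = [
    {"Type": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_1478",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1478r1qx\Tax_Assessment.exe"},
    {"Type": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"sleep 5;$p=(Get-DiskImage -DevicePath $d -EA 0).ImagePath;"
                    "(New-Object -ComObject Shell.Application).Namespace(17).ParseName('D:\\').InvokeVerb('Eject');del $p -Force\""},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Disk"},
]
if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Requiring two of the three PowerShell indicators keeps ordinary disk-management scripts from alerting while still catching the combined eject-and-delete pattern.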
Conclusion
This campaign demonstrates a sophisticated, multi-stage malware delivery chain that combines social engineering with modern defense-evasion techniques to deploy the ValleyRat remote access trojan. By impersonating the Indian Income Tax Department, the threat actor leveraged a trusted government theme to increase the likelihood of user interaction while separating each stage of the infection chain to reduce detection.
The use of a malicious PDF, a fraudulent download portal, a VHDX virtual disk image, DLL search order hijacking, encrypted strings, dynamic API resolution, a custom RC4-like decryption routine, native Windows APIs, and in-memory process injection illustrates a mature malware framework designed to evade both static and behavioral detection.
Based on our analysis, we assess that this activity is associated with a China-nexus advanced persistent threat (APT) group. This assessment is supported by the observed command-and-control (C2) infrastructure hosted in China, the use of the ValleyRat malware family, the staged delivery mechanism, and the tradecraft demonstrated throughout the infection chain. While the use of infrastructure located in China alone is not sufficient for definitive attribution, it contributes to the overall assessment when considered alongside the malware's capabilities and operational techniques.
The modular design of ValleyRat enables operators to retrieve and execute additional encrypted payloads directly from the C2 server, allowing functionality to be extended after the initial compromise while minimizing the malware's on-disk footprint. This flexibility enables the threat actor to adapt operations and deploy additional capabilities as objectives evolve.
This campaign highlights the continued evolution of targeted espionage operations against organizations in the region. Organizations should strengthen their defenses by monitoring for suspicious PDF attachments that redirect to external download sites, VHDX mounting activity, DLL search order hijacking, process injection, and anomalous outbound connections to command-and-control infrastructure. Combining behavioral detection with proactive threat hunting and user awareness training remains critical for identifying and mitigating similar campaigns before significant damage occurs.
For a detailed walkthrough of the malware analysis and reverse engineering process, watch the video below:
From Phishing Email to DLL Hijacking Malware | Threat Hunting & Reverse Engineering Part 1
From Phishing Email to DLL Hijacking Malware | Threat Hunting & Reverse Engineering Part 2
Indicators of Compromise
Domains
kjfuwyce[.]love
Files
94e6207758ec4271b1f0a08be1b8d3eb (event.dll)
05c6e04d7feec7ba9c19c6a276c58560 (Tax Assessment.vhdx)
Network Indicators
103.97.131[.]179