Chinese fintech and cryptocurrency organizations have been subjected to attacks spreading the ValleyRAT backdoor via Windows Scheduled Task exploitation and DLL side-loading as part of the Operation Silk Lure cyberespionage campaign, GBHackers News reports.

Attackers masquerading as job applicants targeted organizations' hiring teams with spear-phishing emails carrying a PDF resume attachment that contained a malicious LNK shortcut file, according to Seqrite Labs researchers. Opening the shortcut runs an executable that side-loads a DLL, establishes persistence through a scheduled task, and finally launches the ValleyRAT malware.

Aside from collecting extensive system information, including CPU details, MAC addresses, and clipboard content, ValleyRAT also checks for VMware and VirtualBox registry keys to detect and evade sandbox environments and disables antivirus software before proceeding with keylogging, screenshot capture, and file transfer.

Organizations have been urged to watch for DNS queries to pan[.]entire[.]com, questionable PowerShell execution flags, and other indicators to detect and contain the threat.
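A defender can turn the two indicators named above into a simple log sweep. The script below is an added example and is not code from the report or from Seqrite Labs: it refangs the published domain, matches DNS query logs against it (including subdomains), and flags PowerShell launches whose command line combines well-known flags such as `-EncodedCommand`, `-ExecutionPolicy Bypass`, `-WindowStyle Hidden` and `-NoProfile`. The report does not enumerate which flags it considers questionable, so that flag list, the two-flag alert threshold, and the log line format are assumptions; the sample log lines are constructed for the example.

```python
"""Sweep constructed DNS and process-creation logs for the Operation Silk Lure
indicators reported by Seqrite Labs (added example, not the vendor's code)."""
import re

# Indicator from the report, kept defanged as published; refanged for matching.
IOC_DOMAINS_DEFANGED = ["pan[.]entire[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator like pan[.]entire[.]com back into a real FQDN."""
    return domain.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# PowerShell switches (long and short forms) that are legitimate on their own
# but are commonly combined by scripted malware launchers. The report does not
# list specific flags, so this set is an assumption of the example.
FLAG_PATTERNS = {
    "EncodedCommand": re.compile(r"(?i)(?<!\S)-(?:enc|encodedcommand|e|ec)(?!\S)"),
    "ExecutionPolicy Bypass": re.compile(r"(?i)(?<!\S)-(?:ep|exec|executionpolicy)\s+bypass(?!\S)"),
    "WindowStyle Hidden": re.compile(r"(?i)(?<!\S)-(?:w|win|windowstyle)\s+hidden(?!\S)"),
    "NoProfile": re.compile(r"(?i)(?<!\S)-(?:nop|noprofile)(?!\S)"),
    "NonInteractive": re.compile(r"(?i)(?<!\S)-(?:noni|noninteractive)(?!\S)"),
}

# Assumed log format for the example: "<timestamp> dns <host> query=<name>"
# and "<timestamp> proc <host> image=<path> cmd=<command line>".
DNS_LINE = re.compile(r"^(?P<ts>\S+) dns (?P<host>\S+) query=(?P<qname>\S+)$")
PROC_LINE = re.compile(r"^(?P<ts>\S+) proc (?P<host>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$")


def suspicious_flags(cmd: str) -> set:
    """Return the suspicious flag names found in a PowerShell command line.

    A lone -NoProfile or -NonInteractive is routine administration, so the
    example alerts only on -EncodedCommand or on two or more flags together
    (threshold chosen for the example, not taken from the report)."""
    hits = {name for name, pat in FLAG_PATTERNS.items() if pat.search(cmd)}
    if "EncodedCommand" in hits or len(hits) >= 2:
        return hits
    return set()


def domain_matches_ioc(qname: str) -> bool:
    """True if the queried name is an IOC domain or one of its subdomains."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def scan(lines):
    """Return (rule, host, detail) tuples for every log line that matches."""
    alerts = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            if domain_matches_ioc(m["qname"]):
                alerts.append(("dns_ioc", m["host"], m["qname"].rstrip(".").lower()))
            continue
        m = PROC_LINE.match(line)
        if m and m["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            flags = suspicious_flags(m["cmd"])
            if flags:
                alerts.append(("ps_flags", m["host"], ",".join(sorted(flags))))
    return alerts


# Constructed sample logs: two hiring-team workstations, one benign admin script.
SAMPLE_LOGS = [
    "2024-01-01T09:00:01Z dns HR-WS01 query=pan.entire.com.",
    "2024-01-01T09:00:02Z dns HR-WS01 query=update.microsoft.com.",
    "2024-01-01T09:00:03Z proc HR-WS01 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmd=powershell.exe -nop -w hidden -ep bypass -c \"<constructed payload>\"",
    "2024-01-01T09:05:00Z proc HR-WS02 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmd=powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1",
    "2024-01-01T09:06:00Z dns HR-WS02 query=cdn.pan.entire.com.",
]

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_LOGS):
        print(f"{rule:9} {host:8} {detail}")
```

Run against the constructed logs, the sweep raises three alerts: the direct query to pan.entire.com, the hidden-window PowerShell launch on the same host, and the subdomain query from the second workstation, while the scheduled inventory script with a lone `-NoProfile` stays quiet. In production the same two rules would be fed from DNS resolver logs and Sysmon or EDR process-creation events rather than from this inline list.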