HiddenGh0st, Winos, and kkRAT trojanized-installer malware activity
Malware Activity
Summary
An SEO poisoning malware operation is using fake software sites to push HiddenGh0st, Winos (ValleyRAT), and kkRAT onto Chinese-speaking users, with delivery chains that abuse lookalike domains, Google search redirects, and GitHub Pages to funnel victims into trojanized installers. The payloads can log keystrokes, manipulate clipboards, steal wallet addresses, and install remote-monitoring tools such as Sunlogin and GotoHTTP. The activity was identified in August 2025, while the kkRAT chain has been active since early May 2025. New reporting also shows Silver Fox turning to India with income tax-themed phishing that delivers ValleyRAT (aka Winos 4.0) through DLL hijacking, a ZIP/NSIS installer, and process injection into `explorer.exe`.
Related Happenings
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
How related:
The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0).
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
AgingFly malware attacks local governments and hospitals in Ukraine
Malware Activity
First: 16.04.2026 00:57
Last: 16.04.2026 00:57
Sources 1
About this happening:
The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
15.09.2025 08:47 3 articles · 8mo ago
Chinese-speaking users targeted by SEO-poisoned malware campaigns
Initial Disclosure: Fortinet and Zscaler described separate malware campaigns targeting Chinese-speaking users, using SEO poisoning, fake software sites, lookalike domains, and GitHub Pages-hosted installer pages to deliver HiddenGh0st, Winos (ValleyRAT), FatalRAT, and kkRAT. The trojanized installers can sideload malicious DLLs, establish persistence, log keystrokes, steal clipboard data, and install remote-monitoring tools such as Sunlogin and GotoHTTP.
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware — thehackernews.com — 30.12.2025 12:46