The highly evasive ValleyRAT malware is infecting users through a sophisticated fake Telegram language pack. The Chinese-nexus threat group known as Silver Fox has escalated its cyberespionage operations, utilizing a complex six-stage infection chain to bypass standard antivirus defenses and gain deep system access. Users seeking to localize their messaging apps are inadvertently downloading this severe threat.
Discovered on MalwareBazaar on April 8, 2026, the malicious MSI file masquerades as a legitimate Chinese language update for the Telegram application. By leveraging an uncommon ZPAQ-based packer and abusing signed binaries from major tech companies, the attackers successfully deploy a kernel-mode rootkit. This allows them to maintain the illusion of a standard software installation while compromising the host machine.
The Six-Stage Infection Chain
The attackers use a meticulously crafted sequence to transition from a benign-looking installer to a fully persistent system compromise. This process is designed to evade detection at every step.
- Archive Extraction: The MSI installer uses VBScript and PowerShell to reconstruct and decrypt hidden archives, invoking the zpaqfranz utility to extract a password-protected inner payload.
- Antivirus Evasion: The script queries Windows Management Instrumentation (WMI) to detect Chinese consumer antivirus processes, such as 360 Safe or Tencent PC Manager.
- Payload Delivery: Depending on the active security software, the malware either drops directly into the Windows directory or initiates a DLL sideloading chain.
- Command and Control: The ValleyRAT payload launches, establishing a connection to its C2 server while loading a Bring Your Own Vulnerable Driver (BYOVD) rootkit.
- Kernel Exploitation: Using a vulnerable Wincor Nixdorf BIOS driver (wnBios.sys), the attackers gain raw physical memory access to disable kernel security features.
- Illusion Maintenance: To avoid suspicion, the installer triggers a legitimate Telegram URI (tg://setlanguage?lang=classic-zh-cn), successfully applying the requested language pack.
Abusing ZPAQ and ByteDance Binaries
Silver Fox strategically avoids common compression tools like 7-Zip or WinRAR, opting instead for the signed zpaqfranz binary. This low-profile tool acts as a Living-off-the-Land Binary (LOLBin), allowing the extraction process to evade endpoint detection rules that monitor standard archive utilities. The use of this specific packer is a calculated move to bypass signature-based detection.
If the system runs specific antivirus software, the malware pivots to abuse a signed ByteDance elevation service (SodaMusicLauncher.exe). By sideloading malicious DLLs into this trusted, allowlisted process, the attackers achieve code execution without triggering alarms. This technique is particularly effective on Chinese-market systems where these applications are inherently trusted.
How to Protect Your Network
Security teams must proactively hunt for these specific Indicators of Compromise (IOCs) to prevent ValleyRAT infections. Defenders should immediately block the active command-and-control infrastructure and monitor for unexpected executions of the zpaqfranz.exe process.
# Block C2 IP Addresses
118.107.43.65
118.107.40.0/21
# Hunt for Suspicious Processes
GjdLUhqZIJJB.exe
SingMusice.exe
DesignAccent.exe
Administrators should also audit their environments for any kernel driver load paths referencing the vulnerable wnBios 1.2.0.0 driver. Implementing strict application control policies can help mitigate the risk of unauthorized DLL sideloading.
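To turn the indicators above into something a SOC can actually run, here is an added example in Python (my own illustration, not code from the report, from Silver Fox tooling or from any vendor). It scans constructed Sysmon-style process-create (ID 1), network-connect (ID 3), driver-load (ID 6) and image-load (ID 7) records for the C2 ranges, the listed process names, the wnBios.sys driver, and the SodaMusicLauncher.exe sideloading pattern described in the previous section. The key=value log format, the file paths, the 118.107.41.77 host, the TEST-NET address and the DLL name are all made up for the example; only the IP ranges, process names, driver name and launcher name come from the report.

```python
import ipaddress
import re

# Indicators quoted from the report above (IPs, process names, driver, sideload host).
C2_NETWORKS = [ipaddress.ip_network(n) for n in ("118.107.43.65/32", "118.107.40.0/21")]
IOC_PROCESSES = {"gjdluhqzijjb.exe", "singmusice.exe", "designaccent.exe", "zpaqfranz.exe"}
VULN_DRIVER = "wnbios.sys"
SIDELOAD_HOSTS = {"sodamusiclauncher.exe"}

# Sysmon event IDs used below: 1 process create, 3 network connect,
# 6 driver load, 7 image (DLL) load. The record format itself is constructed.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'Key=Value Key=Value' record into a dict (constructed format)."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def is_c2(ip_str):
    """True if ip_str falls inside any of the report's C2 ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in C2_NETWORKS)


def check_event(ev):
    """Return (rule, detail) hits for one parsed event."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == "1" and basename(image) in IOC_PROCESSES:
        hits.append(("ioc_process", basename(image)))
    elif eid == "3" and is_c2(ev.get("DestinationIp", "")):
        hits.append(("c2_connection", ev["DestinationIp"]))
    elif eid == "6" and basename(ev.get("ImageLoaded", "")) == VULN_DRIVER:
        hits.append(("vulnerable_driver_load", ev["ImageLoaded"]))
    elif eid == "7":
        dll = ev.get("ImageLoaded", "")
        # A missing Signed field is treated as unsigned (fail closed).
        unsigned = ev.get("Signed", "").lower() != "true"
        # Sideload heuristic: an abused signed host loads an unsigned DLL
        # from its own directory rather than from a system path.
        if basename(image) in SIDELOAD_HOSTS and unsigned and dirname(dll) == dirname(image):
            hits.append(("possible_dll_sideload",
                         f"{basename(image)} loaded unsigned {basename(dll)}"))
    return hits


def scan(log_text):
    """Run every record through check_event and collect the hits in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            findings.extend(check_event(parse_line(line)))
    return findings


# Constructed sample records. Paths, the DLL name and the 118.107.41.77 host are
# made up for the example; only the indicator values come from the report.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Windows\explorer.exe
EventID=1 Image=C:\Users\alice\AppData\Local\Temp\zpaqfranz.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EventID=1 Image=C:\Windows\SingMusice.exe ParentImage=C:\Users\alice\AppData\Local\Temp\zpaqfranz.exe
EventID=7 Image=C:\ProgramData\Soda\SodaMusicLauncher.exe ImageLoaded=C:\ProgramData\Soda\placeholder_sideload.dll Signed=false
EventID=7 Image=C:\ProgramData\Soda\SodaMusicLauncher.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
EventID=3 Image=C:\Windows\SingMusice.exe DestinationIp=118.107.41.77 DestinationPort=443
EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=198.51.100.7 DestinationPort=443
EventID=6 ImageLoaded=C:\Windows\Temp\wnBios.sys Signed=true
"""

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Two design points worth noting: the CIDR match uses the ipaddress module rather than string prefixes, so the whole 118.107.40.0/21 block is covered without listing hosts, and the driver rule matches on file name only, because a BYOVD loader can place wnBios.sys anywhere on disk; in production you would also pin the driver's hash or the 1.2.0.0 version from the report rather than rely on the name.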
My Take: The Evolution of Silver Fox Tradecraft
The deployment of the ValleyRAT malware via a fake Telegram installer highlights a critical shift in how threat actors bypass modern endpoint protection. By combining an obscure compression tool with a vulnerable BIOS driver, Silver Fox demonstrates a deep understanding of how to exploit the blind spots in consumer antivirus software. This level of sophistication indicates a well-resourced group that continuously refines its evasion techniques.
The decision to actually apply the Telegram language pack at the end of the infection chain is particularly insidious. This psychological manipulation ensures the user remains completely unaware of the compromise, granting the attackers persistent, kernel-level access. This access can then be used to harvest data or deploy secondary payloads, such as the DesignAccent.exe process, for steganographic communication.