Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)
released on 2025-10-16 @ 11:41:47 AM
A sophisticated cyber campaign targeting Chinese individuals in the FinTech, cryptocurrency exchange, and trading platform sectors has been uncovered. The operation uses spear-phishing emails carrying malicious .LNK shortcut files embedded in fake resumes. When executed, these files initiate a multi-stage infection chain that ultimately deploys the ValleyRAT malware. The malware establishes persistence through scheduled tasks, performs system reconnaissance, and exfiltrates sensitive data. The campaign's infrastructure is primarily hosted in Hong Kong, with multiple domains using the .work TLD to impersonate job portals. To evade detection, the attackers use anti-VM checks and attempt to disable antivirus software.