{
	"id": "73d20f8f-1db5-4ac4-99c2-a6384c8ecb23",
	"created_at": "2026-04-06T00:14:09.163646Z",
	"updated_at": "2026-04-10T03:29:07.022349Z",
	"deleted_at": null,
	"sha1_hash": "4c7e7cf8c5f4a0edc17653a0ac37e33e2fa23a2c",
	"title": "ValleyRAT – Malware Trends Tracker by ANY.RUN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69604,
	"plain_text": "ValleyRAT – Malware Trends Tracker by ANY.RUN\r\nBy Stanislav Gayvoronsky\r\nArchived: 2026-04-05 23:15:11 UTC\r\nWhat is Valley RAT malware?\r\nValleyRAT is a C++-based RAT first identified in early 2023. It is associated with the Silver Fox advanced persistent threat (APT) group, a suspected China-based threat actor.\r\nIt stands out among the many RATs for its multi-stage infection chain, heavy reliance on shellcode for execution, and a focus on espionage and data theft. It is designed to infiltrate systems, maintain persistence, and provide attackers with extensive remote control, including the ability to monitor activities, steal data, and deploy additional malicious plugins.\r\nValleyRAT employs a variety of distribution methods: phishing and spear-phishing emails, compromised websites, social engineering via instant messengers, fake downloads and DLL hijacking. For the initial infection, a loader disguised as a legitimate file is used, which triggers a multi-stage process to deploy the full payload discreetly. The loader executes shellcode directly in memory, thus minimizing its disk footprint and visibility to file-based detection tools.\r\nOnce rooted in the system, ValleyRAT provides attackers with remote control (including keyboard, mouse, and screen interaction via WinSta0), allows data exfiltration, file execution, and additional plugin deployment. Screenshot capture, keylogging, and activity monitoring are also performed.\r\nValleyRAT’s Prominent Features\r\nTargeted Espionage: It focuses on high-value roles in finance, accounting, sales, and management, particularly within Chinese enterprises, to steal sensitive corporate data for financial fraud or insider threats.\r\nPhased Deployment: ValleyRAT’s deployment chain (loader → shellcode → C2 → payload) is more complex than that of many single-stage RATs, enhancing stealth.\r\nExpanded Attack Surface: By exploiting gaming software and other non-traditional vectors, it broadens its reach beyond typical enterprise targets.\r\nPersistent Access: ensures long-term control, enabling prolonged espionage campaigns.\r\nhttps://any.run/malware-trends/valleyrat\r\nPage 1 of 4\r\nGeopolitical Implications: Linked to the Silver Fox APT, ValleyRAT aligns with state-sponsored tactics, suggesting potential use in cyber warfare or intelligence gathering against Chinese-speaking regions.\r\nValleyRAT Execution Process and Technical Details\r\nThe complicated behavior of ValleyRAT is observable in ANY.RUN’s Interactive Sandbox. Let’s explore its processes, IOCs, connections, and other activities.\r\nDuring the first stages, ValleyRAT may employ techniques such as DLL sideloading and exploiting legitimate signed executables that are vulnerable to DLL search order hijacking. Additionally, process injection is used to inject malicious code into processes like svchost.exe. This allows ValleyRAT to execute its payload, which may include shellcode that decrypts an encrypted PE file in memory for execution without leaving traces on the disk. The payload also includes hooks to bypass security mechanisms like AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows).\r\nTo ensure persistence, ValleyRAT modifies registry settings under Software\\Microsoft\\Windows\\CurrentVersion\\Run or, in our analysis, in the startup directory %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ by using the Windows Command Shell (CMD). It also stores files in directories such as C:\\ProgramData. Once established, ValleyRAT communicates with its Command-and-Control (C2) server using UDP or TCP protocols. The commands supported by ValleyRAT include capturing screenshots, executing files or DLLs, setting startup configurations, filtering processes, and clearing event logs.\r\nTo avoid running multiple instances of itself, the malware creates mutexes. In our case, the mutex \" V‰°5i™þ«\" contains non-standard characters.\r\nIt abuses Windows COM interfaces (e.g., CMSTPLUA, fodhelper.exe) to bypass User Account Control (UAC) and gain elevated privileges, often adjusting its security token to SeDebugPrivilege for deeper system access.\r\nValleyRAT employs multiple stealth mechanisms to evade detection. These include anti-VM checks to detect VMware environments and avoid analysis, as well as keylogging and screen monitoring capabilities to log keystrokes and collect screen data for remote control. Additionally, ValleyRAT injects DLLs into critical processes to prevent security applications from launching. This multi-layered execution chain highlights ValleyRAT’s ability to infiltrate systems stealthily while maintaining persistence and evading detection.\r\n[Figure: ValleyRAT sample analysis inside ANY.RUN’s Interactive Sandbox]\r\nIts famous arsenal of evasion tactics includes:\r\nMemory-Based Execution: It heavily relies on shellcode executed in memory rather than writing files to disk, reducing its traceable footprint.\r\nProcess Injection: By injecting malicious code into legitimate processes, it masks its activities within normal system operations.\r\nSleep Obfuscation: It uses sleep routines to alter memory permissions, evading memory scanners and sandbox analysis.\r\nEncryption: Shellcode is encrypted (e.g., XOR with keys like 0x27, or AES-256), making it harder for signature-based tools to identify.\r\nAnti-VM and Sandbox Checks: It terminates if it detects virtualized environments or common analysis tools (e.g., VMware, WeChat/DingTalk registry checks as a kill switch).\r\nSecurity Tool Disruption: ValleyRAT targets antivirus processes (e.g., Qihoo’s ZhuDongFangYu) for termination and modifies registry settings or Windows Defender exclusions to disable defenses.\r\nLegitimate Tool Abuse: It leverages trusted Windows utilities (e.g., MSBuild.exe) and signed executables to blend in with normal activity.\r\nWhat are examples of the best-known ValleyRAT attacks?\r\nWhile specific attacks are not always publicly detailed with victim identities due to the sensitive nature of espionage-driven attacks, cybersecurity researchers have documented key campaigns that highlight ValleyRAT’s success in infiltrating systems, evading detection, and achieving its objectives.\r\n1. Impersonation of Chinese Telecom Companies (2024): Attackers created fraudulent websites mimicking legitimate Chinese telecom firms to distribute ValleyRAT. It employed DLL hijacking, utilizing legitimate game-related binaries to execute its payload stealthily. Users downloaded malicious software, leading to system compromises.\r\n2. Targeted Attacks on Chinese-Speaking Enterprises (August 2024): A campaign aimed at Chinese-speaking users of companies in the e-commerce, finance, sales, and management sectors.\r\n3. Resume-Themed PDF Campaign (May 2023): Victims received PDFs mimicking job resumes, which, when opened, directed users to download ValleyRAT via malicious URLs. The RAT was deployed alongside a Rust-based loader, enhancing its stealth and delivery efficiency. This campaign successfully targeted high-value individuals, likely in corporate environments. The use of PDFs broadened its attack surface beyond traditional executable files, catching security systems off-guard.\r\n4. Trojanized Medical Imaging Software in Healthcare Sector (February 2025): The Silver Fox APT group embedded ValleyRAT within counterfeit versions of Philips DICOM viewer software.\r\n5. Fake Chrome Download Campaign (February 2025): Victims downloaded a ZIP archive containing “Setup.exe,” which sideloaded malicious DLLs (e.g., “tier0.dll” from Valve games, “sscronet.dll”) via legitimate executables like Douyin.exe. ValleyRAT then logged keystrokes, monitored screens, and established C2 communication, using Donut shellcode for in-memory execution.\r\nThe latter campaign’s reuse of URLs, gaming software exploitation, and focus on key organizational roles demonstrated Silver Fox’s strategic shift toward both wider and more precise targeting, cementing ValleyRAT’s reputation as a versatile RAT.\r\nGathering threat intelligence on ValleyRAT malware\r\nIt would be a painful challenge to scrape ValleyRAT out of your system considering its persistence and evasion “talents”. And, of course, calculating and mitigating the losses would be even more painful. So, it’s much better not to invite the digital culprit in.\r\nUse threat intelligence to study and recognize ValleyRAT TTPs, and to gather IOCs, IOAs, and IOBs for tuning your monitoring and detection systems. You can also leverage ANY.RUN’s TI Feeds to be updated with new ValleyRAT identifiers automatically.\r\nValleyRAT has a habit of reusing the same URLs or IP addresses across campaigns, and it often employs unique mutexes. Use ANY.RUN’s Threat Intelligence Lookup and start your research with the malware’s name:\r\nthreatName:\"valleyrat\"\r\n[Figure: ValleyRAT search results in TI Lookup; ValleyRAT samples in ANY.RUN’s Sandbox]\r\nValleyRAT often leaves byte patterns that can be matched by custom or shared YARA rules. Suricata rules are also of much help in detecting the trojan’s malicious processes. This is what the details of such a process look like in TI Lookup:\r\n[Figure: Details on ValleyRAT actions in the system]\r\nConclusion\r\nValleyRAT is an example of modern malware evolution, blending traditional RAT functionality with advanced evasion and persistence tactics. Its danger lies in its ability to quietly infiltrate networks, target valuable data, and maintain long-term access. Countering it demands a blend of cutting-edge detection tools, robust threat intelligence, and proactive security measures to stay ahead of its cunning Silver Fox operators.\r\nThough it started as a threat to Chinese enterprises and users, today you are not safe even if you are on the opposite side of the world from China. APTs’ appetites always grow, so be ready and proactive against ValleyRAT.\r\nSource: https://any.run/malware-trends/valleyrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/malware-trends/valleyrat"
	],
	"report_names": [
		"valleyrat"
	],
	"threat_actors": [
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c7e7cf8c5f4a0edc17653a0ac37e33e2fa23a2c.pdf",
		"text": "https://archive.orkl.eu/4c7e7cf8c5f4a0edc17653a0ac37e33e2fa23a2c.txt",
		"img": "https://archive.orkl.eu/4c7e7cf8c5f4a0edc17653a0ac37e33e2fa23a2c.jpg"
	}
}