{
	"id": "9dc0bd47-afc2-4328-9324-2c49a06418d9",
	"created_at": "2026-04-06T02:12:12.405618Z",
	"updated_at": "2026-04-10T03:24:16.977462Z",
	"deleted_at": null,
	"sha1_hash": "4e390b5408fc4e20cf5fa1f36baabc551933cf6e",
	"title": "Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609029,
	"plain_text": "Chinese Malware Appears in Earnest Across Cybercrime Threat\r\nLandscape | Proofpoint US\r\nBy Proofpoint Threat Research Team, September 20, 2023\r\nPublished: 2023-09-13 · Archived: 2026-04-06 01:38:14 UTC\r\nKey Takeaways\r\nProofpoint has observed an increase in activity from specific malware families targeting Chinese-language\r\nspeakers.\r\nCampaigns include Chinese-language lures and malware typically associated with Chinese cybercrime\r\nactivity.\r\nNewly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity,\r\nwhile Sainbox RAT and related variants are recently active as well.\r\nThe increase in Chinese language malware activity indicates an expansion of the Chinese malware\r\necosystem, either through increased availability or ease of access to payloads and target lists, as well as\r\npotentially increased activity by Chinese-speaking cybercrime operators.\r\nOverview\r\nSince early 2023, Proofpoint observed an increase in the email distribution of malware associated with suspected\r\nChinese cybercrime activity. This includes the attempted delivery of the Sainbox Remote Access Trojan (RAT) – a\r\nvariant of the commodity trojan Gh0stRAT – and the newly identified ValleyRAT malware. After years of this\r\nmalware not appearing in Proofpoint threat data, its appearance in multiple campaigns over the last six months is\r\nnotable.\r\nThe phrase “Chinese-themed” is used to describe any of the observed content related to this malicious activity,\r\nincluding lures, malware, targeting, and any metadata that contains Chinese language usage. Campaigns are\r\ngenerally low-volume and are typically sent to global organizations with operations in China. The email subjects\r\nand content are usually written in Chinese, and are typically related to business themes like invoices, payments,\r\nand new products. 
The targeted users have Chinese-language names spelled with Chinese-language characters, or\r\nspecific company email addresses that appear to align with businesses' operations in China. Although most\r\ncampaigns have targeted Chinese-speaking users, Proofpoint observed one campaign targeting Japanese\r\norganizations, suggesting a potential expansion of activity.\r\nThese recently identified activity clusters have demonstrated flexible delivery methods, leveraging both simple\r\nand moderately complex techniques. Commonly, the emails contain URLs linking to compressed executables that\r\nare responsible for installing the malware. However, Proofpoint has also observed Sainbox RAT and ValleyRAT\r\ndelivered via Excel and PDF attachments containing URLs linking to compressed executables.\r\nProofpoint researchers assess that the multiple campaigns delivering Sainbox RAT and ValleyRAT share some\r\nsimilar tactics, techniques, and procedures (TTPs). However, research into additional activity clusters utilizing\r\nhttps://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape\r\nPage 1 of 12\n\nthese malware families demonstrates enough variety in infrastructure, sender domains, email content, targeting, and\r\npayloads that researchers currently conclude that not all use of these malware families and associated campaigns is\r\nattributable to the same cluster, but likely to multiple distinct activity sets.\r\nThe emergence and uptick of both novel and older Chinese-themed malware demonstrates a new trend in the\r\noverall 2023 threat landscape. A blend of historic malware such as Sainbox – a variant of the older Gh0stRAT\r\nmalware – and the newly uncovered ValleyRAT may challenge the dominance that the Russian-speaking\r\ncybercrime market has on the threat landscape. However, the Chinese-themed malware is currently mostly\r\ntargeted toward users that likely speak Chinese. 
Proofpoint continues to monitor for evidence of increasing\r\nadoption across other languages.\r\nFor network defenders, we include several indicators of compromise and Emerging Threats detections to provide\r\nthe community with the ability to cover these threats.\r\nCampaign Details\r\nProofpoint has observed over 30 campaigns in 2023 leveraging malware typically associated with Chinese\r\ncybercrime activity. Nearly all lures are in Chinese, although Proofpoint has also observed messages in Japanese\r\ntargeting organizations in that country.\r\nGh0stRAT / Sainbox\r\nProofpoint has observed an increase in a variant of Gh0stRAT that Proofpoint researchers refer to as Sainbox. Sainbox\r\nwas first identified by Proofpoint in 2020 and is referred to as FatalRAT by third-party researchers. Since April\r\n2023, Proofpoint has identified nearly 20 campaigns delivering Sainbox, after the malware had been completely absent from the\r\nemail threat landscape for years.\r\nGh0stRAT is a RAT that was first observed in 2008. The builder for this RAT is available online. The source code\r\nis also publicly available and various modifications have been made to Gh0stRAT over the years by multiple\r\nauthors and threat actors, including forked variants like Sainbox. Proofpoint has also observed a handful of\r\nChinese language campaigns in 2023 delivering older Gh0stRAT variants.\r\nNearly all the observed Sainbox campaigns used invoice-themed lures which spoofed Chinese office and invoicing\r\ncompanies. The emails were typically sent from Outlook or other freemail email addresses and contained URLs,\r\nor Excel attachments containing URLs, that linked to a zipped executable that installed Sainbox.\r\nFor example, on 17 May 2023, Proofpoint observed a campaign targeting dozens of companies, the majority of\r\nwhich were in the manufacturing and technology sectors. 
Emails purported to be:\r\nFrom: \"友发票 \" \u003clwplbh@cluedk[.]com\u003e (Machine translation: “UF Invoice”)\r\nWith Subject: 《发票信息》(Machine translation: “Invoice Information”)\r\nFigure 1: Email sample from 17 May 2023 delivering Sainbox.\r\nThese emails contained a URL which linked to a zipped executable, “26866498.exe”. If executed, it led to the\r\ninstallation of Sainbox RAT associated with the command and control (C2) “fakaka16[.]top:3366.” Proofpoint\r\nobserved nearly 10 Sainbox RAT campaigns where the C2 had variations of “fakaka” in the domain, sometimes\r\nending in a number increasing in sequential order. Additionally, “Jiangsu Bangning Science \u0026 Technology Co.\r\nLtd” is responsible for the registration of several C2 domains associated with this actor starting with fakaka9[.]top\r\nin March 2023.\r\nThe majority of Sainbox RAT campaigns occurred between December 2022 and May 2023. Retrospective analysis\r\nof identified campaigns uncovered one more campaign in Proofpoint data using similar TTPs in April 2022.\r\nProofpoint continues to see additional campaigns associated with this activity cluster in August 2023.\r\nPurple Fox\r\nThe malware component of Purple Fox has been available since at least 2018. It is delivered via various methods,\r\nincluding historically via the Purple Fox Exploit Kit. In recent years, public reporting identified examples of\r\nPurple Fox malware delivery that was masquerading as legitimate application installers.\r\nProofpoint identified at least three campaigns delivering Purple Fox. While historic activity aligns with what\r\nProofpoint considers Chinese-themed, it is rarely observed in our threat data. 
Notably, one observed campaign\r\nused Japanese language invoice themes targeting organizations in Japan to deliver zipped LNK attachments that\r\nled to the installation of Purple Fox, while others used Chinese language invoice-themed messages with URLs\r\nleading to Purple Fox.\r\nProofpoint does not attribute all the Chinese-themed malware campaigns to the same threat actor at this time, but\r\nsome activity clusters do overlap, suggesting threat actors may be using the same infrastructure to deliver multiple\r\nmalware families.\r\nA New Malware Joins the Fray\r\nValleyRAT\r\nIn March 2023, Proofpoint identified a new malware we dubbed ValleyRAT. The campaigns distributing this\r\nmalware were conducted in Chinese, and, following the trend of other Chinese malware campaigns, the majority\r\nused invoice themes related to various Chinese businesses. In 2023, Proofpoint has observed at least six\r\ncampaigns delivering ValleyRAT malware.\r\nThe first campaign was observed on 21 March 2023. Emails contained a URL that led to a zipped executable that\r\ndownloaded the ValleyRAT payload. Subsequent campaigns contained similar TTPs including using freemail\r\nsenders such as Outlook, Hotmail and WeCom to deliver URLs leading to the installation of ValleyRAT. However,\r\nin at least one campaign, the RAT was delivered via a Rust language-based loader still currently under\r\ninvestigation. The loader additionally downloaded a legitimate tool, EasyConnect, in addition to a trojanized DLL\r\nthat the tool would load and execute via DLL search order hijacking. EasyConnect is an SSL VPN appliance\r\nthat enables remote access and management of Windows hosts. Subsequent campaigns in June 2023 included the\r\nsame TTPs.\r\nValleyRAT was first publicly reported on by the Chinese cybersecurity firm Qi An Xin earlier this year. 
\r\nWhile most of the campaigns used invoice-themed lures, Proofpoint observed one outlier campaign on 24 May\r\n2023 that used resume-themed PDFs containing URLs that, if clicked, downloaded a remote, zipped payload to\r\ninstall ValleyRAT.\r\nFigure 2: PDF lure used to deliver ValleyRAT.\r\nAnalysis of the newly observed ValleyRAT indicates the possibility that one group is behind both the new\r\nmalware campaigns and the resurgence of the older Purple Fox and Sainbox malware, but the timing may be\r\ncoincidental rather than directly attributable.\r\nMalware Analysis\r\nValleyRAT initially begins by searching for the existence of the directory \"C:\\Program Files\\VMware\\VMware\r\nTools\" on the victim machine. It then proceeds to search for specific processes within that directory:\r\n\"VMwareService.exe\", \"VMwareTray.exe\", and \"VMwareUser.exe\". The next step involves a check to see if the\r\ncomputer is part of the \"WORKGROUP\" or not. It then performs a check on the total physical memory to\r\ndetermine if it is below the threshold of 1,173,624,064 bytes. Finally, the program checks if the size of the hard\r\ndisk drive (HDD) is below 110GB. These checks are basic virtualization or emulation checks that attempt to identify\r\nwhether the payload is being executed within a virtual environment.\r\nValleyRAT is a RAT written in C++, compiled in Chinese, and demonstrates the functionalities of a typically basic\r\nRAT. The following table is an overview of the commands that are currently implemented in what Proofpoint\r\nassesses is version 3.0 of ValleyRAT, an assessment derived from a “version” number that returns a 3.0 string value.\r\nWhen the system information packet is sent, the C2 replies with command packets. 
It currently has the following\r\ncommands implemented:\r\nCommand | Description\r\n0x00 | Plugin cleanup, and get system's process list. Client replies with a STRUCT_PACKET_PROCESS_LIST structure.\r\n0x01 | Reply with STRUCT_PACKET_0x02 structure, that contains the exact data originally sent to the Client. This is probably implemented as anti-bot verification or as a PING→PONG packet.\r\n0x02 | Drops and executes a DLL\r\n0x04 | Drops and executes a DLL (Second Method)\r\n0x05 | Plugin cleanup, replies with a STRUCT_PACKET_0x05 structure.\r\n0x06 | Get system's process list. Client replies with a STRUCT_PACKET_PROCESS_LIST structure.\r\n0x07 | Drops and executes any type of file (document, image, etc)\r\n0x08 | Downloads and executes an executable file.\r\n0x09 | Sets the Client to start at system startup.\r\n0x0A | Sets the \"BEIZHU\" (\"remark\") or \"FENZU\" (\"subgroup\") registry keys.\r\n0x64 | Stops the client, without terminating the process.\r\n0x65 | Starts the client\r\nTable 1: ValleyRAT commands and associated descriptions.\r\nPacket Process List\r\nFigure 3: Structure which defines the content of a packet sent to the C2 to describe running processes, window\r\nnames, etc.\r\nFigure 4: Structure which defines the content of a packet sent to the C2 to indicate a plugin has been cleaned up.\r\nCommunication Protocol\r\nThe malware uses raw sockets with a custom protocol to communicate with the C2 (see Figure 7 for packet\r\nencoding). 
Before receiving any commands from the Server, the Client announces itself by sending a packet\r\ncontaining system information, formatted in the following structure:\r\nFigure 5: Structure which defines the content of the initial system information beacon that it sends to the C2 to\r\nidentify a newly infected victim.\r\nFigure 6: Network Decoding Algorithm.\r\nSystemID Generation Algorithm\r\nValleyRAT generates an MD5 digest of the following values: OS Info, Kernel Version, CPU Name, Architecture,\r\nIsAdmin, Hardware Profile GUID to use as a System Identifier (SystemID). Below is a reimplementation of this\r\nin Python.\r\nFigure 7: SystemID generation.\r\nConclusion\r\nFor over a decade, Gh0stRAT and related variants have been consistently exploited in various circles. Proofpoint\r\nrecently observed a minor resurgence in the use of Sainbox and other Chinese-themed malware, piquing the\r\ninterest of analysts who can assess the broader impact of older malware. With this resurgence, the questions arise:\r\nis the impact of older malware easier to detect due to its age? Does mature detection always mean mature\r\nsecurity? 
Based on Proofpoint’s analysis, the answer is not necessarily, as older malware can still be effective,\r\nespecially when threat actors constantly change tactics by rotating IPs, domains, encoding, and obfuscation.\r\nConsequently, even though these malware families are not new, organizations cannot afford to underestimate the\r\nrisk they pose.\r\nProofpoint research suggests that this activity does not seem to be related to a single entity but rather appears to be\r\na cluster of activities based on temporal patterns. The appearance of ValleyRAT alongside the older families hints\r\nat the possibility of their relation in terms of timing. Proofpoint anticipates ValleyRAT will be used more\r\nfrequently in the future.  \r\nRaising awareness in 2023 about the reappearance of these threats serves as an informational bulletin for the\r\ncommunity. While new and sophisticated threats seemingly dominate the daily threat landscape, it is essential to\r\nmaintain a balanced perspective by acknowledging seemingly less significant risks that persist. Despite being\r\nneither new nor advanced, Sainbox RAT still poses a threat in 2023, and ValleyRAT is an emerging threat in this\r\nspace. 
\r\nEmerging Threats Signatures\r\n2045774 - ET INFO Observed URL Shortening Service Domain in DNS Lookup (dwz .mk)\r\n2045775 - ET INFO Observed URL Shortening Service Domain (dwz .mk in TLS SNI)\r\n2854367 - ETPRO MALWARE Win32/ValleyRat CnC Activity (GET) M1\r\n2854368 - ETPRO MALWARE Win32/ValleyRat CnC Activity (GET) M2\r\n2854369 - ETPRO MALWARE Win32/ValleyRat CnC Activity via tcp Outbound\r\n2854370 - ETPRO MALWARE Win32/ValleyRat CnC Activity via tcp Inbound\r\n2854371 - Suspicious User-Agent in HTTP Request (GameInfo)\r\n2044739 - ET INFO Chinese CDN Domain in DNS Lookup (ctcontents .com) (info.rules)\r\nExample IOCs\r\nIndicator | Description | First Observed\r\nhxxp://rus3rcqtp[.]hn-bkt[.]clouddn[.]com/26866498[.]zip | Sainbox Payload URL | May-23\r\n0d133dde99d883274bf5644bd9e59af3c54c2b3c65f3d1bc762f2d3725f80582 | Sainbox Executable SHA256 | May-23\r\nfakaka16[.]top:3366 | Sainbox C2 | May-23\r\nlwplbh@cluedk[.]com | Sainbox Sender Email | May-23\r\n7f32ca98ce66a057ae226ec78638db95feebc59295d3afffdbf407df12b5bc79 | Sainbox Executable SHA256 | Aug-23\r\nkakafa[.]top:3367 | Sainbox C2 | Aug-23\r\nq1045582630@qq[.]com | Sainbox Sender Email | Aug-23\r\nhxxp://51fapiaoyun[.]com/%E5%8F%91-%E7%A5%A8[.]rar | ValleyRAT Payload URL | Mar-23\r\nhttp://124[.]220[.]35[.]63/laoxiang[.]exe | ValleyRAT Payload URL | Mar-23\r\ncjkmj@51fapiao[.]com | ValleyRAT Sender Email | Mar-23\r\na48abe2847e891cfd6c18c7cdaaa8e983051bc2f7a0bd9ef5c515a72954e1715 | PDF Used to Deliver ValleyRAT SHA256 | May-23\r\na48abe2847e891cfd6c18c7cdaaa8e983051bc2f7a0bd9ef5c515a72954e1715 | ValleyRAT Executable | May-23\r\nC:\\Users\\77\\source\\repos\\Project8\\Debug\\Project8.pdb | ValleyRAT PDB File Path | May-23\r\nhxxps://drfs[.]ctcontents[.]com/file/40788929/860577489/0823d7/%E4%B8%AA%E4%BA%BA%E7%AE%80%E5%8E%862023[.]rar | ValleyRAT Payload URL | May-23\r\naa0035@zohomail[.]cn | ValleyRAT Sender Email | May-23\r\nhxxp://ckj2[.]cn/R8F | ValleyRAT Payload URL | May-23\r\n4f01ffe98009a8090ea8a086d21c62c24219b21938ea3ec7da8072f8c4dcc7a6 | ValleyRAT Executable | May-23\r\nvip66@xqxayjrk101[.]wecom[.]work | ValleyRAT Sender Email | May-23\r\nhxxps://zc1800[.]oss-cn-shenzhen[.]aliyuncs[.]com/piao | ValleyRAT Payload URL | Jun-23\r\nqdjvqvumsdw@hotmail[.]com | ValleyRAT Sender Email | Jun-23\r\nhxxps://fhyhdf[.]oss-cn-hangzhou[.]aliyuncs[.]com/%E7%99%BC%E7%A5%A8[.]zip | ValleyRAT Payload URL | Jun-23\r\nkweffabibis0@outlook[.]com | ValleyRAT Sender Email | Jun-23\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape"
	],
	"report_names": [
		"chinese-malware-appears-earnest-across-cybercrime-threat-landscape"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441532,
	"ts_updated_at": 1775791456,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e390b5408fc4e20cf5fa1f36baabc551933cf6e.pdf",
		"text": "https://archive.orkl.eu/4e390b5408fc4e20cf5fa1f36baabc551933cf6e.txt",
		"img": "https://archive.orkl.eu/4e390b5408fc4e20cf5fa1f36baabc551933cf6e.jpg"
	}
}