{"id":8626,"date":"2024-08-20T09:51:54","date_gmt":"2024-08-20T09:51:54","guid":{"rendered":"\/cybersecurity-blog\/?p=8626"},"modified":"2024-08-20T09:52:19","modified_gmt":"2024-08-20T09:52:19","slug":"new-valleyrat-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/","title":{"rendered":"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0"},"content":{"rendered":"\n<p>A sophisticated campaign is targeting Chinese-speaking users, <a href=\"https:\/\/thehackernews.com\/2024\/08\/multi-stage-valleyrat-targets-chinese.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">distributing<\/a> a malware known as ValleyRAT.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What&#8217;s happening?&nbsp;<\/h2>\n\n\n\n<p>There\u2019s a new campaign spreading a multi-stage threat designed to monitor and control infected systems while deploying additional plugins to cause further damage.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key components of the campaign:<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-140\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"140\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Component\u00a0                    <\/th>\n          
                                      <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Details\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Target\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Chinese-speaking users\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Attack Method\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            
data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Email messages with URLs pointing to compressed executables\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Malware\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ValleyRAT\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Affected systems\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-140'>\ntable#wpdtSimpleTable-140{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-140 td, table.wpdtSimpleTable140 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>ValleyRAT employs a range of techniques to evade detection, including the use of shellcode to execute its components directly in <a href=\"https:\/\/blog-adm.susp.io\/cybersecurity-blog\/fileless-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">memory<\/a>, minimizing its footprint on the victim\u2019s system. The campaign initially came to light in June 2024, with the latest iteration featuring enhanced capabilities for persistence and privilege escalation.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Breaking down the attack chain&nbsp;<\/h2>\n\n\n\n<p>The attack begins with a first-stage loader disguised as a legitimate application such as Microsoft Office, using filenames like &#8220;\u5de5\u5546\u5e74\u62a5\u5927\u5e08.exe&#8221; or &#8220;\u8865\u5355\u5bf9\u63a5\u66f4\u65b0\u8bb0\u5f55txt.exe&#8221; to appear harmless. When launched, the executable drops a decoy document and loads shellcode that advances the attack to the next stage.&nbsp;<\/p>\n\n\n\n<p>This shellcode initiates communication with a command-and-control (C2) server and downloads two critical components: RuntimeBroker and RemoteShellcode. These components are responsible for establishing persistence on the host, gaining administrator privileges through exploitation techniques, and further escalating privileges by abusing legitimate binaries such as fodhelper.exe and the CMSTPLUA COM interface.&nbsp;<\/p>\n\n\n\n<p>RuntimeBroker\u2019s primary task is to retrieve another loader from the C2 server, which repeats the initial infection process while performing additional checks to determine whether it is running in a sandbox. It also scans the Windows Registry for keys related to apps like Tencent WeChat and Alibaba DingTalk, reinforcing the notion that ValleyRAT is specifically targeting Chinese systems.&nbsp;<\/p>\n\n\n\n<p>RemoteShellcode is configured to fetch the ValleyRAT downloader, which uses network protocols like UDP or TCP to connect to the C2 server and receive the final payload. 
ValleyRAT, attributed to the Silver Fox threat group, is a fully featured backdoor capable of remotely controlling compromised systems, taking screenshots, executing files, and loading additional plugins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing ValleyRAT in ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/bd4926c1-eb84-44f7-8ce3-89d055cb3023\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=valleyrat_campaign&amp;utm_term=200824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">ValleyRAT<\/a> can be analyzed in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=valleyrat_campaign&amp;utm_term=200824&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a>, a powerful tool that provides detailed insights into the malware&#8217;s behavior.\u00a0\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-1024x565.png\" alt=\"\" class=\"wp-image-8628\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-1536x848.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-270x149.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new-740x408.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_new.png 1845w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ValleyRAT analyzed in the ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox analysis shows that MSBuild.exe was executed with a command line pointing to file.exe in the Temp directory.<\/p>\n\n\n\n<p>MSBuild.exe, the Microsoft build engine, is legitimately used to compile and build projects, especially those developed on the .NET Framework.<\/p>\n\n\n\n<p>In a malicious context, the use of MSBuild.exe indicates an attempt to hide malicious activity behind a trusted, Microsoft-signed process.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-1024x577.png\" alt=\"\" class=\"wp-image-8629\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-1536x866.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two-740x417.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/valley_two.png 1826w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Details 
of ValleyRAT&#8217;s C2 activity<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox also shows ValleyRAT&#8217;s command-and-control (C2) server communication, detected by a <a href=\"https:\/\/any.run\/cybersecurity-blog\/detection-with-suricata-ids\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata<\/a> IDS rule.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. 
<\/p>\n\n\n\n<p>Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=valleyrat_campaign&amp;utm_term=200824&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.\u00a0\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds.<\/li>\n<li>Interact with samples in real time.<\/li>\n<li>Save time and money on sandbox setup and maintenance.<\/li>\n<li>Record and study all aspects of malware behavior.<\/li>\n<li>Collaborate with your team.<\/li>\n<li>Scale as you need.<\/li>\n<\/ul>\n\n\n\n<p><a 
href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=valleyrat_campaign&amp;utm_term=200824&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192\u00a0<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated campaign is targeting Chinese-speaking users, distributing a malware known as ValleyRAT.\u00a0 What&#8217;s happening?&nbsp; There\u2019s a new campaign spreading a multi-stage threat designed to monitor and control infected systems while deploying additional plugins to cause further damage.&nbsp; Key components of the campaign: ValleyRAT employs a range of techniques to evade detection, including the use [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":8640,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,10,15,34,40],"class_list":["post-8626","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn about a new malicious campaign targeting Chinese-speaking users and distributing a malware known as ValleyRAT.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0\",\"datePublished\":\"2024-08-20T09:51:54+00:00\",\"dateModified\":\"2024-08-20T09:52:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/\"},\"wordCount\":602,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/\",\"name\":\"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-08-20T09:51:54+00:00\",\"dateModified\":\"2024-08-20T09:52:19+00:00\",\"description\":\"Learn about a new malicious campaign targeting Chinese-speaking users and distributing a malware known as 
ValleyRAT.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn about a new malicious campaign targeting Chinese-speaking users and distributing a malware known as ValleyRAT.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/","twitter_misc":{"Written by":"Jack Zalesskiy","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/"},"author":{"name":"Jack Zalesskiy","@id":"https:\/\/any.run\/"},"headline":"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0","datePublished":"2024-08-20T09:51:54+00:00","dateModified":"2024-08-20T09:52:19+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/"},"wordCount":602,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/","url":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/","name":"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-08-20T09:51:54+00:00","dateModified":"2024-08-20T09:52:19+00:00","description":"Learn about a new malicious campaign targeting Chinese-speaking users and distributing 
a malware known as ValleyRAT.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/new-valleyrat-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"New ValleyRAT Campaign Spotted with Advanced Techniques\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Jack 
Zalesskiy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","caption":"Jack Zalesskiy"},"description":"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8626"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8626"}],"version-history":[{"count":4,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8626\/revisions"}],"predecessor-version":[{"id":8644,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8626\/revisions\/8644"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8640"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}