Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

ValleyRAT

116
Global rank
84 infographic chevron month
Month rank
88 infographic chevron week
Week rank
0
IOCs

ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.

RAT
Type
China
Origin
1 March, 2023
First seen
5 October, 2025
Last seen

How to analyze ValleyRAT with ANY.RUN

RAT
Type
China
Origin
1 March, 2023
First seen
5 October, 2025
Last seen

IOCs

IP addresses
206.119.167.236
108.187.7.84
45.205.28.70
156.239.14.156
134.122.204.72
45.197.144.130
154.219.96.137
103.86.47.221
154.39.252.130
202.79.171.36
108.187.6.98
23.140.244.250
112.196.218.9
154.91.226.8
150.5.145.84
45.119.55.125
47.115.94.234
122.10.111.75
103.140.238.246
198.44.250.72
Domains
home.wtt.ink
ggwk.cc
oqslpwgyxjfbxp.top
frp-arm.com
yvfei.253274554324.com
qq.yvfei7770.com
koadbzmlqiyr.cn
hdwyebwfvjs.cn
360news2.icu
ydbao6.cyou
qp.cnmnmb.top
ydbao8.cyou
dmoneii.com
longlq.cl
file.seek
kmhhla.top
youdaoselw.icu
kejishashasha.cn
helloworid.org
qqa.preech.top
Last Seen at

Recent blog posts

post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 2321
comments 0
post image
FunkSec’s FunkLocker: How AI Is Powering the...
watchers 3271
comments 0
post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 3500
comments 0

What is Valley RAT malware?

ValleyRAT is a C++-based RAT first identified in early 2023. It is associated with the Silver Fox advanced persistent threat (APT) group, a suspected China-based threat actor.

It stands out of the plenty of RATs for its multi-stage infection chain, heavy reliance on shellcode for execution, and a focus on espionage and data theft. It is designed to infiltrate systems, maintain persistence, and provide attackers with extensive remote control. Including the ability to monitor activities, steal data, and deploy additional malicious plugins.

ValleyRAT employs a variety of distribution methods: phishing and spear-phishing emails, compromised websites, social engineering via instant messengers, fake downloads and DLL hijacking. For the initial infection, a loader disguised as a legitimate file is used, which triggers a multi-stage process to deploy the full payload discreetly.

The loader executes shellcode directly in memory thus minimizing its disk footprint and visibility to file-based detection tools.

Once rooted in the system, ValleyRAT provides attackers with its remote control (including keyboard, mouse, screen interaction via WinSta0), allows data exfiltration, file execution, and additional plugin deployment. Screenshot capture, keylogging, and activity monitoring are also performed.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

ValleyRAT Ransomware’s Prominent Features

  • Targeted Espionage: It focuses on high-value roles in finance, accounting, sales, and management, particularly within Chinese enterprises, to steal sensitive corporate data for financial fraud or insider threats.
  • Phased Deployment: (loader → shellcode → C2 → payload) of ValleyRAT is more complex than many single-stage RATs, enhancing stealth.
  • Expanded Attack Surface: By exploiting gaming software and other non-traditional vectors, it broadens its reach beyond typical enterprise targets.
  • Persistent Access: ensures long-term control, enabling prolonged espionage campaigns.
  • Geopolitical Implications: Linked to the Silver Fox APT, ValleyRAT aligns with state-sponsored tactics, suggesting potential use in cyber warfare or intelligence gathering against Chinese-speaking regions.

ValleyRAT Execution Process and Technical Details

The complicated behavior of ValleyRAT is observable in ANY.RUN’s Interactive Sandbox. Let’s explore its processes, IOCs, connections, and other activities.

View sandbox analysis

During the first stages, ValleyRAT may employ techniques such as DLL sideloading and exploiting legitimate signed executables that are vulnerable to DLL search order hijacking. Additionally, process injection is used to inject malicious code into processes like svchost.exe. This allows ValleyRAT to execute its payload, which may include shellcode that decrypts an encrypted PE file in memory for execution without leaving traces on the disk. The payload also includes hooks to bypass security mechanisms like AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows).

To ensure persistence, ValleyRAT modifies registry settings under Software\Microsoft\Windows\CurrentVersion\Run or, in our analysis, in the startup directory %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ by using the Windows Command Shell (CMD). It also stores files in directories such as C:\ProgramData. Once established, ValleyRAT communicates with its Command-and-Control (C2) server using UDP or TCP protocols. The commands supported by ValleyRAT include capturing screenshots, executing files or DLLs, setting startup configurations, filtering processes, and clearing event logs.

To avoid running multiple instances of itself, the malware creates mutexes. In our case, the mutex " V‰°5i™þ«" contains non-standard characters.

It abuses Windows COM interfaces (e.g., CMSTPLUA, fodhelper.exe) to bypass User Account Control (UAC) and gain elevated privileges, often adjusting its security token to SeDebugPrivilege for deeper system access.

ValleyRAT employs multiple stealth mechanisms to evade detection. These include anti-VM checks to detect VMware environments and avoid analysis, as well as keylogging and screen monitoring capabilities to log keystrokes and collect screen data for remote control. Additionally, ValleyRAT injects DLLs into critical processes to prevent security applications from launching. This multi-layered execution chain highlights ValleyRAT’s ability to infiltrate systems stealthily while maintaining persistence and evading detection.

ValleyRAT analysis in ANY.RUN ValleyRAT sample analysis inside ANY.RUN's Interactive Sandbox

Its famous arsenal of evasion tactics includes:

  • Memory-Based Execution: It heavily relies on shellcode executed in memory rather than writing files to disk, reducing its traceable footprint.
  • Process Injection: By injecting malicious code into legitimate processes, it masks its activities within normal system operations.
  • Sleep Obfuscation: It uses sleep routines to alter memory permissions, evading memory scanners and sandbox analysis.
  • Encryption: Shellcode is encrypted (e.g., XOR with keys like 0x27 or AES-256), making it harder for signature-based tools to identify.
  • Anti-VM and Sandbox Checks: It terminates if it detects virtualized environments or common analysis tools (e.g., VMware, WeChat/DingTalk registry checks as a kill switch).
  • Security Tool Disruption: ValleyRAT targets antivirus processes (e.g., Qihoo’s ZhuDongFangYu) for termination and modifies registry settings or Windows Defender exclusions to disable defenses.
  • Legitimate Tool Abuse: It leverages trusted Windows utilities (e.g., MSBuild.exe) and signed executables to blend in with normal activity.

What are the examples of the best-known ValleyRAT attacks?

While specific attacks are not always publicly detailed with victim identities due to the sensitive nature of espionage-driven attacks, cybersecurity researchers have documented key campaigns that highlight ValleyRAT’s success in infiltrating systems, evading detection, and achieving its objectives.

  1. Impersonation of Chinese Telecom Companies (2024): Attackers created fraudulent websites mimicking legitimate Chinese telecom firms to distribute ValleyRAT. It employed DLL hijacking, utilizing legitimate game-related binaries to execute its payload stealthily. Users downloaded malicious software, leading to system compromises.
  2. Targeted Attacks on Chinese-Speaking Enterprises (August 2024): A campaign aimed at Chinese-speaking users of companies in e-commerce, finance, sales, and management sectors.
  3. Resume-Themed PDF Campaign (May 2023): Victims received PDFs mimicking job resumes, which, when opened, directed users to download ValleyRAT via malicious URLs. The RAT was deployed alongside a Rust-based loader, enhancing its stealth and delivery efficiency. This campaign successfully targeted high-value individuals, likely in corporate environments. The use of PDFs broadened its attack surface beyond traditional executable files, catching security systems off-guard.
  4. Trojanized Medical Imaging Software in Healthcare Sector (February 2025): The Silver Fox APT group embedded ValleyRAT within counterfeit versions of Philips DICOM viewer software.
  5. Fake Chrome Download Campaign (February 2025): Victims downloaded a ZIP archive containing “Setup.exe,” which sideloaded malicious DLLs (e.g., “tier0.dll” from Valve games, “sscronet.dll”) via legitimate executables like Douyin.exe. ValleyRAT then logged keystrokes, monitored screens, and established C2 communication, using Donut shellcode for in-memory execution.

The latter campaign’s reuse of URLs, gaming software exploitation, and focus on key organizational roles demonstrated Silver Fox’s strategic shift toward both wider and more precise targeting, cementing ValleyRAT’s reputation as a versatile RAT.

Gathering threat intelligence on ValleyRAT malware

It would be a painful challenge to scrape ValleyRAT out of your system considering its persistence and evasion “talents”. And, of course, losses calculation and mitigation would be even more painful. So, it’s much better not to invite the digital culprit in.

Use threat intelligence to study and recognize ValleyRAT TTPs, and to gather IOCs, IOAs, and IOBs for tuning your monitoring and detection systems. You can also leverage ANY.RUN’s TI Feeds to be updated with the new ValleyRAT’s identificators automatically.

ValleyRAT has a habit of reusing the same URLs or IP addresses across campaigns, and besides, it often employs unique mutexes. Address ANY.RUN’s Threat Intelligence Lookup and start your research with malware’s name:

threatName:"valleyrat"

ValleyRAT search results in TI Lookup _ ValleyRAT samples in ANY.RUN’s Sandbox_

ValleyRAT often leaves byte patterns that can be matched by custom or shared YARA rules. Suricata rules are also of much help in detecting the trojan’s malicious processes. This is what the detalization of such process looks like in TI Lookup:

ValleyRAT process detailed Details on ValleyRAT actions in the system

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

ValleyRAT is an example of modern malware evolution, blending traditional RAT functionality with advanced evasion and persistence tactics. Its danger lies in its ability to quietly infiltrate networks, target valuable data, and maintain long-term access. Countering it demands a blend of cutting-edge detection tools, robust threat intelligence, and proactive security measures to stay ahead of its cunning Silver Fox operators.

Though it did start as a threat for Chinese enterprise and users, now, if you are on the opposite side of the world from China, you are not safe. APTs’ appetites always grow, so be ready and proactive against ValleyRAT.

Gather IOCs on ValleyRAT with 50 trial requests in TI Lookup

HAVE A LOOK AT

Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Xeno RAT screenshot
Xeno RAT
xenorat
Xeno RAT is an open-source malware mainly distributed through drive-by downloads. The core capabilities of this threat include remote control, keystroke logging, webcam and microphone access. Equipped with advanced utilities, such as Hidden Virtual Network Computing and Socks5 reverse proxy, Xeno RAT is most frequently used in attacks against individual users.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
Ramnit screenshot
Ramnit
ramnit
Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.
Read More