Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

ValleyRAT

89
Global rank
32 infographic chevron month
Month rank
31 infographic chevron week
Week rank
0
IOCs

ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.

RAT
Type
China
Origin
1 March, 2023
First seen
3 July, 2026
Last seen

How to analyze ValleyRAT with ANY.RUN

RAT
Type
China
Origin
1 March, 2023
First seen
3 July, 2026
Last seen

IOCs

IP addresses
154.92.16.22
43.106.25.77
47.237.103.1
8.219.170.249
203.135.104.35
137.220.158.170
112.213.106.27
154.36.188.162
104.233.184.215
223.26.62.228
192.238.184.143
104.143.39.35
124.156.133.46
47.84.34.181
8.210.238.216
47.236.241.97
39.109.116.103
8.210.145.95
103.215.77.17
47.243.127.117
Domains
vshkll.fit
temu.baskwms.top
invoice.msopsa.top
doyadkjp.com
jpydskkwo.top
dfiuygu.work
baoxis.cc
jpydskkwo.cyou
jpyahzho.work
jpyhdszh.work
jduskjp.shop
jpworkyes.com
jpliyszyy.work
gogousdtdiaoyu.org
jpyaword.com
gvsrtttj.work
jpzhhdss.work
frehf.oss-cn-hongkong.aliyuncs.com
wanyaqing.3322.org
a2.qwsazx.com
Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4650
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 9361
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7407
comments 0

What is Valley RAT malware?

ValleyRAT is a C++-based RAT first identified in early 2023. It is associated with the Silver Fox advanced persistent threat (APT) group, a suspected China-based threat actor.

It stands out of the plenty of RATs for its multi-stage infection chain, heavy reliance on shellcode for execution, and a focus on espionage and data theft. It is designed to infiltrate systems, maintain persistence, and provide attackers with extensive remote control. Including the ability to monitor activities, steal data, and deploy additional malicious plugins.

ValleyRAT employs a variety of distribution methods: phishing and spear-phishing emails, compromised websites, social engineering via instant messengers, fake downloads and DLL hijacking. For the initial infection, a loader disguised as a legitimate file is used, which triggers a multi-stage process to deploy the full payload discreetly.

The loader executes shellcode directly in memory thus minimizing its disk footprint and visibility to file-based detection tools.

Once rooted in the system, ValleyRAT provides attackers with its remote control (including keyboard, mouse, screen interaction via WinSta0), allows data exfiltration, file execution, and additional plugin deployment. Screenshot capture, keylogging, and activity monitoring are also performed.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

ValleyRAT Ransomware’s Prominent Features

  • Targeted Espionage: It focuses on high-value roles in finance, accounting, sales, and management, particularly within Chinese enterprises, to steal sensitive corporate data for financial fraud or insider threats.
  • Phased Deployment: (loader → shellcode → C2 → payload) of ValleyRAT is more complex than many single-stage RATs, enhancing stealth.
  • Expanded Attack Surface: By exploiting gaming software and other non-traditional vectors, it broadens its reach beyond typical enterprise targets.
  • Persistent Access: ensures long-term control, enabling prolonged espionage campaigns.
  • Geopolitical Implications: Linked to the Silver Fox APT, ValleyRAT aligns with state-sponsored tactics, suggesting potential use in cyber warfare or intelligence gathering against Chinese-speaking regions.

ValleyRAT Execution Process and Technical Details

The complicated behavior of ValleyRAT is observable in ANY.RUN’s Interactive Sandbox. Let’s explore its processes, IOCs, connections, and other activities.

View sandbox analysis

During the first stages, ValleyRAT may employ techniques such as DLL sideloading and exploiting legitimate signed executables that are vulnerable to DLL search order hijacking. Additionally, process injection is used to inject malicious code into processes like svchost.exe. This allows ValleyRAT to execute its payload, which may include shellcode that decrypts an encrypted PE file in memory for execution without leaving traces on the disk. The payload also includes hooks to bypass security mechanisms like AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows).

To ensure persistence, ValleyRAT modifies registry settings under Software\Microsoft\Windows\CurrentVersion\Run or, in our analysis, in the startup directory %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ by using the Windows Command Shell (CMD). It also stores files in directories such as C:\ProgramData. Once established, ValleyRAT communicates with its Command-and-Control (C2) server using UDP or TCP protocols. The commands supported by ValleyRAT include capturing screenshots, executing files or DLLs, setting startup configurations, filtering processes, and clearing event logs.

To avoid running multiple instances of itself, the malware creates mutexes. In our case, the mutex " V‰°5i™þ«" contains non-standard characters.

It abuses Windows COM interfaces (e.g., CMSTPLUA, fodhelper.exe) to bypass User Account Control (UAC) and gain elevated privileges, often adjusting its security token to SeDebugPrivilege for deeper system access.

ValleyRAT employs multiple stealth mechanisms to evade detection. These include anti-VM checks to detect VMware environments and avoid analysis, as well as keylogging and screen monitoring capabilities to log keystrokes and collect screen data for remote control. Additionally, ValleyRAT injects DLLs into critical processes to prevent security applications from launching. This multi-layered execution chain highlights ValleyRAT’s ability to infiltrate systems stealthily while maintaining persistence and evading detection.

ValleyRAT analysis in ANY.RUN ValleyRAT sample analysis inside ANY.RUN's Interactive Sandbox

Its famous arsenal of evasion tactics includes:

  • Memory-Based Execution: It heavily relies on shellcode executed in memory rather than writing files to disk, reducing its traceable footprint.
  • Process Injection: By injecting malicious code into legitimate processes, it masks its activities within normal system operations.
  • Sleep Obfuscation: It uses sleep routines to alter memory permissions, evading memory scanners and sandbox analysis.
  • Encryption: Shellcode is encrypted (e.g., XOR with keys like 0x27 or AES-256), making it harder for signature-based tools to identify.
  • Anti-VM and Sandbox Checks: It terminates if it detects virtualized environments or common analysis tools (e.g., VMware, WeChat/DingTalk registry checks as a kill switch).
  • Security Tool Disruption: ValleyRAT targets antivirus processes (e.g., Qihoo’s ZhuDongFangYu) for termination and modifies registry settings or Windows Defender exclusions to disable defenses.
  • Legitimate Tool Abuse: It leverages trusted Windows utilities (e.g., MSBuild.exe) and signed executables to blend in with normal activity.

What are the examples of the best-known ValleyRAT attacks?

While specific attacks are not always publicly detailed with victim identities due to the sensitive nature of espionage-driven attacks, cybersecurity researchers have documented key campaigns that highlight ValleyRAT’s success in infiltrating systems, evading detection, and achieving its objectives.

  1. Impersonation of Chinese Telecom Companies (2024): Attackers created fraudulent websites mimicking legitimate Chinese telecom firms to distribute ValleyRAT. It employed DLL hijacking, utilizing legitimate game-related binaries to execute its payload stealthily. Users downloaded malicious software, leading to system compromises.
  2. Targeted Attacks on Chinese-Speaking Enterprises (August 2024): A campaign aimed at Chinese-speaking users of companies in e-commerce, finance, sales, and management sectors.
  3. Resume-Themed PDF Campaign (May 2023): Victims received PDFs mimicking job resumes, which, when opened, directed users to download ValleyRAT via malicious URLs. The RAT was deployed alongside a Rust-based loader, enhancing its stealth and delivery efficiency. This campaign successfully targeted high-value individuals, likely in corporate environments. The use of PDFs broadened its attack surface beyond traditional executable files, catching security systems off-guard.
  4. Trojanized Medical Imaging Software in Healthcare Sector (February 2025): The Silver Fox APT group embedded ValleyRAT within counterfeit versions of Philips DICOM viewer software.
  5. Fake Chrome Download Campaign (February 2025): Victims downloaded a ZIP archive containing “Setup.exe,” which sideloaded malicious DLLs (e.g., “tier0.dll” from Valve games, “sscronet.dll”) via legitimate executables like Douyin.exe. ValleyRAT then logged keystrokes, monitored screens, and established C2 communication, using Donut shellcode for in-memory execution.

The latter campaign’s reuse of URLs, gaming software exploitation, and focus on key organizational roles demonstrated Silver Fox’s strategic shift toward both wider and more precise targeting, cementing ValleyRAT’s reputation as a versatile RAT.

Gathering threat intelligence on ValleyRAT malware

It would be a painful challenge to scrape ValleyRAT out of your system considering its persistence and evasion “talents”. And, of course, losses calculation and mitigation would be even more painful. So, it’s much better not to invite the digital culprit in.

Use threat intelligence to study and recognize ValleyRAT TTPs, and to gather IOCs, IOAs, and IOBs for tuning your monitoring and detection systems. You can also leverage ANY.RUN’s TI Feeds to be updated with the new ValleyRAT’s identificators automatically.

ValleyRAT has a habit of reusing the same URLs or IP addresses across campaigns, and besides, it often employs unique mutexes. Address ANY.RUN’s Threat Intelligence Lookup and start your research with malware’s name:

threatName:"valleyrat"

ValleyRAT search results in TI Lookup _ ValleyRAT samples in ANY.RUN’s Sandbox_

ValleyRAT often leaves byte patterns that can be matched by custom or shared YARA rules. Suricata rules are also of much help in detecting the trojan’s malicious processes. This is what the detalization of such process looks like in TI Lookup:

ValleyRAT process detailed Details on ValleyRAT actions in the system

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

ValleyRAT is an example of modern malware evolution, blending traditional RAT functionality with advanced evasion and persistence tactics. Its danger lies in its ability to quietly infiltrate networks, target valuable data, and maintain long-term access. Countering it demands a blend of cutting-edge detection tools, robust threat intelligence, and proactive security measures to stay ahead of its cunning Silver Fox operators.

Though it did start as a threat for Chinese enterprise and users, now, if you are on the opposite side of the world from China, you are not safe. APTs’ appetites always grow, so be ready and proactive against ValleyRAT.

Gather IOCs on ValleyRAT with 50 trial requests in TI Lookup

HAVE A LOOK AT

EvilTokens screenshot
EvilTokens
eviltokens
EvilTokens is a phishing-as-a-service (PhaaS) toolkit that emerged in mid-February 2026. It automates device code phishing attacks against Microsoft 365 and Entra ID environments. Unlike traditional credential-harvesting phishing, EvilTokens tricks users into completing legitimate authentication on Microsoft's own login pages, resulting in the issuance of valid OAuth access and refresh tokens directly to the attacker, effectively bypassing MFA without stealing passwords.
Read More
Kali365 screenshot
Kali365 is an emerging Phishing-as-a-Service (PhaaS) platform that targets Microsoft 365 environments by stealing OAuth authentication tokens instead of passwords. First observed in April 2026, the service enables even low-skilled threat actors to bypass multi-factor authentication (MFA), gain persistent access to corporate cloud accounts, and compromise business communications, files, and collaboration platforms. Kali365 represents a shift from traditional credential theft toward session hijacking and token abuse, making it a significant threat to organizations that rely on Microsoft 365.
Read More
UpCrypter screenshot
UpCrypter
upcrypter
UpCrypter is a sophisticated malware loader that functions as a delivery mechanism for remote access tools. Distributed through global phishing campaigns targeting Windows systems, this actively maintained tool serves as the central framework for deploying various RATs including PureHVNC, DCRat, and Babylon RAT, enabling attackers to establish persistent remote control over compromised systems.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
FatalRAT screenshot
FatalRAT
fatalrat
FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region.
Read More