ValleyRAT Malware Employs Novel Delivery Methods to Target Organizations

Summary

Morphisec Threat Labs analyzed ValleyRAT, a multi-stage malware linked to the Silver Fox APT. The group has updated its tactics in 2025, reusing URLs from previous attacks while employing new delivery techniques. They distribute Remote Access Trojans (RATs) via phishing, malicious sites, and instant messaging, targeting finance, accounting, and sales roles.

In past attacks, they used .bat and .ps1 scripts with disguised installer files and abused DLL hijacking in signed executables such as WPS Office and Tencent's Update.exe. More recently, they impersonated a Chinese telecom firm with a payload named "SMS International Channel." Their latest campaign applies the same DLL hijacking trick to signed game binaries shipped with Steam titles, including Left 4 Dead 2 and Killing Floor 2.

The figure below shows the overall infection chain.

The ValleyRAT malware campaign begins when a user unknowingly downloads a fake Chrome browser from anizom[.]com or falls for a phishing website designed to impersonate a legitimate Chinese SMS provider (karlost[.]club). This fraudulent site mimics www.karlos[.]com.cn, tricking users into downloading a malicious archive file named Setup.zip.

Upon extracting and executing Setup.exe (originally fotuy.exe), the malware initiates a sequence of actions aimed at establishing persistence, injecting itself into legitimate processes, and evading detection.

Execution & File Deployment

When launched, Setup.exe, a .NET-based binary, first checks whether it is running as administrator. If not, it re-launches itself with the runas verb to request elevation (which surfaces a UAC prompt). Once elevated, it determines the operating system type and downloads four additional components into the following directory:

C:\Program Files (x86)\Common Files\System

  • sscronet.dll

  • douyin.exe

  • mpclient.dat

  • Tier0.dll

DLL Injection & Persistence Mechanism

To execute the next stage, the malware loads sscronet.dll via LoadLibrary and calls two exports whose names are borrowed from the legitimate Chromium Cronet API:

  • Cronet_UrlRequest_Start – locates a running svchost.exe process, allocates memory in it, and writes and executes the injected code there.

  • Cronet_UrlRequest_Read – establishes persistence by creating a value named MyPythonApp under Software\Microsoft\Windows\CurrentVersion\Run, so the implant blends in with ordinary autostart entries.
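A quick host-side triage for the persistence described above, written for this page rather than taken from Morphisec's analysis: it parses a `reg export` dump of the Run key and flags entries by the indicators the write-up gives (the MyPythonApp value name, the Common Files\System drop directory, and the abused douyin.exe image). The sample dump is constructed; the write-up does not say what the MyPythonApp value points to, so the douyin.exe path in it is an assumption.

```python
import re

# Constructed sample of a `reg export HKCU\...\Run` dump. Not a real capture:
# the MyPythonApp value name and the drop directory come from the write-up, but
# what the value actually points to is an assumption made for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MyPythonApp"="\"C:\\Program Files (x86)\\Common Files\\System\\douyin.exe\""
"Douyin"="C:\\Users\\alice\\AppData\\Roaming\\Douyin\\douyin.exe --minimized"
'''

DROP_DIR = r"C:\Program Files (x86)\Common Files\System"   # from the write-up
KNOWN_RUN_NAMES = {"mypythonapp"}                           # from the write-up
DROPPED_EXES = {"douyin.exe"}                               # from the write-up

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, value_data) for the string values in a .reg dump."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(command):
    """Extract the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces: take everything up to the first .exe token.
    m = re.match(r'(.*?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage_run_entries(entries):
    """Flag Run-key values matching the ValleyRAT persistence indicators."""
    findings = []
    for key, name, data in entries:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        path = image_path(data)
        folder, _, exe = path.rpartition("\\")
        reasons = []
        if name.lower() in KNOWN_RUN_NAMES:
            reasons.append(f"value name {name!r} matches ValleyRAT persistence name")
        if folder.lower() == DROP_DIR.lower():
            reasons.append(f"image lives in ValleyRAT drop directory {DROP_DIR}")
        elif exe.lower() in DROPPED_EXES:
            # douyin.exe also has legitimate installs, so this is only a lead.
            reasons.append(f"{exe} is abused for side-loading; verify this install is legitimate")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f["name"], "->", f["path"])
        for r in f["reasons"]:
            print("   ", r)
```

Run it against `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` output (and the HKLM equivalent, since the write-up does not name the hive); an entry matching the value name or the drop directory is a strong indicator, while a lone douyin.exe hit needs a look at the install location before acting on it.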

Defense Evasion via svchost.exe

The code injected into svchost.exe acts as a watchdog: it polls the running processes against a hard-coded list of security tools and immediately terminates any match, so that the rest of the chain runs uninterrupted.

DLL Side-Loading via Douyin.exe

The malware abuses DLL side-loading to run its payload under cover of a legitimate application. It drops a malicious DLL into the same directory as Douyin.exe, the official Chinese version of TikTok. Because the application's own directory comes first in the DLL search order (for libraries that are not KnownDLLs), Douyin.exe loads the attacker-controlled DLL when it starts, and the malware executes inside a trusted-looking process.

Leveraging tier0.dll for Evasion

tier0.dll, a library normally shipped with Valve's Source Engine games, is repurposed here to control execution flow. It checks whether nslookup.exe, a legitimate Windows utility, is running and uses that process as a crude mutex: if an instance already exists, the malware kills it and starts a fresh one. According to the analysis, this route avoids the more commonly signatured injection primitives such as APC injection and process hollowing.

At this stage the malware reads mpclient.dat, which holds shellcode plus an encrypted PE file, and injects it into the nslookup.exe instance; nslookup.exe in turn spawns another process that runs the final payload, letting ValleyRAT operate behind a benign-looking Windows binary while its persistence remains in place.
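The process relationships in the two sections above (a binary running from the drop directory, nslookup.exe started by something other than a shell, and nslookup.exe spawning a child) are what endpoint telemetry would actually show. The following is an added example, not code from the analysis, that runs those heuristics over constructed process-creation events in the spirit of Sysmon Event ID 1. The PIDs, paths and the rundll32.exe child are placeholders; the write-up does not name the process nslookup.exe spawns.

```python
from collections import namedtuple

# Constructed process-creation events (not real telemetry). The chain
# Setup.exe -> douyin.exe -> nslookup.exe -> child follows the write-up;
# the child image and all PIDs are placeholders.
Proc = namedtuple("Proc", "pid ppid image parent_image")

SAMPLE_EVENTS = [
    Proc(1204, 980,  r"C:\Windows\explorer.exe",                              r"C:\Windows\System32\userinit.exe"),
    Proc(2200, 1204, r"C:\Windows\System32\cmd.exe",                           r"C:\Windows\explorer.exe"),
    Proc(2250, 2200, r"C:\Windows\System32\nslookup.exe",                      r"C:\Windows\System32\cmd.exe"),  # benign use
    Proc(3120, 1204, r"C:\Users\alice\Downloads\Setup\Setup.exe",              r"C:\Windows\explorer.exe"),
    Proc(3344, 3120, r"C:\Program Files (x86)\Common Files\System\douyin.exe", r"C:\Users\alice\Downloads\Setup\Setup.exe"),
    Proc(3500, 3344, r"C:\Windows\System32\nslookup.exe",                      r"C:\Program Files (x86)\Common Files\System\douyin.exe"),
    Proc(3612, 3500, r"C:\Windows\System32\rundll32.exe",                      r"C:\Windows\System32\nslookup.exe"),  # placeholder child
]

DROP_DIR = r"c:\program files (x86)\common files\system"  # from the write-up
# Parents from which an interactive nslookup.exe is expected (heuristic, tune per estate).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "wt.exe"}


def _basename(p):
    return p.rsplit("\\", 1)[-1].lower()


def _dirname(p):
    return p.rsplit("\\", 1)[0].lower()


def analyze(events):
    """Return {pid: [reasons]} for events matching the ValleyRAT process heuristics."""
    findings = {}

    def add(e, reason):
        findings.setdefault(e.pid, []).append(reason)

    for e in events:
        img, parent = _basename(e.image), _basename(e.parent_image)
        if _dirname(e.image) == DROP_DIR:
            add(e, "image executed from ValleyRAT drop directory")
        if _dirname(e.parent_image) == DROP_DIR:
            add(e, "parent executed from ValleyRAT drop directory")
        if img == "nslookup.exe" and parent not in INTERACTIVE_PARENTS:
            add(e, f"nslookup.exe started by {parent}, not an interactive shell")
        if parent == "nslookup.exe":
            add(e, "child of nslookup.exe, which normally spawns nothing")
    return findings


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, reasons in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, _basename(by_pid[pid].image))
        for r in reasons:
            print("   ", r)
```

The nslookup.exe-with-odd-parent rule will fire on scripted DNS checks from scheduled tasks or monitoring agents, so pair it with the parent-path and child-process rules before alerting; the combination of all three on one process tree is much harder to explain away.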

Shellcode and Payload Decryption

The mpclient.dat file contains Donut shellcode. Donut is a publicly available loader that decrypts an embedded PE file (Portable Executable) and maps it directly in memory, so the final payload never touches disk and file-based scanning does not see it. To neutralise AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), the loader hooks AmsiScanString, AmsiScanBuffer and EtwEventWrite by patching their entry points, so scans report nothing and telemetry events are discarded before any consumer sees them.
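The entry-point patching described above leaves a detectable trace: the first bytes of the hooked export in memory no longer match the mapped on-disk image. The example below, added here and not part of Morphisec's tooling, classifies such differences by the patch patterns loaders typically write (a forced E_INVALIDARG return for AmsiScanBuffer, a bare ret for EtwEventWrite, or a jmp detour) and, for a relative jmp, resolves the target to see whether it leaves the module. Module addresses and the "clean" prologue bytes are made up for the example; they are not dumped from any real amsi.dll or ntdll.dll.

```python
# Constructed inputs: hypothetical load addresses and made-up "on disk" prologue
# bytes. Nothing here is dumped from a real amsi.dll or ntdll.dll.
AMSI_BASE, AMSI_SIZE = 0x7FF81A000000, 0x20000
NTDLL_BASE, NTDLL_SIZE = 0x7FF81C000000, 0x1F0000
AMSI_SCAN_BUFFER = AMSI_BASE + 0x3520      # hypothetical export address
ETW_EVENT_WRITE = NTDLL_BASE + 0x9A1C0     # hypothetical export address

CLEAN_AMSI = bytes.fromhex("4c8bdc49895b0849896b104989731857")  # made-up prologue
CLEAN_ETW = bytes.fromhex("48895c24084889742410574883ec2048")   # made-up prologue

# In-memory variants showing the patches the loader applies.
PATCHED_AMSI = bytes.fromhex("b857000780c3") + CLEAN_AMSI[6:]   # mov eax,0x80070057; ret
PATCHED_ETW = b"\xc3" + CLEAN_ETW[1:]                            # ret
DETOURED_ETW = b"\xe9" + (0x02345678).to_bytes(4, "little", signed=True) + CLEAN_ETW[5:]

# Longer, more specific signatures first so a bare ret does not shadow them.
PATCH_SIGNATURES = [
    (b"\xb8\x57\x00\x07\x80\xc3", "mov eax, E_INVALIDARG; ret (AmsiScanBuffer bypass)"),
    (b"\x31\xc0\xc3", "xor eax, eax; ret (forced zero return)"),
    (b"\x33\xc0\xc3", "xor eax, eax; ret (forced zero return)"),
    (b"\xc3", "ret (function stubbed out)"),
    (b"\xe9", "jmp rel32 (detour to hook)"),
    (b"\xff\x25", "jmp [rip+disp32] (absolute detour to hook)"),
    (b"\x48\xb8", "mov rax, imm64 (likely followed by jmp rax / push-ret to hook)"),
]


def inspect_prologue(name, func_addr, module, on_disk, in_memory):
    """Compare an export's first bytes in memory with the mapped on-disk copy.

    `module` is (base, size) of the loaded image. Returns None when the bytes
    are unchanged, otherwise a dict describing the patch.
    """
    if in_memory == on_disk:
        return None
    finding = {"function": name, "bytes": in_memory[:8].hex()}
    for sig, desc in PATCH_SIGNATURES:
        if in_memory.startswith(sig):
            finding["patch"] = desc
            break
    else:
        finding["patch"] = "unrecognised modification"
    if in_memory[0] == 0xE9:
        # Resolve the rel32 target; a hook trampoline usually lives outside the module.
        rel = int.from_bytes(in_memory[1:5], "little", signed=True)
        target = func_addr + 5 + rel
        base, size = module
        finding["target"] = hex(target)
        finding["target_in_module"] = base <= target < base + size
    return finding


SAMPLES = [
    ("AmsiScanString", AMSI_SCAN_BUFFER - 0x200, (AMSI_BASE, AMSI_SIZE), CLEAN_AMSI, CLEAN_AMSI),  # untouched
    ("AmsiScanBuffer", AMSI_SCAN_BUFFER, (AMSI_BASE, AMSI_SIZE), CLEAN_AMSI, PATCHED_AMSI),
    ("EtwEventWrite (ret)", ETW_EVENT_WRITE, (NTDLL_BASE, NTDLL_SIZE), CLEAN_ETW, PATCHED_ETW),
    ("EtwEventWrite (jmp)", ETW_EVENT_WRITE, (NTDLL_BASE, NTDLL_SIZE), CLEAN_ETW, DETOURED_ETW),
]


def scan(samples):
    """Run inspect_prologue over (name, addr, module, on_disk, in_memory) tuples."""
    return [f for f in (inspect_prologue(*s) for s in samples) if f]


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f)
```

On a live host the on-disk bytes must come from the file mapped as an image (section-aligned), not from raw file offsets, and the comparison is a lead rather than a verdict: EDR products hook the same exports, so an unexpected patch should be correlated with the process tree and the drop-directory artifacts above.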

RAT Capabilities

ValleyRAT offers the capabilities of a basic RAT: keylogging, system monitoring and screen capture. It also interacts with the user's desktop by opening the WinSta0 window station, which owns the interactive screen, keyboard and mouse, through OpenWindowStationW and SetProcessWindowStation. It calls SetErrorMode(1u) (SEM_FAILCRITICALERRORS) so that critical-error dialog boxes are suppressed instead of being shown to the user, making the intrusion harder to notice.

Keylogger Functionality

The keylogger is enabled according to a configuration embedded in the malware, but the operator can also turn it on dynamically by setting a registry value rather than relying on the fixed configuration. Once enabled, it records keystrokes to a file named sys.key in the ProgramData directory.

Persistence Mechanism

To survive reboots, ValleyRAT also writes a file named GFIRestart64.exe that can relaunch the implant and re-infect the host. The file is placed so as not to stand out, giving the malware a second foothold alongside the Run key entry.

VMware Detection and Environment Check

To avoid sandbox analysis, the malware checks whether it is running inside a VMware virtual machine: it looks for the VMware Tools directory and for VMware processes such as VMwareService.exe and VMwareTray.exe, and inspects system characteristics such as total physical memory and disk size. If the host looks virtualised, it may alter or halt its execution.

C2 Communication and Commands

ValleyRAT communicates with its Command and Control (C2) server to receive instructions. The C2 client is initialised with hard-coded IP addresses and ports. The command codes observed include:

• 0x00: Cleans up plugins and retrieves the system's process list.

• 0x01: Echoes the received data back to the server, likely used for anti-bot verification or as a PING→PONG keep-alive.

• 0x02 & 0x04: Drops and executes a DLL file.

• 0x06: Retrieves the system's process list.

• 0x07: Drops and executes any type of file (e.g., document, image).

• 0x08: Downloads and executes an executable file.

• 0x09: Configures the client to start at system startup.

• 0x0A: Sets registry keys like BEIZHU (remark) and FENZU (subgroup).

• 0x64: Stops the client without terminating the process.

• 0x65: Starts the client.

Network Communication

Before contacting its C2, ValleyRAT tests connectivity to www[.]baidu[.]com. This check confirms that the host can reach the Internet before the client attempts to retrieve instructions from the C2 server.

Conclusion

ValleyRAT is a sophisticated Remote Access Trojan (RAT) that employs various advanced techniques to evade detection and maintain long-term control over infected systems. Its ability to execute payloads directly in memory, bypass security mechanisms such as AMSI and ETW, and establish persistence through carefully crafted files ensures that it remains a potent threat to targeted organizations. Additionally, its dynamic keylogging capabilities and manipulation of system processes provide attackers with extensive control over compromised systems.

Its C2 protocol, layered persistence and anti-VM checks show how much effort goes into keeping such implants alive. Defenders should watch for the concrete artifacts described here: the drop directory under Common Files\System, the MyPythonApp Run value, nslookup.exe launched by something other than a shell, and in-memory patches to AMSI and ETW. Regular updates, employee training and system hardening remain the baseline for keeping organisational networks and sensitive data safe from campaigns of this kind.

Written by

FPT Metrodata Indonesia