APOPHiS
APOPHiS is the name given in the provided content to the entity that identified ValleyRAT_S2 as the core second-stage backdoor behind a campaign of intrusions. The content does not provide high-confidence attribution establishing APOPHiS as a threat actor, nation-state, intrusion set, or malware operator, and no additional aliases, sub-groups, or verified attribution details for APOPHiS are given.

The associated activity involves attacks using ValleyRAT_S2, a C++ second-stage payload in the ValleyRAT family. It is distributed via fake Chinese-language productivity tools, cracked software, trojanized installers posing as AI-based spreadsheet generators, spearphishing attachments, and abused software update channels. The intrusions commonly rely on DLL side-loading: a legitimate signed application loads a malicious DLL, such as steam_api64.dll, from a Temp path.

ValleyRAT_S2 is described as a full-featured RAT used for long-term covert access, system discovery, credential theft, financial data collection, file upload and download, shell command execution, payload injection, and keystroke capture. Command and control runs over a custom TCP protocol to hardcoded infrastructure. Persistence mechanisms mentioned include staged files in Temp and AppData, Task Scheduler abuse via COM APIs, registry run keys, and a watchdog script (monitor.bat) that restarts the malware if it is terminated.
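The behaviours above (a signed binary side-loading a DLL from Temp, Run-key and scheduled-task persistence pointing into Temp or AppData, and a batch watchdog relaunched through cmd.exe) map directly onto host telemetry. The following detection logic is an added example written for this profile; it is not code from the page, from Mallory, or from any vendor's rule set. The event schema (`image_load`, `registry_set`, `task_create`, `process_create` with the fields shown) and the sample events are constructed for the example, and the Finding labels are my own naming.

```python
"""Added defender-side example: classify constructed endpoint events against
the ValleyRAT_S2 tradecraft summarised above.  Event schema and samples are
assumptions made for this example, not a real product's telemetry format."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Staging roots the page names (Temp and AppData); matched case-insensitively.
STAGING_DIR_RE = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)
# DLL name the page reports being side-loaded by a signed host application.
SIDELOAD_DLL_NAMES = {"steam_api64.dll"}
# Registry run keys used for persistence (HKCU or HKLM, Run or RunOnce).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# cmd.exe is the usual host for a .bat watchdog such as monitor.bat.
CMD_IMAGE_RE = re.compile(r"(^|\\)cmd\.exe$", re.IGNORECASE)
BATCH_ARG_RE = re.compile(r"\.bat\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str  # short label for the behaviour matched (my naming)
    evidence: str   # the field value that tripped the rule


def _staged(path: str) -> bool:
    """True when a path sits under a Temp or AppData directory."""
    return bool(STAGING_DIR_RE.search(path or ""))


def classify_event(ev: dict) -> list[Finding]:
    """Return zero or more findings for one event (schema assumed, see above)."""
    kind = ev.get("kind")
    findings: list[Finding] = []
    if kind == "image_load":
        image = ev.get("image", "")
        dll_name = image.rsplit("\\", 1)[-1].lower()
        # A signed host process loading a DLL from a user-writable staging dir
        # is the side-loading pattern; the known filename sharpens the label.
        if ev.get("signed") and _staged(image):
            label = "dll_sideload_known_name" if dll_name in SIDELOAD_DLL_NAMES \
                else "dll_sideload_from_staging"
            findings.append(Finding(label, image))
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev.get("key", "")) and _staged(ev.get("value_data", "")):
            findings.append(Finding("run_key_persistence", ev["value_data"]))
    elif kind == "task_create":
        # Task Scheduler persistence whose action lives in Temp/AppData.
        if _staged(ev.get("action", "")):
            findings.append(Finding("scheduled_task_persistence", ev["action"]))
    elif kind == "process_create":
        cmd = ev.get("command_line", "")
        # cmd.exe running a .bat out of a staging dir: the watchdog pattern.
        if CMD_IMAGE_RE.search(ev.get("image", "")) and BATCH_ARG_RE.search(cmd) \
                and _staged(cmd):
            findings.append(Finding("batch_watchdog", cmd))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run classify_event over a batch of events and flatten the findings."""
    out: list[Finding] = []
    for ev in events:
        out.extend(classify_event(ev))
    return out


# Constructed sample events: four that match the described tradecraft and
# two benign ones that must not fire.
SAMPLE_EVENTS = [
    {"kind": "image_load", "process": "host.exe", "signed": True,
     "image": r"C:\Users\u\AppData\Local\Temp\steam_api64.dll"},
    {"kind": "image_load", "process": "host.exe", "signed": True,
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"kind": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "svc", "value_data": r"C:\Users\u\AppData\Roaming\svc\host.exe"},
    {"kind": "task_create", "task_name": "Updater",
     "action": r"C:\Users\u\AppData\Local\Temp\host.exe"},
    {"kind": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\host.exe",
     "command_line": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\monitor.bat"'},
    {"kind": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c dir"},
]


def run_demo() -> list[Finding]:
    """Scan the constructed sample batch; four findings are expected."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.technique:30} {f.evidence}")
```

The rules deliberately key on the staging directories and the signed-host/unsigned-DLL relationship rather than on the one filename the page reports, so a renamed DLL still surfaces under the broader label; the known name only upgrades the label. Tune `STAGING_DIR_RE` to the installer behaviour in your estate before deploying, since legitimate per-user installers also launch from AppData.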