Valley RAT is a modular remote access trojan used in phishing-led intrusion campaigns attributed in the provided content to the Chinese threat actor Silver Fox, targeting Indian organizations with Income Tax-themed lures. The described infection chain begins with phishing emails impersonating the Indian Income Tax Department and PDF attachments that lead victims to a malicious site such as ggwk[.]cc, which delivers a ZIP or executable disguised as a tax-related file (including names such as "tax affairs.exe" or "tax_affairs.exe"). The attack uses DLL hijacking by dropping the legitimate Xunlei executable Thunder.exe alongside a malicious libexpat.dll. The malicious DLL performs anti-analysis checks for sandboxes and security tools, disables Windows Update services, decrypts an encrypted payload from box.ini, and ultimately leads to Valley RAT execution. One described chain uses a Donut loader to inject the final payload into a hollowed explorer.exe process.
Once active, Valley RAT initializes a two-stage configuration subsystem, extracting 22 configuration parameters from embedded data and optionally replacing key command-and-control settings with updated configuration retrieved from the Windows registry. This allows operators to rotate C2 infrastructure without redeploying the malware. The malware then launches a payload thread implementing a three-tier C2 failover loop across primary, secondary, and tertiary servers, using HTTP, HTTPS, or raw TCP with configurable beacon intervals and initial delays. Upon successful connection it sends a "ready" beacon with command ID 4, and it can enable keylogging via configuration.
The malware is described as establishing persistent command and control and supporting command execution, keystroke capture, credential harvesting, file transfer, and deployment of additional modules. Its modular plugin architecture stores downloaded plugins in the registry under HKCU\Console\0\d33f351a4aeea5e608853d1a56661059, using a value name described as a consistent Valley RAT fingerprint and following an MD5-style naming convention observed across campaigns. Plugins may be received from C2 and persisted as REG_BINARY with executable memory allocation, or reloaded from the registry after validation against a hardcoded signature; each plugin includes a 0xC9 magic-byte guard to prevent double execution. Downloaded plugins are injected into tracerpt.exe via process hollowing after being patched with a 4768-byte configuration blob containing C2 addresses and feature flags.
High-confidence infrastructure and indicators mentioned in the content include primary shellcode C2 b[.]yuxuanow[.]top resolving to 103.20.195[.]147, additional rotating domains including itdd[.]club, gov-a[.]work, and xzghjec[.]com, the malicious DLL name libexpat.dll, encrypted payload box.ini, and registry persistence/storage at HKCU\Console\0\d33f351a4aeea5e608853d1a56661059. The content characterizes Valley RAT as a sophisticated, persistent, and customizable RAT used to maintain long-term access in targeted campaigns against Indian entities.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"...this sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence."
2 distinct techniques documented for this family, organized by ATT&CK tactic.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Modular remote access trojan used for persistence and remote control in an intrusion chain that includes DLL hijacking.
Valley RAT is a remote access trojan that provides persistent access to compromised systems, supports multiple communication protocols, and allows attackers to execute commands, capture keystrokes, harvest credentials, transfer files, and deploy additional modules. It uses anti-analysis techniques, process injection, and stores configuration in the Windows registry.
Remote access trojan with staged configuration loading and registry-based configuration override for C2 updates. Uses multi-tier C2 failover (primary/secondary/tertiary), supports HTTP/HTTPS and raw TCP, configurable beaconing/delays for evasion, and a modular plugin system persisted in the Windows registry. Plugins can be injected via process hollowing into legitimate processes (e.g., tracerpt.exe) and can enable capabilities like keylogging, credential harvesting, and lateral movement.
Modular RAT delivered via targeted phishing lures (Income Tax-themed) in the referenced campaign.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.