ValleyRAT_S2
ValleyRAT_S2 is a second-stage malware payload in the ValleyRAT family and is described as a modular, highly evasive C++ remote access trojan used for cyber-espionage and long-term covert access. It functions as the core backdoor component after an initial Stage 1 infection. Reported targeting includes organizations in mainland China, Hong Kong, Taiwan, and Southeast Asia, with reporting also describing theft of sensitive financial information.
Observed delivery vectors include fake Chinese-language productivity tools marketed as "AI表格生成工具," cracked software, trojanized installers and utilities, targeted phishing emails with malicious .doc, .xls, and .pdf attachments, compressed archives with disguised executables, and abuse of legitimate software update mechanisms. A prominent execution technique is DLL side-loading, in which legitimate signed applications load malicious DLLs from the same directory. Reported masqueraded DLL names include steam_api64.dll and apphelp.dll, and an example drop path is C:\Users\Admin\AppData\Local\Temp\AI自动化办公表格制作生成工具安装包\steam_api64.dll.
Reported capabilities include system reconnaissance and host profiling, such as collecting operating system information, locale settings, registry data, installed software details, and process listings, and scanning file systems for hidden drives, removable media, and network shares. ValleyRAT_S2 is also reported to support file upload and download, shell command execution, local data exfiltration, credential theft, financial data collection, and keystroke monitoring via Windows hooks. Evasion and post-exploitation behaviors include sandbox detection, process injection using WriteProcessMemory and CreateRemoteThread, thread context manipulation, and use of trusted-looking process names such as Telegra.exe and WhatsApp.exe.
Persistence mechanisms described include Windows Task Scheduler abuse via COM APIs, possible registry run keys, staged files in %TEMP% and AppData paths, and a watchdog mechanism implemented with batch scripts. Reported artifacts include %TEMP%\target.pid, monitor.bat, and a configuration path under %APPDATA%\Promotions\Temp.aps. The malware is said to create temporary staging artifacts in %TEMP% and restart itself if terminated. Command-and-control uses hardcoded infrastructure over a custom TCP-based protocol; a reported C2 endpoint is 27.124.3.175:14852. Additional reported behaviors include initialization that masquerades as Steam-related activity and use of callbacks disguised as legitimate Steam events.
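A hunt over endpoint telemetry for the artifacts the profile above lists: the masqueraded DLL names loaded from user-writable paths, the decoy process names, the %TEMP%/AppData staging files, and the reported C2 endpoint. This is an added example, not code from the page or from any vendor; the event records are constructed, Sysmon-like dicts, and the field names (type, pid, image, path, dst_ip, dst_port) are assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the profile above; the sample telemetry below is constructed.
C2_ENDPOINTS = {("27.124.3.175", 14852)}
SIDELOAD_DLLS = {"steam_api64.dll", "apphelp.dll"}   # legitimate names, wrong location
DECOY_PROCS = {"telegra.exe", "whatsapp.exe"}
STAGING_FILES = {"target.pid", "monitor.bat", "watch.vbs", "temp.aps"}
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.I)   # %TEMP% / AppData trees

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the reasons one telemetry event matches this family's artifacts."""
    kind, reasons = ev["type"], []
    if kind == "image_load" and basename(ev["image"]) in SIDELOAD_DLLS \
            and USER_WRITABLE.search(ev["image"]):
        reasons.append("side-load candidate: " + basename(ev["image"]) + " from user-writable path")
    elif kind == "process_create" and basename(ev["image"]) in DECOY_PROCS \
            and USER_WRITABLE.search(ev["image"]):
        reasons.append("decoy process name " + basename(ev["image"]) + " from user-writable path")
    elif kind == "file_create" and basename(ev["path"]) in STAGING_FILES \
            and USER_WRITABLE.search(ev["path"]):
        reasons.append("staging artifact " + basename(ev["path"]))
    elif kind == "network_connect" and (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
        reasons.append(f"known C2 {ev['dst_ip']}:{ev['dst_port']}")
    return reasons

def hunt(events):
    """Group matches by PID so one process with several artifacts stands out."""
    hits = defaultdict(list)
    for ev in events:
        for reason in classify(ev):
            hits[ev["pid"]].append(reason)
    return dict(hits)

SAMPLE_EVENTS = [  # constructed, Sysmon-like records
    {"type": "image_load", "pid": 4120,
     "image": r"C:\Users\Admin\AppData\Local\Temp\AI自动化办公表格制作生成工具安装包\steam_api64.dll"},
    {"type": "image_load", "pid": 880, "image": r"C:\Windows\System32\apphelp.dll"},  # benign
    {"type": "process_create", "pid": 4488, "image": r"C:\Users\Admin\AppData\Roaming\WhatsApp.exe"},
    {"type": "file_create", "pid": 4120, "path": r"C:\Users\Admin\AppData\Local\Temp\target.pid"},
    {"type": "file_create", "pid": 4120, "path": r"C:\Users\Admin\AppData\Roaming\Promotions\Temp.aps"},
    {"type": "network_connect", "pid": 4120, "dst_ip": "27.124.3.175", "dst_port": 14852},
    {"type": "network_connect", "pid": 2200, "dst_ip": "203.0.113.9", "dst_port": 443},  # benign
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The path check is what keeps apphelp.dll in System32 and steam_api64.dll under a Steam install directory from firing; only the names in user-writable trees count.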
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 3 techniques
“Attackers disguise ValleyRAT_S2 within fake productivity tools… alongside cracked software downloads and legitimate-looking Chinese-language utilities.”
Credential Access: 2 techniques
Discovery: 7 techniques
Behavioral analysis, MITRE ATT&CK mapping: Query Registry (T1012), observed behavior: processor info, BIOS info (3 queries)
Behavioral analysis, MITRE ATT&CK mapping: System Information Discovery (T1082), observed behavior: system fingerprinting (3 queries)
“The malware scans file systems for hidden drives, removable media, and network shares…”
Collection: 4 techniques
Behavioral analysis, MITRE ATT&CK mapping: Input Capture: Keylogging (T1056.001), observed behavior: SetWindowsHookEx (keyboard/message hooks)
Command and Control: 1 technique
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Second-stage ValleyRAT payload used for post-compromise activity including extensive system reconnaissance, persistence via Steam event-masquerading callbacks, process injection/DLL sideloading evasion, keystroke logging, and local data exfiltration with staging in %TEMP% directories.
Second-stage modular C++ remote access trojan used for cyber-espionage. Provides backdoor access, persistence (Task Scheduler/COM APIs, watchdog scripts), system reconnaissance (OS/locale/registry/software, drives/shares, processes), code injection (WriteProcessMemory/CreateRemoteThread, thread context manipulation), possible keystroke monitoring (Windows hooks), and data exfiltration over custom TCP C2 (e.g., 27.124.3.175:14852). Commonly delivered via fake Chinese-language utilities/cracked software and DLL side-loading using masqueraded DLL names (e.g., steam_api64.dll, apphelp.dll).
Second-stage ValleyRAT payload (C++), functioning as a full remote access trojan/backdoor. Provides long-term remote control, system discovery, credential theft, keylogging, file upload/download, command execution, payload injection, and exfiltration of financial data. Uses DLL side-loading, spearphishing attachments, and abused update channels for delivery; maintains persistence via Task Scheduler (COM APIs), possible Run keys, and a watchdog loop (monitor.bat + watch.vbs) that restarts the malware if terminated.