ValleyRAT
ValleyRAT is a modular, full-featured remote access trojan (RAT) written in C++ and built on the Winos4.0 framework, which multiple sources describe as rebuilt from or derived from Gh0stRAT. The payloads generated by Winos4.0 are referred to by Proofpoint as ValleyRAT, and the malware is also referenced as Winos4.0 or Winos 4.0 in reporting. It provides operators with broad remote access functionality and has been observed in cyber-espionage and financially motivated campaigns.
Reported capabilities include command-and-control communications, system reconnaissance, persistence, command execution, file upload and download, payload injection, credential harvesting, keylogging, and on-demand module delivery. Specific behaviors documented for ValleyRAT_S2, described as a second-stage ValleyRAT payload, include reconnaissance of OS, locale, architecture, environment variables, registry settings, installed software, drives, file systems, and running processes; persistence via Task Scheduler COM APIs; process injection using SetThreadContext, WriteProcessMemory, and CreateRemoteThread; keystroke monitoring via SetWindowsHookEx; dynamic API resolution via LoadLibrary and GetProcAddress; watchdog recovery using %TEMP%\target.pid and %TEMP%\monitor.bat; staging under %APPDATA%\Promotions\Temp.aps; execution through cmd.exe; and retry/delay logic to reduce detection. Proofpoint additionally states ValleyRAT supports DDoS functionality and can download additional modules on demand.
Observed delivery and execution methods include fake Chinese-language software installers, DLL side-loading with malicious DLLs such as steam_api64.dll and apphelp.dll placed beside legitimate signed applications, phishing attachments, compressed archives with disguised executables, abuse of software update channels, and downloader activity using Winos4.0. One analyzed sample masqueraded as an AI spreadsheet tool and used a malicious steam_api64.dll. Reporting also describes broader campaigns using DLL sideloading through files such as QQMusicCommon.dll, tedutil.dll, msys-2.0.dll, gxc_x64.dll, and VsGraphicsCore.dll, as well as WhatsApp- and phishing-driven delivery in some ecosystems associated with ValleyRAT or Winos4.0 activity.
ValleyRAT has been linked in reporting to Chinese-speaking threat activity and is commonly associated with the Silver Fox cluster, although some specific campaigns with infrastructure overlap were not confidently attributed. Proofpoint reports TA4922 using ValleyRAT/Winos4.0 in financially motivated campaigns targeting organizations across East Asia, Europe, and South Africa, while other reporting notes targeting of Chinese-speaking regions including mainland China, Hong Kong, Taiwan, and Southeast Asia. Additional reporting describes Indonesia-focused tax-themed phishing delivering malware identified as ValleyRAT/Winos4.0/Backdoor SilverFox.
High-confidence infrastructure and indicators mentioned in the collected reporting include command-and-control endpoints 27.124.3.175:14852 for ValleyRAT_S2 and 143.92.37.168:10086 using the Gh0stKCP protocol; IP 202.61.160.201 previously observed as infrastructure associated with ValleyRAT and Gh0st RAT activity; downloader activity to 154.201.68.57; and a sample hash d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1 for ValleyRAT_S2. Additional artifacts include %TEMP%\target.pid, %TEMP%\monitor.bat, %APPDATA%\Promotions\Temp.aps, and benign-looking names such as Telegra.exe and WhatsApp.exe used in memory or staging.
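The host artifacts named above (the %TEMP%\monitor.bat and %TEMP%\target.pid watchdog pair, staging under %APPDATA%\Promotions\Temp.aps, execution through cmd.exe) and two behaviours listed in the techniques section further down (a rogue svchost.exe outside System32, and vssadmin shadow-copy deletion) can be turned into simple process-creation checks. The following is an added example written for this page, not detection content from any vendor cited here; the event layout is a constructed, simplified Sysmon-style record (image, command line, parent image), and the rule names are this example's own.

```python
"""Triage helper: flag process-creation events that match host artifacts
reported for ValleyRAT / Winos4.0. Added example; field names follow a
simplified Sysmon-style record and should be mapped to your own telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the started process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Patterns derived from the artifacts named in the reporting. Environment
# roots (%TEMP%, %APPDATA%) are matched by their trailing path components
# because the expanded prefix differs per user and host.
WATCHDOG_BAT = re.compile(r"\\temp\\monitor\.bat\b", re.I)
WATCHDOG_PID = re.compile(r"\\temp\\target\.pid\b", re.I)
STAGING_APS = re.compile(r"\\promotions\\temp\.aps\b", re.I)
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$", re.I)


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list = clean)."""
    hits = []
    img = ev.image.lower()
    cl = ev.command_line
    # watchdog recovery: cmd.exe launching the monitor batch file from %TEMP%
    if img.endswith("\\cmd.exe") and WATCHDOG_BAT.search(cl):
        hits.append("valleyrat_watchdog_bat")
    # any reference to the pid file or the Promotions staging path
    if WATCHDOG_PID.search(cl) or STAGING_APS.search(cl) or STAGING_APS.search(ev.image):
        hits.append("valleyrat_staging_artifact")
    # svchost.exe started from anywhere other than C:\Windows\System32
    if img.endswith("\\svchost.exe") and not LEGIT_SVCHOST.match(ev.image):
        hits.append("svchost_outside_system32")
    # shadow-copy deletion seen in sandbox telemetry
    if VSS_DELETE.search(cl):
        hits.append("shadow_copy_deletion")
    return hits


def triage(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, hits) for every event that matched at least one rule."""
    return [(ev.image, hits) for ev in events if (hits := check_event(ev))]


# Constructed sample events (not from a real incident); the paths mimic the
# reported artifacts so the rules above have something to fire on.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\monitor.bat" '
              r'"C:\Users\u\AppData\Local\Temp\target.pid"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\svchost.exe",
              "svchost.exe -k netsvcs",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c vssadmin delete shadows /all /quiet",
              r"C:\Users\u\AppData\Local\Temp\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",   # legitimate, should not fire
              "svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",       # benign, should not fire
              "cmd.exe /c dir",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

The svchost rule deliberately keys on the image path rather than the process name alone, since the reporting describes the rogue copy running outside C:\Windows\System32; the watchdog rule requires cmd.exe as the image because the reporting ties the batch file to cmd.exe execution.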
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"It's worth noting that the NSecKrnl driver is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7) that could be exploited to terminate arbitrary processes."
Groups observed using it
13 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
202.61.160[.]201 had previously been observed as command-and-control infrastructure associated with ValleyRAT and Gh0st RAT activity.
The results of the IDS-rules detection are compatible with Win32/ProcessKiller, Winos4.0 and Backdoor SilverFox which both have the alias ValleyRAT.
The threat actor also attempted to use a downloader built using the advanced malicious framework Winos4.0. The downloader, placed under drivers\etc masquerading as hosts.exe, attempted to connect to the IP address 154.201.68[.]57. After a successful connection, it downloads the payload and saves it into the registry key d33f351a4aeea5e608853d1a56661059. It then executes the payload.
Finally, this Proofpoint cybercrime analysis notes that the threat group continues to abuse the open-source Winos4.0 framework. In early 2026, researchers spotted a heavily modified variant featuring a massive codebase expansion.
Our investigation revealed that the delivered payload leverages a DLL sideloading chain via a legitimate executable (GameBox.exe) developed by Tencent, ultimately deploying a ValleyRAT variant.
Techniques & procedures
41 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (4 techniques)
Software Update Abuse. Exploitation of legitimate update mechanisms:
- Compromise of update channels in popular local Chinese software
- Injection into software distribution networks
- Abuse of trusted software vendors' infrastructure
Deployed through targeted phishing operations:
- Malicious document attachments (.doc, .xls, .pdf)
- Compressed archives (.zip, .rar) containing disguised executables
Execution (6 techniques)
Defender exclusion commands launched through ShellExecuteA and powershell.exe
T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell | 1 | Usage of LOLBins (cmd.exe, conhost.exe) during the dropping/installation process.
The malware campaign embedded malicious code in VBScripts, which were distributed through WhatsApp DMs. The VBScript then dropped the legitimate Remote Monitoring and Management (RMM) tool ManageEngine Endpoint Central.
Persistence (3 techniques)
Privilege Escalation (4 techniques)
Stealth (12 techniques)
The heap payload brings the real loader behavior: PEB/export walking for dynamic API resolution
ainstaller-86533005.exe is wearing a Panasonic jacket, and the fit is almost too good. Inspect the file metadata and everything points at PPcNotif.Provider.RequiredApp.exe, Panasonic PC Notification, version 1.10510.0.0.
T1036.004 | Defense Evasion | Masquerading: Masquerade Task or Service | 2 | Renaming executable files (.EXE) using the Indonesian language with taxation contexts.
T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name or Location | 1 | Executing a rogue svchost.exe process outside of its legitimate C:\Windows\System32 directory.
Memory Injection : WriteProcessMemory and CreateRemoteThread for payload delivery
Thread Context Manipulation : Uses SetThreadContext for process hijacking
Triage process telemetry during this phase recorded: cmd.exe /c vssadmin delete shadows /all /quiet
The staged buffer goes through two decoder layers. The second decoder starts with key 0x38, walks 0xce0d bytes, XORs each byte, and feeds the decoded byte back into the key. The fully decoded stage then copies 0xae05 bytes from offset 0x2d and XOR-decodes them with: 4@e!c!bSL2AeimnwyD4x.
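The two-layer decoding in the snippet above (a rolling single-byte XOR with feedback, then a repeating-key XOR of the inner stage) is straightforward to reproduce for analysis. The following is an added example for this page, not code from the cited report. It assumes, as labelled in the code, that "feeds the decoded byte back into the key" means the decoded byte becomes the next key; the report does not spell out the update rule, so that one line should be adjusted if a sample decodes to garbage. The sample buffer is constructed in the same layout so the round trip can be checked offline.

```python
"""Decoder for the two XOR layers described in the snippet. Added example;
the constants come from the report, the feedback rule is an assumption."""
import sys

ROLLING_KEY = 0x38                  # initial key of the rolling layer (from report)
ROLLING_LEN = 0xCE0D                # bytes covered by the rolling layer (from report)
STAGE_OFFSET = 0x2D                 # start of the inner stage in the decoded buffer
STAGE_LEN = 0xAE05                  # length of the inner stage (from report)
STAGE_KEY = b"4@e!c!bSL2AeimnwyD4x" # repeating XOR key (from report)


def rolling_xor_decode(buf: bytes, key: int = ROLLING_KEY, length: int = ROLLING_LEN) -> bytes:
    """Layer 1: XOR each byte with the running key, then feed the decoded
    byte back as the next key (assumption: key = decoded byte)."""
    out = bytearray()
    for b in buf[:length]:
        p = b ^ key
        out.append(p)
        key = p          # assumed feedback rule; change here if a sample disagrees
    return bytes(out)


def rolling_xor_encode(plain: bytes, key: int = ROLLING_KEY) -> bytes:
    """Inverse of rolling_xor_decode, used only to build the constructed test vector."""
    out = bytearray()
    for p in plain:
        out.append(p ^ key)
        key = p
    return bytes(out)


def repeating_xor(data: bytes, key: bytes = STAGE_KEY) -> bytes:
    """Layer 2: repeating-key XOR (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage(buf: bytes, offset: int = STAGE_OFFSET, length: int = STAGE_LEN) -> bytes:
    """Apply both layers and return the inner stage."""
    outer = rolling_xor_decode(buf)
    return repeating_xor(outer[offset:offset + length])


def build_sample(inner: bytes, offset: int = STAGE_OFFSET) -> bytes:
    """Constructed buffer in the same layout: `offset` header bytes followed by
    the inner stage, both wrapped in the two layers. Test data only."""
    header = bytes(range(offset))
    return rolling_xor_encode(header + repeating_xor(inner))


CONSTRUCTED_INNER = b"MZ-constructed-stage"   # stand-in for the real inner stage
SAMPLE = build_sample(CONSTRUCTED_INNER)

if __name__ == "__main__":
    # usage: python decode.py <staged_buffer.bin>  (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(decode_stage(data)[:16].hex())
```

On a real buffer the first 16 bytes printed should begin with the inner stage's own header; if they do not, the feedback assumption in rolling_xor_decode is the first thing to revisit.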
thumbs.db decodes to rundll32.dat, whose Edge export implements Sauron behavior.
Timing and environment checks through QueryPerformanceCounter, Sleep, rdtsc, VirtualAllocExNuma, mutex probes, process checks, heap pressure, and COM/object probes
Defense Impairment (2 techniques)
Credential Access (1 technique)
Discovery (7 techniques)
Operating System Information : Version, locale, architecture, environment variables
File System Scanning : Hidden drives, removable media, network shares
Timing and environment checks through QueryPerformanceCounter, Sleep, rdtsc, VirtualAllocExNuma, mutex probes, process checks, heap pressure, and COM/object probes
Lateral Movement (1 technique)
Huorong documented the same s.jpg pattern: shellcode, compressed DLL, RPC Task Scheduler logic, and NdrClientCall3... Cover Task Scheduler RPC alongside command-line schtasks.exe: 86D35949-83C9-4044-B424-DB363231FD0C ncacn_np \pipe\atsvc NdrClientCall3
Collection (1 technique)
Command and Control (6 techniques)
When I examined the ValleyRAT C2 traffic from the Triage sandbox execution I noticed that CapLoader as well as FlowCarp identified it as Gh0stKCP, which is a UDP-based protocol that ValleyRAT sometimes uses to transport its C2 traffic.
Modular Commands : File upload/download, shell execution, payload injection, credential harvesting
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems, or legitimate remote monitoring and management (RMM) software, like AnyDesk. In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system.
alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response"; ... mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel; target:src_ip;)
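The Suricata rule above covers the TCP login exchange; the UDP Gh0stKCP transport mentioned earlier in this section is a separate thing to hunt. The following is an added example written for this page, not code from Netresec, Proofpoint or any other source cited here. It assumes that Gh0stKCP keeps the stock KCP segment framing (24-byte little-endian header: conv, cmd, frg, wnd, ts, sn, una, len; cmd values 81 to 84), which is an assumption about the protocol, not something the page states. It parses UDP payloads into KCP segments and flags a flow whose datagrams all parse cleanly under a single conversation id, a quick way to confirm "KCP-shaped" UDP traffic before deeper analysis.

```python
"""KCP framing parser for triaging UDP flows suspected of carrying Gh0stKCP.
Added example; assumes stock KCP segment layout (skywind3000/kcp)."""
import struct
from typing import NamedTuple, Optional

KCP_OVERHEAD = 24                                   # fixed header size in bytes
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}
HEADER_FMT = "<IBBHIIII"                            # conv, cmd, frg, wnd, ts, sn, una, len


class KcpSegment(NamedTuple):
    conv: int
    cmd: int
    frg: int
    wnd: int
    ts: int
    sn: int
    una: int
    data: bytes


def parse_kcp_datagram(payload: bytes) -> Optional[list[KcpSegment]]:
    """Split one UDP payload into KCP segments.
    Returns None if any header is malformed or the lengths do not add up."""
    segs = []
    off = 0
    while off + KCP_OVERHEAD <= len(payload):
        conv, cmd, frg, wnd, ts, sn, una, ln = struct.unpack_from(HEADER_FMT, payload, off)
        if cmd not in KCP_CMDS or off + KCP_OVERHEAD + ln > len(payload):
            return None
        off += KCP_OVERHEAD
        segs.append(KcpSegment(conv, cmd, frg, wnd, ts, sn, una, payload[off:off + ln]))
        off += ln
    if off != len(payload) or not segs:   # trailing junk or no segment at all
        return None
    return segs


def looks_like_kcp_flow(datagrams: list[bytes]) -> bool:
    """Heuristic: every datagram parses and all segments share one conv id."""
    convs = set()
    for d in datagrams:
        segs = parse_kcp_datagram(d)
        if segs is None:
            return False
        convs.update(s.conv for s in segs)
    return len(convs) == 1


def build_segment(conv: int, cmd: int, sn: int, data: bytes = b"",
                  frg: int = 0, wnd: int = 128, ts: int = 0, una: int = 0) -> bytes:
    """Constructed test data only: encode one segment in stock KCP layout."""
    return struct.pack(HEADER_FMT, conv, cmd, frg, wnd, ts, sn, una, len(data)) + data


# Constructed flow: a PUSH, then an ACK and a second PUSH packed in one datagram.
SAMPLE_FLOW = [
    build_segment(0x1234, 81, 0, b"hello"),
    build_segment(0x1234, 82, 0) + build_segment(0x1234, 81, 1, b"world"),
]

if __name__ == "__main__":
    for d in SAMPLE_FLOW:
        for s in parse_kcp_datagram(d) or []:
            print(f"conv={s.conv:#x} cmd={KCP_CMDS[s.cmd]} sn={s.sn} len={len(s.data)}")
    print("kcp-shaped flow:", looks_like_kcp_flow(SAMPLE_FLOW))
```

The segment payloads are left opaque on purpose: the reporting describes the Gh0st traffic inside as its own encoded stream, so this parser only establishes the transport framing and the conversation id, which is what you would then use to pivot into CapLoader, FlowCarp or your own flow records.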
Impact (1 technique)
IOCs tracked for this family
534 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
141 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote access trojan linked in the article to overlapping C2 infrastructure and observed using the Gh0stKCP UDP-based protocol for command-and-control traffic.
A remote access trojan referenced due to infrastructure overlap with prior activity; the content does not state it is directly deployed in the current campaign.
Referenced as a remote access trojan whose previously linked infrastructure overlaps with this campaign; not stated as the payload used in the current operation.
A remote access trojan referenced through infrastructure overlap with the campaign; no direct use in this WhatsApp campaign was confirmed.