ValleyRAT Malware Campaigns Targeting Chinese Organizations and Job Seekers
Threat actors have launched multiple campaigns distributing the ValleyRAT remote access trojan (RAT), targeting both organizations in China and job seekers. In one campaign, the group known as Silver Fox used search engine optimization (SEO) poisoning and fake Microsoft Teams installers to lure Chinese-speaking users, including those in Western companies operating in China, into downloading a trojanized setup file. The installer, disguised with Russian linguistic elements to mislead attribution, deploys ValleyRAT, which enables remote control, data exfiltration, and persistent access to infected systems. The malware loader checks for security software like 360 Total Security and manipulates Microsoft Defender exclusions to evade detection.
A separate ValleyRAT campaign has been observed targeting job seekers via malicious emails that abuse a legitimate Foxit PDF Reader executable as the host for DLL side-loading. This campaign uses social engineering to trick users into executing the malware, which then allows attackers to monitor activity and steal sensitive data, and, because the lures are job-application themed, it can reach the HR professionals who handle them as well. Both campaigns demonstrate a high level of sophistication, utilizing layered obfuscation, dynamic execution techniques, and strategic targeting to maximize infection rates and evade security controls. Security vendors have updated detection and hunting capabilities to address these threats, emphasizing the need for vigilance among organizations and individuals alike.
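The summary above notes that the loader tampers with Microsoft Defender exclusions. Exclusion changes leave two cheap telemetry trails: the command line that adds them (the Defender PowerShell cmdlets) and the registry values Defender stores them in. The following is an added hunting example, not code from any of the reports summarised on this page; the events it runs over are constructed to look like Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), and the allowlist of processes permitted to write exclusion values is an assumption to be tuned per environment.

```python
"""Hunt for Microsoft Defender exclusion tampering in Sysmon-style events.

Added example, not code from any vendor report on this page. Event shapes
follow Sysmon Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent,
value set); SAMPLE_EVENTS is constructed, not captured telemetry.
"""
import re
from typing import List, Optional, Tuple

# Registry locations Defender reads its exclusions from.
EXCLUSION_KEY = re.compile(
    r"\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\",
    re.IGNORECASE,
)

# Command lines that add exclusions through the Defender PowerShell module.
EXCLUSION_CMDLINE = re.compile(
    r"\b(Add|Set)-MpPreference\b.{0,120}-Exclusion(Path|Process|Extension)",
    re.IGNORECASE | re.DOTALL,
)

# Processes legitimately allowed to write exclusion values. Assumption:
# tune this to your own estate (e.g. add your MDM/EDR agent binaries).
TRUSTED_WRITERS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\svchost.exe",   # Group Policy client applying GPO exclusions
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden Add-MpPreference -ExclusionPath "C:\Users\Public"'},
    {"EventID": 13,
     "Image": r"C:\Users\Public\MSTeamsSetup.exe",   # hypothetical trojanized installer name
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Corp",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpPreference"},   # read-only, must not fire
]


def classify(event: dict) -> Optional[str]:
    """Return a short reason if the event looks like exclusion tampering, else None."""
    if event.get("EventID") == 1:
        if EXCLUSION_CMDLINE.search(event.get("CommandLine", "")):
            return f"exclusion added via command line by {event.get('Image')}"
    elif event.get("EventID") == 13:
        if EXCLUSION_KEY.search(event.get("TargetObject", "")):
            writer = event.get("Image", "").lower()
            if writer not in TRUSTED_WRITERS:
                return f"exclusion value written by untrusted process {event.get('Image')}"
    return None


def hunt(events) -> List[Tuple[int, str]]:
    """Return (index, reason) for every event that trips a rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The registry rule is the more robust of the two: an attacker can add exclusions through WMI or direct registry writes without ever spawning PowerShell, but every route ends in the same `Exclusions\Paths` (or `Processes`, `Extensions`) values, so a Sysmon configuration that includes those keys in its RegistryEvent rules catches all of them. Expect the Defender service and the Group Policy client to be the only routine writers.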
Timeline
Dec 4, 2025
The Hacker News reports Silver Fox false-flag operation mimicking Russian actors
The Hacker News reported that Silver Fox was using Russian-language elements and infrastructure in a false-flag effort to resemble a Russian threat group while conducting the ValleyRAT campaign in China. The report also highlighted the campaign's targeting, malware chain, and attribution details.
Dec 3, 2025
Trend Micro publishes research on PureRAT/ValleyRAT job-seeker campaign
Trend Micro disclosed research on a related ValleyRAT/PureRAT campaign that targeted job seekers and abused Foxit PDF Reader for DLL side-loading. The report publicly documented the malware delivery technique and victim lure used in the operation.
Nov 1, 2025
Attackers use fake Microsoft Teams and Telegram installers to deploy ValleyRAT
During the November 2025 campaign, Silver Fox distributed trojanized Microsoft Teams and Telegram installers to infect victims with ValleyRAT. The infection chain included DLL side-loading, persistence mechanisms, remote access capabilities, and in some cases BYOVD to disable or evade security tools.
Nov 1, 2025
Silver Fox begins ValleyRAT campaign targeting organizations in China
In November 2025, the threat actor Silver Fox launched a campaign targeting Chinese-speaking users and Western organizations operating in China. The operation used SEO poisoning and software-themed lures to deliver ValleyRAT/Winos 4.0 for espionage and financial gain.
Related Stories

SilverFox Expands ValleyRAT and Gh0stRAT Campaigns Against Chinese-Speaking Targets
Breakglass Intelligence linked multiple March and April malware waves to the **SilverFox** threat actor, describing a broad Chinese-language campaign built around **ValleyRAT** on the `Winos4.0` framework and supported by **Gh0stRAT** and **RustyStealer**. The operation used emotionally charged lures tied to layoffs, disciplinary notices, scam-compound violence, banking fraud, censorship-bypass tools, fake utilities, and business apps, with delivery through WinRAR self-extracting archives, MSI and ZIP packages, DLL sideloading, process hollowing, and staged downloads. One ValleyRAT chain disguised itself as a WeChat-related document, extracted files into `C:\WeChat\`, launched a legitimate WeChat binary as a decoy, and then decrypted and injected the payload while applying Chinese-locale geofencing, anti-VM, and anti-debug checks. Researchers said the malware families provided complementary functions including remote access, keylogging, screenshot capture, clipboard hijacking, credential theft, and persistence, and that targeting extended from mainland Chinese users to diaspora communities, Taiwanese organizations, and some healthcare entities in North America. The infrastructure behind the campaign scaled rapidly, with reporting tying the activity to **22 to 75 command-and-control endpoints** and more than 17 domains across Alibaba Cloud, Tencent Cloud, AWS Hong Kong, Vultr, Azure, Huawei Cloud, and other providers, with Hong Kong serving as a major hub. Analysts connected the clusters through shared protocol behavior, mutexes, ValleyRAT DLL exports, recurring registrar patterns, use of the `codemark` builder variant, and repeated OPSEC failures including exposed RDP services, self-signed certificates, Python SimpleHTTP payload hosting, a Windows host identified as `TEDDY2012`, and domain registration details that appeared to expose operator identity. 
Separate reporting also described a related **Gh0stRAT/Farfli** "WisemanSupport" campaign using TCP/6658 and hardcoded infrastructure, reinforcing the continued use of Chinese-nexus RAT tooling and overlapping tradecraft in active intrusion operations.
Silver Fox Phishing Campaign Targets Indian Organizations With ValleyRAT
The Chinese threat actor known as **Silver Fox** has launched a targeted phishing campaign against Indian organizations, using income tax-themed emails to deliver the modular remote access trojan **ValleyRAT**. Attackers impersonate the Indian Income Tax Department, sending emails with decoy PDF attachments that, when opened, direct victims to a malicious website hosting a ZIP archive. This archive contains a disguised installer that leverages DLL hijacking, specifically abusing a legitimate executable (`thunder.exe`) and a malicious DLL (`libexpat.dll`), to establish persistent access and evade detection. The campaign demonstrates a sophisticated multi-stage infection chain, with the initial payload acting as a loader for subsequent malware modules designed to maintain deep access to compromised systems. Researchers from CloudSEK have attributed this campaign to Silver Fox, correcting previous misattributions to other threat groups. The group, also known as SwimSnake and Void Arachne, has expanded its targeting beyond Chinese-speaking entities to include Indian public, financial, medical, and technology sectors. The use of socially engineered tax documents and trusted file formats highlights the attackers' ability to bypass traditional security controls, while the complex kill chain and modular malware architecture underscore the evolving threat posed by Silver Fox to Indian organizations.
Email and typosquatting campaigns delivering RAT malware via trojanized installers and malicious JPEG payloads
Multiple active malware delivery campaigns are using social engineering and trusted-looking artifacts to install **remote access trojans (RATs)**. One campaign impersonates the popular Chinese antivirus *Huorong Security* via a typosquatted domain `huoronga[.]com`, routing downloads through an intermediary domain and serving a trojanized NSIS installer from Cloudflare R2; the payload is **ValleyRAT**, described as built on the **Winos4.0** framework and attributed to the Chinese-speaking **Silver Fox** threat group. The infection chain is designed to look legitimate end-to-end (convincing website, normal installer UX) while deploying a full-featured backdoor with stealth and injection capabilities. Separately, email-borne campaigns are abusing attachments and “benign” file types to smuggle malware. Fortinet-reported activity uses phishing lures (e.g., payment or bank-document themes) with Excel attachments exploiting `CVE-2018-0802` to launch scripts that download a JPEG containing embedded **XWorm 7.2**, then uses **process hollowing** (e.g., into `Msbuild.exe`) and connects to a C2 at `berlin101.com` over port `6000` with AES encryption. SANS ISC also documented a similar “malicious JPEG” technique observed in the wild, where a large, heavily obfuscated JScript attachment (delivered in a GZIP wrapper) attempts persistence by copying itself to the Startup folder and participates in a chain that ultimately leverages payloads embedded in JPEGs; the spoofed message failed DMARC/SPF checks, which would likely lead to quarantine in many environments.
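The "malicious JPEG" carrier above works because image parsers stop at the End-Of-Image marker and ignore whatever follows, so a script can fetch a file that renders as a picture and slice the real payload off its tail. Checking for that is straightforward if you walk the JPEG segment structure rather than trusting the extension or MIME type. The following is an added example, not code from Fortinet, SANS ISC or any report on this page: it parses the marker segments, skips the entropy-coded scan data correctly (0xFF00 stuffing and RSTn markers must not be mistaken for real markers), and reports anything after the first EOI. The sample image is constructed inside the block and the appended "payload" is fake.

```python
"""Detect payloads appended after a JPEG's End-Of-Image (EOI) marker.

Added example illustrating the "malicious JPEG" carrier described above; it is
not code from Fortinet, SANS ISC or any report on this page. The sample image
is constructed in build_sample_jpeg() and the appended payload is fake.
"""
import math
import struct
from collections import Counter

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and RST0..RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def trailing_bytes(buf: bytes) -> bytes:
    """Walk the JPEG segments and return everything after the first EOI marker."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    i, n = 2, len(buf)
    while i < n:
        if buf[i] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {i}")
        while i < n and buf[i] == 0xFF:        # 0xFF fill bytes are legal before a marker code
            i += 1
        if i >= n:
            raise ValueError("truncated before marker code")
        marker = buf[i]
        i += 1
        if marker == EOI:
            return buf[i:]
        if marker in STANDALONE:
            continue
        if i + 2 > n:
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", buf[i:i + 2])[0]   # length includes its own 2 bytes
        if seg_len < 2:
            raise ValueError("invalid segment length")
        i += seg_len
        if marker == SOS:
            # Entropy-coded data follows the SOS header. Inside it, 0xFF is always
            # followed by 0x00 (stuffing) or by an RSTn code; anything else is a real marker.
            while i < n:
                if (buf[i] == 0xFF and i + 1 < n and buf[i + 1] != 0x00
                        and not (0xD0 <= buf[i + 1] <= 0xD7)):
                    break
                i += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(buf: bytes) -> dict:
    """Summarise what, if anything, trails the image data."""
    tail = trailing_bytes(buf)
    return {
        "trailing_bytes": len(tail),
        "has_mz_header": tail[:2] == b"MZ",      # an appended PE, as a RAT stager would be
        "entropy": round(shannon_entropy(tail), 2),
        "suspicious": len(tail) > 0,
    }


def build_sample_jpeg() -> bytes:
    """Minimal structurally valid JPEG (constructed): SOI, JFIF APP0, tiny SOS scan, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains FF00 stuffing and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_sample_jpeg()
    print("clean image:", analyze(clean))
    print("with appended fake PE:", analyze(clean + b"MZ" + bytes(range(100))))
```

Run over a downloaded image, `analyze()` returning a non-zero `trailing_bytes` is the signal; the entropy figure helps triage (a few hundred low-entropy bytes are often just metadata sloppiness, several hundred kilobytes near 8 bits per byte are not). The check is deliberately narrow: it only looks past the EOI. A payload can also be hidden inside an oversized APPn or COM segment before the scan data, which the same segment walk could report by size, and it does not attempt to decode anything it finds.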