ValleyRAT
Also known as: Winos, Winos 4.0
ValleyRAT is a modular remote access trojan rebuilt from the Gh0st RAT codebase, first documented by Chinese researchers in early 2023. Also tracked as Winos 4.0, it's a ground-up modernization of the decade-old Gh0st framework rather than a simple fork. The malware is attributed to a China-based group known as Silver Fox, though a publicly leaked builder tool circulating since mid-2024 means independent operators can now compile and deploy their own variants.
The framework ships with roughly 20 plugins compiled in both 32-bit and 64-bit variants. These cover remote desktop, screen recording, webcam and audio capture, keylogging with clipboard extraction, file and registry manipulation, and reverse-proxy tunneling. A DDoS module supports TCP, UDP, HTTP, and ICMP floods. A kernel rootkit derived from the open-source Hidden project adds process protection, file and registry hiding, and kernel-level forced deletion of security product drivers. The rootkit driver loads using expired but non-revoked certificates that qualify under Windows driver signing policy exceptions for legacy drivers, so it loads on fully patched systems with Secure Boot and HVCI enabled.
C2 communication runs over a custom protocol called Gh0stKCP, which layers Gh0st RAT's command structure on top of KCP, a UDP-based transport built for low-latency delivery. The protocol's custom handshake uses magic bytes and bidirectional conversation IDs, which allows UDP hole punching for NAT traversal. TCP fallback is supported through a configuration flag. Encryption varies by stage: AES-256 for first-stage shellcode, XOR with a consistent key for subsequent shellcode, and RC4 for ongoing C2 traffic.
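As an added example (not code from the page or from any of the analyses it cites), the following Python recognises plain KCP segments in UDP payloads and groups them by conversation ID per direction, the kind of flow check a hunter would use to surface KCP-shaped traffic before looking closer. The Gh0stKCP handshake magic bytes are not given on this page and are not modelled; all sample datagrams are constructed.

```python
"""Recognise KCP segments in UDP payloads and summarise a flow (constructed data).

Plain KCP header, 24 bytes little-endian:
  conv u32 | cmd u8 | frg u8 | wnd u16 | ts u32 | sn u32 | una u32 | len u32
followed by `len` payload bytes; one datagram may carry several segments.
The Gh0stKCP-specific handshake magic is not on this page and is not modelled.
"""
import struct
from dataclasses import dataclass

KCP_HDR = struct.Struct("<IBBHIIII")
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}  # ikcp command bytes


@dataclass
class Segment:
    conv: int
    cmd: str
    sn: int
    payload: bytes


def parse_kcp(datagram: bytes) -> list:
    """All segments in a datagram, or [] if any part is not well-formed KCP."""
    segs, off = [], 0
    while off + KCP_HDR.size <= len(datagram):
        conv, cmd, _frg, _wnd, _ts, sn, _una, ln = KCP_HDR.unpack_from(datagram, off)
        off += KCP_HDR.size
        if cmd not in KCP_CMDS or off + ln > len(datagram):
            return []  # unknown command byte or truncated payload
        segs.append(Segment(conv, KCP_CMDS[cmd], sn, datagram[off:off + ln]))
        off += ln
    return segs if segs and off == len(datagram) else []


def build_kcp(conv: int, cmd: int, sn: int, payload: bytes = b"") -> bytes:
    """Encode one segment; used only to construct the sample traffic below."""
    return KCP_HDR.pack(conv, cmd, 0, 128, 0, sn, 0, len(payload)) + payload


def kcp_sessions(datagrams):
    """datagrams: iterable of (direction, payload). Returns {conv: set(directions)}
    so a hunter can spot conversation IDs seen from both ends of a UDP flow."""
    seen = {}
    for direction, data in datagrams:
        for seg in parse_kcp(data):
            seen.setdefault(seg.conv, set()).add(direction)
    return seen


# Constructed sample: PUSH/ACK exchange on conv 0x1234 plus one non-KCP datagram.
SAMPLE = [
    ("c2s", build_kcp(0x1234, 81, 0, b"hello") + build_kcp(0x1234, 81, 1, b"!")),
    ("s2c", build_kcp(0x1234, 82, 0)),
    ("c2s", b"\x00\x01GET / HTTP/1.0\r\n"),  # not KCP: rejected by parse_kcp
]

if __name__ == "__main__":
    print(kcp_sessions(SAMPLE))  # {4660: {'c2s', 's2c'}}
```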
Distribution leans on SEO poisoning through trojanized installers that mimic popular software. Documented lures include fake builds of Chrome, Microsoft Teams, Telegram, VPN clients, medical imaging software, and Chinese social media applications. A November 2025 campaign used Cyrillic filenames in fake Teams installers as a deliberate false flag to throw off attribution. On the technical side, delivery typically involves DLL sideloading through legitimate signed executables, NSIS installer abuse with PowerShell to disable endpoint protection, and shellcode reflective DLL injection for in-memory execution.
The malware targets Chinese-speaking users across e-commerce, finance, healthcare, government, and gaming sectors. It includes a geographic kill switch that checks for WeChat and DingTalk registry keys and exits if both are absent. Anti-analysis routines go after Chinese security products by name, killing processes from Qihoo 360, Kingsoft, and Tencent QQ PC Manager. Operations have spread beyond mainland China and Taiwan into Japan, Malaysia, and India, with healthcare-sector campaigns observed through trojanized Philips DICOM viewer installers.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 9 |
| Apr 13, 2026 | 18 |
| Apr 12, 2026 | 4 |
| Apr 11, 2026 | 15 |
| Apr 10, 2026 | 9 |
| Apr 9, 2026 | 5 |
| Apr 8, 2026 | 32 |
Further Reading
Check Point's deep-dive into the leaked ValleyRAT builder, kernel rootkit analysis, BYOVD technique, and driver signing abuse. Documents 30 builder variants and 12 rootkit drivers.
Netresec's documentation of the custom C2 transport protocol. Covers KCP/HP-Socket handshake, magic bytes, bidirectional conversation IDs, and UDP hole punching for NAT traversal.
Zscaler ThreatLabz analysis of RAT command opcodes, shellcode loading chain, device fingerprinting, and anti-sandbox techniques including sleep obfuscation.
Trend Micro's Void Arachne campaign report. First to name the framework Winos 4.0, documenting 23 server plugins and trojanized VPN/AI tool distribution.
Multi-payload installer deploying Winos 4.0 alongside the Nidhogg rootkit. Documents language ID verification targeting Chinese and Vietnamese systems.
Rapid7's analysis of evolved delivery using NSIS installers, PowerShell Defender disabling, and shellcode reflective DLL injection for in-memory execution.
Documents the November 2025 fake Teams campaign with Cyrillic false flags. Identifies CTG Server Ltd infrastructure and deliberate misdirection tactics.
Forescout's discovery of trojanized medical imaging software targeting healthcare. Shows Silver Fox's expansion beyond traditional Chinese-speaking targets.
Fortinet's multi-stage campaign analysis targeting e-commerce and finance sectors. Covers shellcode obfuscation using UUID and IP address string disguises.