Skip to content
Malware family

ValleyRAT_S2

ValleyRAT_S2 is a second-stage malware payload in the ValleyRAT family and is described as a modular, highly evasive C++ remote access trojan used for cyber-espionage and long-term covert access.

Profile source: Mallory opens in a new tab

ValleyRAT_S2

Family profile

ValleyRAT_S2 is a second-stage malware payload in the ValleyRAT family and is described as a modular, highly evasive C++ remote access trojan used for cyber-espionage and long-term covert access. It functions as the core backdoor component after an initial Stage 1 infection. Reported targeting includes organizations in mainland China, Hong Kong, Taiwan, and Southeast Asia, with reporting also describing theft of sensitive financial information.

Observed delivery vectors include fake Chinese-language productivity tools marketed as "AI表格生成工具," cracked software, trojanized installers and utilities, targeted phishing emails with malicious .doc, .xls, and .pdf attachments, compressed archives with disguised executables, and abuse of legitimate software update mechanisms. A prominent execution technique is DLL side-loading, in which legitimate signed applications load malicious DLLs from the same directory. Reported masqueraded DLL names include steam_api64.dll and apphelp.dll, and an example drop path is C:\Users\Admin\AppData\Local\Temp\AI自动化办公表格制作生成工具安装包\steam_api64.dll.

Capabilities described in the content include system reconnaissance and host profiling, such as collecting operating system information, locale settings, registry data, installed software details, process listings, and scanning file systems for hidden drives, removable media, and network shares. ValleyRAT_S2 is also reported to support file upload and download, shell command execution, local data exfiltration, credential theft, financial data collection, and keystroke monitoring via Windows hooks. Evasion and post-exploitation behaviors include sandbox detection, process injection using WriteProcessMemory and CreateRemoteThread, thread context manipulation, and use of trusted-looking process names such as Telegra.exe and WhatsApp.exe.

Persistence mechanisms described include Windows Task Scheduler abuse via COM APIs, possible registry run keys, staged files in %TEMP% and AppData paths, and a watchdog mechanism implemented with batch scripts. Reported artifacts include %TEMP%\target.pid, monitor.bat, and a configuration path under %APPDATA%\Promotions\Temp.aps. The malware is said to create temporary staging artifacts in %TEMP% and restart itself if terminated. Command-and-control uses hardcoded infrastructure over a custom TCP-based protocol; a reported C2 endpoint is 27.124.3.175:14852. Additional reported behaviors include initialization that masquerades as Steam-related activity and use of callbacks disguised as legitimate Steam events.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 14, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
3 IP / 0 hostnames

Leading locations

  • HK3

Leading providers

  • Cloudie Limited1
  • cognetcloud INC1
  • CTG Server Limited1

Infrastructure traits

  • Hosting 3

Samples

Recent associated samples

MITRE ATT&CK

ValleyRAT_S2 in ATT&CK

39 distinct techniques

Reporting

Research mentioning ValleyRAT_S2

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.