Last seven days
- First activity
- Jul 14, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 3 IP / 0 hostnames
ValleyRAT_S2 is a second-stage malware payload in the ValleyRAT family and is described as a modular, highly evasive C++ remote access trojan used for cyber-espionage and long-term covert access.
Profile source: Mallory opens in a new tabValleyRAT_S2
ValleyRAT_S2 is a second-stage malware payload in the ValleyRAT family and is described as a modular, highly evasive C++ remote access trojan used for cyber-espionage and long-term covert access. It functions as the core backdoor component after an initial Stage 1 infection. Reported targeting includes organizations in mainland China, Hong Kong, Taiwan, and Southeast Asia, with reporting also describing theft of sensitive financial information.
Observed delivery vectors include fake Chinese-language productivity tools marketed as "AI表格生成工具," cracked software, trojanized installers and utilities, targeted phishing emails with malicious .doc, .xls, and .pdf attachments, compressed archives with disguised executables, and abuse of legitimate software update mechanisms. A prominent execution technique is DLL side-loading, in which legitimate signed applications load malicious DLLs from the same directory. Reported masqueraded DLL names include steam_api64.dll and apphelp.dll, and an example drop path is C:\Users\Admin\AppData\Local\Temp\AI自动化办公表格制作生成工具安装包\steam_api64.dll.
Capabilities described in the content include system reconnaissance and host profiling, such as collecting operating system information, locale settings, registry data, installed software details, process listings, and scanning file systems for hidden drives, removable media, and network shares. ValleyRAT_S2 is also reported to support file upload and download, shell command execution, local data exfiltration, credential theft, financial data collection, and keystroke monitoring via Windows hooks. Evasion and post-exploitation behaviors include sandbox detection, process injection using WriteProcessMemory and CreateRemoteThread, thread context manipulation, and use of trusted-looking process names such as Telegra.exe and WhatsApp.exe.
Persistence mechanisms described include Windows Task Scheduler abuse via COM APIs, possible registry run keys, staged files in %TEMP% and AppData paths, and a watchdog mechanism implemented with batch scripts. Reported artifacts include %TEMP%\target.pid, monitor.bat, and a configuration path under %APPDATA%\Promotions\Temp.aps. The malware is said to create temporary staging artifacts in %TEMP% and restart itself if terminated. Command-and-control uses hardcoded infrastructure over a custom TCP-based protocol; a reported C2 endpoint is 27.124.3.175:14852. Additional reported behaviors include initialization that masquerades as Steam-related activity and use of callbacks disguised as legitimate Steam events.
C2 tracking
Derp observations, rolling seven-day window
Samples
0a3061ce09d7e3cb2b3d3453432da69ee83b59b782853d1f6462fd177db75a7a 367314385c4bc2f97e4a1d5b9a1612ec6f71ad0b51cf0754c19f7275f916e386 7813b7a31ac9f251e26156496d61c44b4b14aff5390b8212b050033975395d7c ec4ea2c3851c910fa98f99e2a3cf161022b4511a1c56e1fcc3a5d2e07542b279 12b920865bc8bd9bad20650a0f7849fe2856de3d72bc5f1a93bb288e8eefaca2 21169e5a0b4a1d0b7bac5b335139c7de57b33229fd26a383e0948938a76d5863 21bae361ccfc5384fb4d1fa26f235627abaeb9ce4738587cd1720e137e22fa77 5185e3d6e9d888053f1b4f6dd9070ad7c57fddd988638b60b7c777dc9bb289df ffe98374173d7c2084a1a6953b308c13a8b9493294af831c23542b0d88654036 MITRE ATT&CK
Reporting
Organizations in China, Hong Kong, Taiwan, and Southeast Asia have been subjected to attacks with the advanced second-stage ValleyRAT_S2 malware... Threat actors have used... phishing emails with illicit attachments to spread ValleyRAT_S2, which performs DLL side-loading...
A sophisticated second-stage malware payload known as ValleyRAT_S2 has emerged as a critical threat... This Remote Access Trojan (RAT), written in C++, is a modular, highly evasive cyber-espionage tool... ValleyRAT_S2 operates as the functional core of the ValleyRAT malware family...
A new wave of attacks is using the ValleyRAT_S2 malware to quietly break into organizations, stay hidden for long periods, and steal sensitive financial information. ValleyRAT_S2 is the second-stage payload of the ValleyRAT family and is written in C++.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.