A new campaign involving the ValleyRAT remote-access trojan (RAT) is targeting Chinese-language users and organizations with advanced evasion, privilege escalation, and environment-aware features that make detection extremely difficult.
First identified in early 2023, ValleyRAT continues to evolve, with researchers attributing recent infections to highly targeted phishing operations and trojanized software installers delivering multi-stage payloads across Windows systems.
Loader Architecture and Stealth Execution
ValleyRAT’s infection chain relies on a multi-layered execution model that includes a downloader, a loader, an injector, and a final RAT payload.
The loader, implemented as a .NET executable, embeds encrypted resources that it decrypts in memory with TripleDES, using a key derived from an MD5 hash.
After decryption, it launches the next stage through MSBuild.exe, Microsoft's signed build engine, so that process injection is carried out from a trusted Living-off-the-Land Binary (LOLBin) rather than from the unsigned dropper.
Because the payload is decrypted only in memory and runs under a masqueraded process, ValleyRAT leaves little on disk for signature-based scanners to find. Its loader also obfuscates strings with Unicode reversals, concatenation, and escape sequences to hinder static analysis.
In several samples, researchers observed the malware copying itself to the Startup folder as “Appcustom.exe,” ensuring persistence while disguising itself as a benign system utility.
Region-Specific Controls and Privilege Escalation
What sets ValleyRAT apart is its selective execution behavior. Before activation, it searches the Windows Registry for entries belonging to WeChat and DingTalk, two applications that are near-ubiquitous in Chinese enterprise environments.
If neither is present, the malware terminates, which limits its exposure on sandboxes and on hosts outside its intended geography. Once the check passes, it creates a mutex to prevent multiple instances and immediately begins privilege escalation attempts.
The malware employs several User Account Control (UAC) bypass techniques: it writes to the per-user (HKCU) registry keys that auto-elevating binaries such as Fodhelper.exe, Event Viewer, and CompMgmtLauncher.exe consult when they launch, so that those trusted binaries execute the malware with elevated privileges.
It also enables SeDebugPrivilege in its access token, which lets it open, tamper with, or terminate processes it would otherwise be denied access to, including security software. ValleyRAT specifically targets executables from local antivirus and HIPS products such as Qihoo 360, Tencent PC Manager, and Kingsoft, terminating them or disabling the mechanisms that restart them after a reboot.
Defense Evasion and C2 Communication
ValleyRAT enhances its resilience using both PowerShell-based Defender exclusion commands and anti-analysis routines.
It runs “Add-MpPreference -ExclusionPath” to add its working directory to Windows Defender's exclusion list, so the directory is no longer scanned, and it checks for virtualization with CPUID instructions and enumerates open windows to detect analysis tools such as Wireshark and Task Explorer.
For persistence, it writes to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key under deceptive names such as “GFIRestart32.exe”.
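The behaviours above (MSBuild.exe launched by a dropper, the fodhelper/mscfile UAC-bypass keys, the Defender exclusion command, the Run key entry, and the Startup-folder copy) all show up in ordinary host telemetry. The script below hunts for them in Sysmon-style events. It is an added example, not code from the article or from the researchers it cites; the events are constructed, the SIDs and paths are placeholders, and the rule that treats MSBuild as suspicious only when its parent lives in a user-writable directory is an assumption for the example rather than a published rule.

```python
"""Hunt for the ValleyRAT host behaviours described above in Sysmon-style events.

Added example, not code from the article. Events are constructed; field names
follow Sysmon schemas (EventID 1 process creation, 11 file creation,
13 registry value set).
"""
import re

# Assumption for this example: a legitimate MSBuild launch rarely has a parent
# binary in one of these user-writable locations. Tune to your build fleet.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|users\\public)\\", re.I)


def msbuild_from_user_writable_parent(ev):
    """True when MSBuild.exe was spawned by a binary in a user-writable directory."""
    return bool(USER_WRITABLE.search(ev.get("ParentImage", "")))


# (rule name, Sysmon EventID, field to inspect, pattern, optional extra predicate)
RULES = [
    # fodhelper.exe consults the per-user ms-settings handler; a value written
    # there is the classic fileless UAC bypass.
    ("uac_bypass_fodhelper", 13, "TargetObject",
     re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I), None),
    # eventvwr.exe and CompMgmtLauncher.exe resolve the per-user mscfile handler.
    ("uac_bypass_mscfile", 13, "TargetObject",
     re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command", re.I), None),
    # HKCU Run-key persistence; noisy on its own, so it only raises the score.
    ("run_key_persistence", 13, "TargetObject",
     re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I), None),
    # Add-MpPreference -ExclusionPath adds a folder to Defender's scan exclusions.
    ("defender_exclusion", 1, "CommandLine",
     re.compile(r"add-mppreference\b.*-exclusionpath", re.I), None),
    # MSBuild as a LOLBin: suspicious only when the parent is an installer or
    # dropper sitting in a user-writable path.
    ("msbuild_lolbin", 1, "Image",
     re.compile(r"\\msbuild\.exe$", re.I), msbuild_from_user_writable_parent),
    # Executable dropped into the per-user Startup folder.
    ("startup_folder_drop", 11, "TargetFilename",
     re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I), None),
]


def scan(events):
    """Return [(rule_name, event_index), ...] for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, eid, field, pattern, extra in RULES:
            if ev.get("EventID") != eid:
                continue
            if pattern.search(ev.get(field, "")) and (extra is None or extra(ev)):
                hits.append((name, i))
    return hits


def verdict(hits):
    """Escalate when independent technique families co-occur on one host.

    A lone Run-key write is routine; a UAC-bypass key plus two other families
    (Defender exclusion, Startup drop, MSBuild from a dropper) is the chain
    the article describes.
    """
    families = {name for name, _ in hits}
    if any(n.startswith("uac_bypass") for n in families) and len(families) >= 3:
        return "high"
    if families:
        return "review"
    return "clean"


# Constructed telemetry for one host; SIDs, user names and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\payload.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc\payload.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Roaming\svc'"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\GFIRestart32.exe",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\payload.exe"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appcustom.exe"},
    # Benign control: MSBuild launched by Visual Studio must not fire.
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe app.sln"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for rule, idx in hits:
        print(f"{rule:22s} event #{idx}")
    print("verdict:", verdict(hits))
```

The rules match on the registry paths and command-line tokens the techniques must touch rather than on sample-specific file names, so a renamed dropper still fires them; the per-host verdict exists because the Run key and MSBuild rules are too noisy to alert on individually.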
Finally, its Command and Control (C2) beaconing begins with a connectivity check against “hxxp://www[.]baidu.com”, a benign destination, before it generates randomized identifiers for its outbound traffic, another layer of evasion intended to keep the channel stable and inconspicuous.