The remote access trojan known as ValleyRAT was initially discovered in 2023.

A threat actor known as Silver Fox is responsible for the malware. Chinese-speaking areas have been the main target of previous attack campaigns. ValleyRAT has the ability to log keystrokes, monitor screen content, and create persistence on the host.

Additionally, it can download and run arbitrary DLLs and binaries, as well as initiate communications with a remote server to wait for additional instructions that enable it to enumerate processes. In the most recent attack sequence, targets are tricked into downloading a ZIP archive containing an executable ("Setup.exe") by using a phony Google Chrome website. When the setup binary is executed, it downloads four more payloads, one of which is a legitimate executable linked to Douyin ("Douyin.exe"), the Chinese version of TikTok, which is used to sideload a rogue DLL that initiates the trojan.
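The sideload described above relies on a trusted executable resolving a DLL from its own directory rather than from the Windows system directory. The following is an added defender-side example, not code from the article or from Morphisec: a small heuristic over constructed image-load records that flags a system-DLL name resolved from outside System32/SysWOW64. The Douyin.exe path, the DLL name `version.dll`, the record format and the `SYSTEM_DLLS` set are all assumptions; the article does not name the rogue DLL.

```python
"""Added example (not from the article or Morphisec): a DLL sideloading
heuristic over constructed image-load records. The Windows loader resolves
DLLs that are not on the KnownDLLs list from the application's own directory
before the system directory, so a system-DLL name resolved outside
System32/SysWOW64 is the signal checked here."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DLL names that normally live only in the Windows system directory.
# Constructed sample set; build the real list from a known-clean host.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "wininet.dll"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    process: str  # full path of the process image that loaded the DLL
    module: str   # full path of the DLL as resolved by the loader
    signed: bool  # whether the DLL carried a valid Authenticode signature


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the load looks like a sideload, else None."""
    proc_dir = ntpath.dirname(ev.process).lower()
    mod_dir = ntpath.dirname(ev.module).lower()
    mod_name = ntpath.basename(ev.module).lower()
    if mod_dir in TRUSTED_DIRS:
        return None
    if mod_name in SYSTEM_DLLS:
        where = "application directory" if mod_dir == proc_dir else "non-system directory"
        sig = "signed" if ev.signed else "unsigned"
        return f"system DLL name {mod_name} resolved from {where} ({sig})"
    return None


def parse_line(line: str) -> ImageLoad:
    # Constructed record format: process|module|signed-or-unsigned
    process, module, sig = line.strip().split("|")
    return ImageLoad(process, module, sig == "signed")


def find_sideloads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (process, module, reason) for every record that looks like a sideload."""
    hits = []
    for ev in map(parse_line, lines):
        reason = classify(ev)
        if reason:
            hits.append((ev.process, ev.module, reason))
    return hits


# Constructed sample records; paths and DLL names are illustrative only.
SAMPLE_EVENTS = [
    r"C:\Users\victim\Downloads\Setup\Douyin.exe|C:\Users\victim\Downloads\Setup\version.dll|unsigned",
    r"C:\Users\victim\Downloads\Setup\Douyin.exe|C:\Windows\System32\kernel32.dll|signed",
    r"C:\Program Files\Vendor\app.exe|C:\Program Files\Vendor\vendorlib.dll|signed",
    r"C:\Program Files\Vendor\app.exe|C:\Windows\SysWOW64\wininet.dll|signed",
]

if __name__ == "__main__":
    for proc, mod, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"{proc} -> {mod}: {reason}")
```

Only the first constructed record is flagged: a system-DLL name loaded from the same directory as the executable and lacking a signature. Vendor DLLs with their own names and DLLs loaded from the real system directories pass, which keeps the heuristic quiet on ordinary software; in practice the `SYSTEM_DLLS` list should be derived from a clean reference host rather than hand-written.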

According to Morphisec CTO Michael Gorelik, the deceptive Chrome installer site was previously used to download the Gh0st RAT payload, and the campaign specifically targeted Chinese-speaking users. Drive-by download schemes are the main method used to distribute the links to the phony Chrome websites. "This method exploits the users' trust in legitimate software downloads, making them susceptible to infection," Gorelik stated in a blog post regarding the attack. According to researcher Shmuel Uzan, the actor has increasingly targeted important positions within organizations, "highlighting a strategic focus on high-value positions with access to sensitive data and systems."