An active campaign uses typosquatted domains that look like trusted software brands to target Chinese-speaking users. The operation includes VPN clients, encrypted messaging apps, video conferencing tools, cryptocurrency trackers, and online shopping apps. The activity has been linked to a Chinese cybercrime group known as Silver Fox, which is also known as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.
All of the installer packages found so far are signed with the same stolen Extended Validation code-signing certificate, which was issued to DUC FABULOUS CO.,LTD, a Vietnamese company based in Hanoi.
The same certificate has been used in other malware campaigns unrelated to this one, which makes it likely that cybercriminals will keep reusing it to make malicious payloads look legitimate and get past security checks. Recent attacks, ongoing since at least December 2025, have hit businesses in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India.
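The lure domains described above imitate trusted software brands, so one check a defender can run over DNS or proxy logs is a brand-similarity heuristic. The following is an added example, not code from the article or from any vendor it cites: it scores the registrable label of each queried domain against a constructed list of brand names (stand-ins for the VPN, messaging, conferencing, crypto and shopping brands the campaign imitates, since the article does not name them) using homoglyph normalisation, embedded-brand matching and a one-edit Levenshtein threshold. The log lines and the `.example` domains are constructed for the demonstration.

```python
import re

# Constructed stand-ins for the brands the lures imitate (assumption: the article
# names only product categories, not the actual brands).
TRUSTED_BRANDS = ["telegram", "zoom", "signal", "expressvpn", "binance"]

# Common look-alike substitutions, multi-character keys first so "rn" -> "m" is
# applied before "1" -> "l". Heuristic only; it will also rewrite innocent labels.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed DNS query log (not from the article).
SAMPLE_DNS_LOG = """\
2026-01-12T10:03:44Z client=10.0.0.5 query=telegram.example
2026-01-12T10:03:51Z client=10.0.0.5 query=te1egram.example
2026-01-12T10:04:02Z client=10.0.0.9 query=zoom-download.example
2026-01-12T10:04:10Z client=10.0.0.9 query=signa1-app.example
2026-01-12T10:04:30Z client=10.0.0.12 query=expresvpn.example
2026-01-12T10:05:01Z client=10.0.0.12 query=news.example
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<domain>\S+)")


def registrable_label(domain):
    """Return the label left of the TLD (naive: no public-suffix list)."""
    host = domain.lower().strip().split("/")[0].split(":")[0].rstrip(".")
    labels = host.split(".")
    return host if len(labels) < 2 else labels[-2]


def normalize(label):
    """Drop hyphens and undo look-alike substitutions before comparing."""
    label = label.replace("-", "")
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_label(label, brands=TRUSTED_BRANDS):
    """Return (brand, reason) if the label looks like a squat of a brand, else None.

    An exact brand label is treated as the brand's own domain (assumption).
    """
    norm = normalize(label)
    for brand in brands:
        if label == brand:
            return None
        if norm == brand:
            return brand, "homoglyph substitution"
        if brand in norm:
            return brand, "brand embedded in longer label"
        # Short brands produce too many false positives at distance 1.
        if len(brand) >= 5 and levenshtein(norm, brand) <= 1:
            return brand, "one edit from brand"
    return None


def flag_typosquats(log_text):
    """Parse log lines and return a list of dicts for queries that look squatted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        domain = m.group("domain")
        verdict = classify_label(registrable_label(domain))
        if verdict:
            brand, reason = verdict
            hits.append({"client": m.group("client"), "domain": domain,
                         "brand": brand, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_typosquats(SAMPLE_DNS_LOG):
        print(f"{hit['client']:10} {hit['domain']:24} ~ {hit['brand']:10} ({hit['reason']})")
```

The two-level TLD handling is deliberately naive; in production, resolve the registrable label with a public-suffix list and pair the heuristic with an allowlist of the brands' real domains so that legitimate `*-cdn` or regional variants are not flagged.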
ValleyRAT gives the actor remote access to the compromised machine, lets them steal private data, monitor user activity, and maintain a long-term presence in the targeted environment. The hacking group has also been linked to an active spear-phishing campaign that uses convincing lures related to tax compliance violations, salary changes, job changes, and employee stock ownership plans.
French cybersecurity company Sekoia said, "The group keeps a dual-track model, running broad, opportunistic campaigns alongside its more sophisticated operations by continuously evolving its tooling." It also said that the second and third campaigns that used the RMM tool and Python stealer seem to be more in line with opportunistic cybercrime than APT operations.