An Analysis of ValleyRAT Infection Campaigns from Fake Installers, Japanese Malicious Emails
ValleyRAT malware campaigns have been identified using two main infection vectors: fake installers targeting Chinese-speaking users and malicious email campaigns targeting both Chinese and Japanese-speaking users. The malware employs advanced evasion techniques such as process injection, DLL sideloading, junk code insertion, memory and process checks, and fileless execution via Donut-generated shellcode. It establishes persistence through registry modifications and enables remote access for attackers. Detection volumes have increased significantly since May 2025, nearly doubling in 2026. No specific software versions are affected, and no official patches or fixes are available.
AI Analysis (machine-generated threat intelligence)
Technical Summary
LevelBlue's analysis reveals two distinct ValleyRAT infection campaigns: one leveraging fake installers, primarily targeting Chinese-speaking users, with advanced techniques such as Pool Party Variant 7 process injection and bring-your-own-vulnerable-driver (BYOVD) methods; the other using malicious emails that deliver ZIP archives containing EXE and DLL files which abuse DLL sideloading, targeting Chinese and Japanese-speaking users. The malware uses multiple evasion tactics, including junk code insertion, memory-size and process-count checks, sleep-duration checks, and fileless execution via Donut-generated shellcode. Persistence is achieved through registry modifications, giving the SilverFox adversary group remote access to infected hosts. Detection volumes have risen sharply from May 2025 through 2026. There are no known exploits in the wild beyond these campaigns, no CVE identifiers, and no patches or vendor advisories indicating remediation.
Potential Impact
ValleyRAT enables remote access to infected systems, allowing threat actors to maintain persistence and potentially conduct further malicious activities. The malware's advanced evasion techniques complicate detection and analysis. The campaigns target Chinese and Japanese-speaking users, so organizations operating in those language environments face elevated risk. The increased detection volume indicates growing activity and potential spread. However, no known exploits beyond these campaigns have been reported, and no specific vulnerable software versions are identified.
Mitigation Recommendations
No official patches or fixes are available for ValleyRAT infections. Mitigation should focus on user awareness to avoid fake installers and phishing emails, especially in Chinese and Japanese-speaking environments. Security teams should monitor for indicators of compromise such as the provided IP addresses, domains, hashes, and URLs. Employing endpoint detection solutions capable of identifying process injection, DLL sideloading, and fileless execution techniques may help detect and block infections. Since this is malware rather than a software vulnerability, remediation involves incident response and malware removal rather than patching.
Indicators of Compromise
- ip: 154.92.16.22
- domain: frehf.oss-cn-hongkong.aliyuncs.com
- hash: e8be03f19ada1f5cec74b143e21d4939e781671d
- hash: 65168c8dd93b16d3b77092fb70c0fa6fba4dffcc
- url: http://154.92.16.22/xz.bin
- hash: eca7ed7b699835fadc2c2997a2845864e02b8dfe
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/an-analysis-of-valleyrat-infection-campaigns-from-fake-installers-japanese-malicious-emails
- Adversary: SilverFox
- Pulse Id: 6a446c5df8b0ab9d5af62b64
- Threat Score: null
Threat ID: 6a44bffa27e9c7971923ca9a
Added to database: 07/01/2026, 07:21:30 UTC
Last enriched: 07/01/2026, 07:36:20 UTC
Last updated: 07/01/2026, 10:57:46 UTC
Views: 11