ValleyRAT Unleashed: A Deep Dive into its Modern Arsenal and Tactics

Reported cases increased sharply from late 2024 to 2025. We observed attacks by SilverFox primarily targeting Chinese-speaking individuals in Southeast Asia and East Asia, impersonating multiple legitimate software programs, including fake LINE installers, to spread ValleyRAT. Further investigation revealed that the attacks were not limited to LINE and that a variety of software programs were being impersonated.

ValleyRAT was thought to be original malware exclusive to SilverFox, but source code and a builder are in circulation, and the builder was released at least as early as February 2023. As a result, as of July 2025, attacks using various execution chains are being carried out using this malware.

ValleyRAT’s attack chain is often distributed as a fake software installer via SEO poisoning or phishing emails. However, espionage-like attacks have also been reported, such as spear-phishing emails targeting businesses that pose as government agency communications or invoices.

ValleyRAT uses a wide variety of tools and techniques. In this presentation, we will organize the attacks using ValleyRAT observed since 2025 by the following execution chains:

– DLL side-load fake installer
– Payload embedded in the image (a.k.a. PNGPlug)
– Go-Lang
– APT-like Masquerading Loader
– Donuts

During our investigation, we discovered new patterns using WinRAR SFX and Go language loaders. We also found cases where the same export name as MustangPanda was used in DLL side-loading in ValleyRAT’s execution chain.

For each execution chain, we will analyze the targets, TTPs, and C2 infrastructure, and propose a classification of ValleyRAT’s attack campaigns. Finally, we will share hunting techniques for ValleyRAT (Winos 4.0).

Hiromu Kubiura – LY Corporation

At LY Corporation, I conduct threat intelligence focused on malware analysis and phishing countermeasures. I have presented at Black Hat USA Arsenal and BSides Tokyo.

Ryonosuke Kawakami – Cyber Defense Institute, Inc

Ryonosuke Kawakami is a threat researcher at Cyber Defense Institute with deep expertise in malware analysis and reverse engineering. His work focuses on tracking APT campaigns, reverse engineering malware, and conducting memory forensics. He turns low-level findings into action—deobfuscating code, profiling C2, and informing APT attribution.

Shota Nakajima – Cyber Defense Institute, Inc

Shota Nakajima is a Tech Lead of Threat Intelligence at the Cyber Defense Institute, Inc. He specializes in malware analysis, with deep expertise in reverse engineering. In the field of threat intelligence, he actively tracks the latest Advanced Persistent Threats (APTs) and has presented his extensive research at numerous international conferences, including JSAC, VB, HITCON, AVAR, CODE BLUE and Black Hat Arsenal. Leveraging his specialized knowledge, he is also dedicated to developing practical and effective threat intelligence products.