A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers


FortiGuard Labs recently encountered an ongoing ValleyRAT campaign specifically targeting Chinese speakers. This malware has historically targeted e-commerce, finance, sales, and management enterprises.

ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage. Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, significantly reducing its file footprint in the victim’s system. This blog provides a technical analysis of this campaign.

Read more…
Source: Fortinet


Sign up for our Newsletter


Related:

  • Potential Backdoor Embedded in Contec Health CMS8000 Patient Monitor Firmware

    January 31, 2025

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a medical product advisory for the Contec Health CMS8000 Patient Monitor to address one critical and two high severity vulnerabilities. The Contec CMS8000 is a patient monitor used to display real-time information such as the vital signs of a patient, including temperature, heartbeat, and blood pressure. ...

  • TeamViewer Releases Security Updates for Privilege Escalation Vulnerability

    January 31, 2025

    TeamViewer has released a security advisory addressing a new vulnerability within the TeamViewer Remote Windows Clients. TeamViewer is a popular remote access and control software. CVE-2025-0065 is an ‘improper neutralization of argument delimiters in a command’ vulnerability with a CVSSv3 score of 7.8. An unprivileged attacker with local Windows access could use this flaw to elevate ...

  • One policy to rule them all

    January 31, 2025

    Windows group policies are a powerful management tool that allows administrators to define and control user and computer settings within a domain environment in a centralized manner. While group policies offer functionality and utility, they are unfortunately a prime target for attackers. In particular, attackers are increasingly using group policies to distribute malware, execute hidden scripts ...

  • Ukraine’s defense intel launches cyber attack on Gazprom

    January 31, 2025

    On the anniversary of the Battle of Kruty, a cyber unit of Ukraine’s Main Intelligence Directorate launched a DDoS attack on the digital infrastructure of Russia’s Gazprom and Gazpromneft. In particular, Ukrainian cyber professionals attacked the online services of the enterprises that support the activities of the Russian army. From January 28, 2025, company clients were ...

  • Tata Technologies says ransomware attack hit IT assets

    January 31, 2025

    Tata Technologies, a technology and product engineering service company owned by Indian conglomerate Tata Group, has disclosed a ransomware attack that has forced it to suspend some of its services. The Pune-headquartered company said Friday that the incident affected “a few of our IT assets” while its client delivery services “remained fully functional and unaffected throughout.” ...

  • Coyote Banking Trojan: A Stealthy Attack via LNK Files

    January 30, 2025

    Over the past month, FortiGuard Labs has identified several similar LNK files containing PowerShell commands designed to execute malicious scripts and connect to remote servers. These files are part of multi-stage operations that ultimately deliver the Coyote Banking Trojan. This malware primarily targets users in Brazil, seeking to harvest sensitive information from over 70 financial applications ...