Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

ValleyRAT Malware Enhanced with New Threats

June 11, 2024
Reading Time: 3 mins read
in Alerts
ValleyRAT Malware Enhanced with New Threats

Cybersecurity researchers have uncovered an updated version of the malware called ValleyRAT, which is being distributed as part of a new campaign. According to Zscaler ThreatLabz researchers, the latest version of ValleyRAT introduces new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs. Previously documented by QiAnXin and Proofpoint in 2023, ValleyRAT has been linked to a phishing campaign targeting Chinese-speaking users and Japanese organizations, distributing various malware families such as Purple Fox and Sainbox RAT (aka FatalRAT).

ValleyRAT is attributed to a China-based threat actor, with capabilities to harvest sensitive information and drop additional payloads onto compromised hosts. The infection starts with a downloader that uses an HTTP File Server (HFS) to fetch a file named “NTUSER.DXM,” which is decoded to extract a DLL file responsible for downloading “client.exe” from the same server. The decrypted DLL detects and terminates anti-malware solutions from Qihoo 360 and WinRAR to evade analysis, then retrieves three more files – “WINWORD2013.EXE,” “wwlib.dll,” and “xig.ppt” – from the HFS server.

The malware proceeds by launching “WINWORD2013.EXE,” a legitimate executable associated with Microsoft Word, using it to sideload “wwlib.dll” that establishes persistence on the system and loads “xig.ppt” into memory. From this point, the decrypted “xig.ppt” decrypts and injects shellcode into “svchost.exe,” creating it as a suspended process, allocating memory, and writing shellcode within it. The shellcode contains configuration to contact a command-and-control (C2) server and download the ValleyRAT payload in the form of a DLL file.

ValleyRAT utilizes a convoluted multi-stage process to infect a system with the final payload that performs most of the malicious operations. This staged approach, combined with DLL side-loading, is designed to evade host-based security solutions such as EDRs and anti-virus applications. The development comes as Fortinet FortiGuard Labs uncovered a separate phishing campaign targeting Spanish-speaking individuals with an updated version of the keylogger and information stealer Agent Tesla, highlighting the continuously evolving landscape of cyber threats.

Reference:

  • ValleyRAT Malware Updated with New Commands for Enhanced Threats

Tags: Cyber AlertCyber Alerts 2024Cyber RiskCyber threatJune 2024MalwareValleyRATWindowsZscaler
ADVERTISEMENT

Related Posts

Russian APT28 Deploys Outlook Backdoor

SAP S4hana Exploited Vulnerability

September 5, 2025
Russian APT28 Deploys Outlook Backdoor

Virustotal Finds Undetected SVG Files

September 5, 2025
Russian APT28 Deploys Outlook Backdoor

Russian APT28 Deploys Outlook Backdoor

September 5, 2025
Lazarus Hackers Exploit ZeroDay, Deploy Rats

Lazarus Hackers Exploit ZeroDay, Deploy Rats

September 4, 2025
Lazarus Hackers Exploit ZeroDay, Deploy Rats

CISA Flags TP Link Router Flaws

September 4, 2025
Lazarus Hackers Exploit ZeroDay, Deploy Rats

Google Patches 120 Flaws In Android

September 4, 2025

Latest Alerts

SAP S4hana Exploited Vulnerability

Virustotal Finds Undetected SVG Files

Russian APT28 Deploys Outlook Backdoor

CISA Flags TP Link Router Flaws

Lazarus Hackers Exploit ZeroDay, Deploy Rats

Google Patches 120 Flaws In Android

Subscribe to our newsletter

    Latest Incidents

    North Korean Hackers Fake Interviews

    Bridgestone Confirms Cyberattack

    Cybersecurity Firms Hit By Breach

    Salesloft Drift Attacks Hits Vendors

    Jaguar Land Rover Hit By Cyber Incident

    Hackers Use Grok Ai To Spread Malware

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial