{
  "type": "Domain",
  "indicator": "anizom.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/anizom.com",
    "alexa": "http://www.alexa.com/siteinfo/anizom.com",
    "indicator": "anizom.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4033639948,
      "indicator": "anizom.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "67a3903aa8b6a07a5de7b593",
          "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
          "description": "ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection chain begins with a fake Chrome browser download, followed by the execution of a Setup.exe file that downloads additional components. The malware employs DLL side-loading, process injection, and anti-VM techniques to evade detection. It includes features such as keylogging, screen monitoring, and persistence mechanisms. ValleyRAT communicates with command and control servers and can execute various commands, including dropping and executing files, setting startup configurations, and manipulating processes.",
          "modified": "2025-03-07T16:00:12.175000",
          "created": "2025-02-05T16:22:18.628000",
          "tags": [
            "keylogger",
            "ghostrat",
            "persistence",
            "c2 communication",
            "phishing",
            "silver fox apt",
            "valleyrat",
            "anti-vm",
            "dll side-loading"
          ],
          "references": [
            "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
          ],
          "public": 1,
          "adversary": "Silver Fox APT",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "GhostRAT",
              "display_name": "GhostRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 54,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386461,
          "modified_text": "449 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "351 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6808e398ae21a51fff42da1b",
          "name": "ValleyRAT Malware and the Evolving Landscape of Ransomware Threats",
          "description": "",
          "modified": "2025-04-23T12:56:55.861000",
          "created": "2025-04-23T12:56:55.861000",
          "tags": [
            "strong",
            "valleyrat",
            "morphisec",
            "gh0strat",
            "ransomware",
            "learn",
            "efficiency",
            "trend micro",
            "arctic wolf",
            "threat labs",
            "defense",
            "bank",
            "fortune",
            "malware",
            "first",
            "cloudy",
            "stop"
          ],
          "references": [
            "https://www.morphisec.com/blog/valleyrat-malware-and-the-evolving-landscape-of-ransomware-threats/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "kashinatht",
            "id": "322549",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 2,
            "domain": 2
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 16,
          "modified_text": "402 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c0cdc35112c5919563a334",
          "name": "Intel is bad awy",
          "description": "",
          "modified": "2025-03-29T20:01:20.482000",
          "created": "2025-02-27T20:40:35.539000",
          "tags": [
            "sign",
            "github",
            "find",
            "view",
            "search",
            "strong",
            "code issues",
            "pull",
            "breadcrumbs",
            "damn",
            "star",
            "footer",
            "sha1",
            "helldown linux",
            "iocs helldown",
            "windows payload",
            "icon",
            "darkrace",
            "donex",
            "ransom",
            "defanged file",
            "hashes",
            "ipv4",
            "sha256",
            "c2 ip",
            "address",
            "plugin",
            "brazanbamboo c2",
            "panel",
            "archive file",
            "bha006",
            "telegram bot",
            "token",
            "chat id",
            "sha256 hashes",
            "iocs",
            "intermediary",
            "landing",
            "aitm server",
            "compromise note",
            "hashes payload",
            "loader",
            "dropper",
            "ips https",
            "urls https",
            "duoyi",
            "ioc url",
            "ipv4 address",
            "c2 server",
            "sample sha256",
            "remcos",
            "decrypted",
            "urls http",
            "payload",
            "amos stealer",
            "stealc c2",
            "rhadamanthys c2",
            "phishing urls",
            "google meet",
            "amos steaker",
            "html payload",
            "stealc payload",
            "md5 hashes",
            "sha1 hashes",
            "iocs zip",
            "lnk file",
            "msi file",
            "payload url",
            "eldorado",
            "linux",
            "service dll",
            "cheat engine",
            "c2 domain",
            "compromise",
            "urls",
            "iocs files",
            "network ip",
            "domain",
            "malware hash",
            "noopldr type1",
            "noopldr type2",
            "download url",
            "email addresses",
            "block",
            "ioc http",
            "iocs hash",
            "url https",
            "ghostgambit",
            "hidden rootkit",
            "gh0strat",
            "mekotio banking",
            "financial",
            "latin america",
            "detected",
            "zipmsi",
            "downloader",
            "ip address",
            "cobalt strike",
            "first seen",
            "seen",
            "pantegana",
            "tls certificate",
            "fingerprint",
            "samples",
            "trojanspy",
            "msi",
            "subdomains",
            "reddit",
            "wetransfer",
            "ioc hash",
            "file hashes",
            "ip addresses",
            "fake captcha",
            "html",
            "hta script",
            "lumma payload",
            "filehashsha256",
            "indicator type",
            "sha256 lnk",
            "ports",
            "first stage",
            "md5 file",
            "domains",
            "reddelta c2",
            "servers",
            "octoberdecember",
            "shortcut",
            "files",
            "solo airfield",
            "quoc",
            "bctt",
            "kongtuke",
            "mintsloader c2",
            "js download",
            "c2 http",
            "boinc c2",
            "c2 address",
            "analyzed",
            "file name",
            "na stark",
            "na majestic",
            "description",
            "trojanized",
            "beavertail",
            "anydesk module",
            "domain hosting",
            "first",
            "details",
            "monitor",
            "sites",
            "fake chrome",
            "payload host",
            "c2 https",
            "examples",
            "atomic stealer",
            "c2 servers",
            "cthulhu stealer",
            "server http",
            "l files",
            "original",
            "iocs malicious",
            "mirrowsimps",
            "defanged",
            "strike loaders",
            "plugx",
            "plugx c2",
            "sspiuacbypass",
            "malware",
            "malware c2",
            "filehashmd5",
            "site",
            "orgvgodpayment",
            "quite solsjoas",
            "ioc sha256",
            "similar sha256",
            "http",
            "url hundreds",
            "url samples",
            "filehash",
            "guidloader",
            "finaldraft elf",
            "type name",
            "reference",
            "finaldraft",
            "sha256 pfman",
            "pathloader",
            "atomic https",
            "systembc",
            "ghostsocks",
            "invisibleferret",
            "vant",
            "rspackcore",
            "monero",
            "sha256 hash",
            "code snippets",
            "psexec",
            "ituneshelper",
            "pscp",
            "sftp",
            "googleupdate",
            "meshagent",
            "ultravnc",
            "file",
            "bootkitty iocs",
            "phpsert",
            "phpsert variant",
            "createdump tool",
            "visual studio",
            "code",
            "server",
            "sql injection",
            "studio code",
            "ssh access",
            "hta file",
            "vbshower c2",
            "powershower c2",
            "cloud",
            "hta md5",
            "domain name",
            "links",
            "c http",
            "horns",
            "version",
            "version b",
            "version c",
            "version d",
            "version e",
            "burnsrat c",
            "a http",
            "github users",
            "shell commands",
            "vssadmin delete",
            "userprofile",
            "public",
            "registry keys",
            "phobos",
            "lettointago",
            "carljohnson1948",
            "samuelwhite1821",
            "file hash",
            "lockbit",
            "indicatortype",
            "data",
            "mlpea",
            "w32neshtad",
            "gmer",
            "neshta",
            "opswat oesis",
            "v4 removal"
          ],
          "references": [
            "Bootkitty",
            "Glove-Stealer",
            "Fake Discount Sites Exploit Black Friday",
            "Helldown Ransomware",
            "HawkEye Malware",
            "PXA Stealer",
            "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
            "BrazenBamboo",
            "SpyGlace",
            "RustyStealer and New Ymir Ransomware",
            "PyPI-AIOCPA",
            "Python NodeStealer",
            "romcom-exploits-firefox-and-windows",
            "Rockstar-Phishing",
            "Silent Skimmer Gets Loud (Again)",
            "SteelFox Trojan",
            "WezRat Malware",
            "Avast-Anti-Root-KIt",
            "Winos4.0 RAT",
            "APT36",
            "WolfsBane Backdoor",
            "APT-K-47",
            "Remcos RAT",
            "babbleloader",
            "Bitter APT",
            "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
            "CloudScout_ Evasive Panda scouting cloud services",
            "clickfix-tactic",
            "Akira Ransomware",
            "Bumblebee Malware",
            "ELDORADO RANSOMWARE",
            "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
            "Demodex rootkit",
            "BugSleep Malware",
            "HotPage.exe (malware)",
            "Qilin Ransomware",
            "NOOPDOOR Malware",
            "Shadowroot Ransomware",
            "play ransomware",
            "MALLOX RANSOMWARE",
            "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
            "ACR Stealer",
            "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
            "Gh0stGambit",
            "MEKOTIO BANKING TROJAN",
            "TAG-100",
            "Fake game sites lead to information stealers",
            "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
            "macOS Users Targeted by the New Variant of Banshee Infostealer",
            "Hundreds of fake Reddit sites push Lumma Stealer malware",
            "GamaCopy APT Group Mimicking GamaRedon",
            "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
            "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
            "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
            "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
            "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
            "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
            "RansomHub Affiliate leverages Python-based backdoor",
            "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
            "Advanced Evasion Techniques Used by NonEuclid RAT",
            "The Return of PlugX Malware with Fresh Tricks",
            "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
            "Weaponized Software Targeting Chinese Organizations",
            "Threat Surge as Lumma Stealer Expands Its Reach",
            "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
            "MintsLoader_Stealc",
            "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
            "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
            "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
            "Salt Typhoon  Target U.S. Telecom Networks",
            "SecTopRAT",
            "Stealers on the Rise",
            "Snake Keylogger",
            "AsyncRAT Reloaded",
            "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
            "FatalRAT",
            "SystemBC RAT Poses New Risks to Linux System",
            "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
            "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
            "Espionage Campaign Targeting South Asian Entities",
            "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
            "The New Ransomware Menace Vgod Gains Momentum",
            "Microsoft Advertisers Phished via Malicious Google Ads",
            "LegionLoader Malware Expands Global Reach",
            "NEW.txt",
            "From Stealers to Ransomware PureCrypter Delivers It All",
            "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
            "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
            "LockBit Ransomware Attack Leveraging Cobalt Strike",
            "Rspack_Compromised_Packages",
            "SmokeLoader",
            "Sock5Systemz-PROXY-AM",
            "solana-backdoor",
            "U.S. Organization in China Targeted by Attackers",
            "UAC-0185 attacks warned by CERT-UA",
            "BellaCpp",
            "bootkitty(logofail)",
            "Visual Studio Code Remote tunnels",
            "Cloud Atlas seen using a new tool in its attacks",
            "Christmas-Themed LNK Files Used for Malware Delivery",
            "DarkGate",
            "MirrorFace Campain",
            "horns-hooves",
            "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
            "NetSupport RAT and BurnsRAT",
            "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
            "MUT-1244-GitHub",
            "Phobos ransomware",
            "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
            "PUMAKIT",
            "OtterCookie used by Contagious Interview",
            "Ransomware-Lockbit3-IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mekotio Banking",
              "display_name": "Mekotio Banking",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "MSI",
              "display_name": "MSI",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            },
            {
              "id": "Vant",
              "display_name": "Vant",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 84,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Badderawy",
            "id": "310597",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 950,
            "FileHash-SHA1": 847,
            "FileHash-SHA256": 1060,
            "hostname": 1158,
            "domain": 867,
            "URL": 813,
            "email": 77,
            "CIDR": 2,
            "CVE": 9
          },
          "indicator_count": 5783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a6e6d49c73723905d6b81a",
          "name": "ValleyRAT Malware Spreads via Fake Chrome Installers, Targeting Finance and Corporate Sectors",
          "description": "Cybercriminals are distributing the ValleyRAT trojan through fake Google Chrome installer websites, primarily targeting Chinese-speaking regions and high-value roles in finance, accounting, and sales. The malware is delivered via drive-by downloads, using DLL side-loading with a legitimate Douyin executable to evade detection. Researchers have linked this campaign to previous Gh0st RAT infections, while Sophos has also uncovered SVG-based phishing attacks spreading keystroke loggers like Nymeria.",
          "modified": "2025-03-10T04:01:51.595000",
          "created": "2025-02-08T05:08:36.050000",
          "tags": [
            "cyber security news",
            "cyber news",
            "cyber security news today",
            "cyber security updates",
            "cyber updates",
            "hacker news",
            "hacking news",
            "software vulnerability",
            "cyber attacks",
            "data breach",
            "ransomware malware",
            "how to hack",
            "network security",
            "information security",
            "the hacker news",
            "computer security",
            "valleyrat",
            "gh0st rat",
            "google chrome",
            "bogus",
            "silver fox",
            "hong kong",
            "taiwan",
            "mainland china",
            "shmuel uzan",
            "purple fox",
            "nymeria",
            "twitter",
            "gh0st",
            "morphisec",
            "pe file",
            "ghostrat plays",
            "effective hide",
            "monitor",
            "keylogger",
            "vmware",
            "client",
            "amtd",
            "rats",
            "tencent",
            "steam",
            "downloader",
            "beizhu"
          ],
          "references": [
            "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Gh0st",
              "display_name": "Gh0st",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 10,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 215,
          "modified_text": "446 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a5c5a34934add2df680254",
          "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
          "description": "Morphisec Threat Labs \u53d1\u73b0\u4e00\u8d77\u590d\u6742\u7684\u591a\u9636\u6bb5\u653b\u51fb\uff0c\u6700\u7ec8\u690d\u5165 ValleyRAT \u6076\u610f\u8f6f\u4ef6\uff0c\u8be5\u540e\u95e8\u7a0b\u5e8f\u4e0e Silver Fox APT \u7ec4\u7ec7\u6709\u5173\u3002\n\n\u653b\u51fb\u8005\u4e3b\u8981\u5229\u7528 \u9493\u9c7c\u90ae\u4ef6\u3001\u6076\u610f\u7f51\u7ad9\u548c\u5373\u65f6\u901a\u8baf\u5e73\u53f0 \u4f20\u64ad \u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08RAT\uff09\uff0c\u91cd\u70b9\u9488\u5bf9 \u8d22\u52a1\u3001\u4f1a\u8ba1\u3001\u9500\u552e\u7b49\u9ad8\u4ef7\u503c\u5c97\u4f4d\uff0c\u4ee5\u7a83\u53d6\u654f\u611f\u6570\u636e\u3002\u6700\u65b0\u653b\u51fb\u4e2d\uff0c\u653b\u51fb\u8005\u4f2a\u9020\u4e86\u4e2d\u56fd\u67d0\u7535\u4fe1\u516c\u53f8\u5b98\u7f51\uff0c\u8bf1\u9a97\u53d7\u5bb3\u8005\u4e0b\u8f7d\u540d\u4e3a \u201c\u77ed\u4fe1\u56fd\u9645\u901a\u9053\u201d\uff08SMS International Channel\uff09\u7684\u6076\u610f\u8f6f\u4ef6\u3002\n\n\u611f\u67d3\u94fe\u4ece\u53d7\u5bb3\u8005\u4e0b\u8f7d \u4f2a\u88c5\u6210 Chrome \u6d4f\u89c8\u5668\u7684 Setup.zip \u5f00\u59cb\uff0c\u89e3\u538b\u540e\u8fd0\u884c Setup.exe\uff0c\u968f\u540e\u91ca\u653e\u591a\u4e2a\u6076\u610f\u6587\u4ef6\uff0c\u5305\u62ec sscronet.dll\u3001douyin.exe\u3001mpclient.dat \u548c tier0.dll\u3002\u8fd9\u4e9b\u6587\u4ef6\u5b58\u50a8\u5728 C:\\Program Files (x86)\\Common Files\\System\\ \u76ee\u5f55\u4e2d\u3002\n\nsscronet.dll \u8d1f\u8d23 DLL \u6ce8\u5165\uff0c\u5c06\u6076\u610f\u4ee3\u7801\u690d\u5165 svchost.exe\uff0c\u5e76\u521b\u5efa\u540e\u95e8\u3002\ndouyin.exe \u901a\u8fc7 DLL \u65c1\u52a0\u8f7d\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002\nmpclient.dat \u5305\u542b\u52a0\u5bc6\u7684 PE \u6587\u4ef6\u548c shellcode\uff0c\u7528\u4e8e\u89e3\u5bc6\u548c\u6267\u884c\u6076\u610f\u8d1f\u8f7d\u3002\ntier0.dll \u76d1\u6d4b\u7cfb\u7edf\u8fdb\u7a0b\uff0c\u901a\u8fc7 nslookup.exe 
\u8fdb\u884c\u4ee3\u7801\u6ce8\u5165\uff0c\u4ee5\u7ed5\u8fc7\u68c0\u6d4b\u3002\n\u4e3b\u8981\u529f\u80fd\uff1a\n\n\u6301\u4e45\u5316\uff1a\u4fee\u6539\u6ce8\u518c\u8868 Software\\Microsoft\\Windows\\CurrentVersion\\Run\uff0c\u786e\u4fdd\u5f00\u673a\u81ea\u542f\u3002\n\u952e\u76d8\u8bb0\u5f55\uff1a\u5728 ProgramData\\sys.key \u8bb0\u5f55\u7528\u6237\u952e\u76d8\u8f93\u5165\u3002\n\u5c4f\u5e55\u76d1\u63a7\uff1a\u904d\u5386\u663e\u793a\u5668\u4fe1\u606f\uff0c\u53ef\u8fdb\u884c\u5c4f\u5e55\u6355\u83b7\u3002\n\u53cd\u865a\u62df\u673a\u68c0\u6d4b\uff1a\u8bc6\u522b VMware \u73af\u5883\uff0c\u9632\u6b62\u88ab\u5b89\u5168\u7814\u7a76\u4eba\u5458\u5206\u6790\u3002\n\u53cd\u68c0\u6d4b\u6280\u672f\uff1aHook AMSI \u548c ETW \u4ee5\u7ed5\u8fc7 Windows \u5b89\u5168\u673a\u5236\u3002\nValleyRAT \u91c7\u7528 C++ \u7f16\u5199\uff0c\u4e14\u7f16\u8bd1\u8bed\u8a00\u4e3a\u4e2d\u6587\uff0c\u663e\u793a\u51fa\u5178\u578b \u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08RAT\uff09 \u7684\u529f\u80fd\u3002\u7814\u7a76\u4eba\u5458\u5efa\u8bae \u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u9632\u62a4\uff0c\u907f\u514d\u4e0b\u8f7d\u53ef\u7591\u8f6f\u4ef6\uff0c\u5e76\u4fdd\u6301\u9632\u75c5\u6bd2\u6570\u636e\u5e93\u6700\u65b0\u3002",
          "modified": "2025-03-07T16:00:12.175000",
          "created": "2025-02-07T08:34:43.417000",
          "tags": [
            "keylogger",
            "ghostrat",
            "persistence",
            "c2 communication",
            "phishing",
            "silver fox apt",
            "valleyrat",
            "anti-vm",
            "dll side-loading"
          ],
          "references": [
            "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
          ],
          "public": 1,
          "adversary": "Silver Fox APT",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "GhostRAT",
              "display_name": "GhostRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "67a3903aa8b6a07a5de7b593",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "449 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a988733e310b60c59192c0",
          "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
          "description": "",
          "modified": "2025-03-07T16:00:12.175000",
          "created": "2025-02-10T05:02:43.329000",
          "tags": [
            "keylogger",
            "ghostrat",
            "persistence",
            "c2 communication",
            "phishing",
            "silver fox apt",
            "valleyrat",
            "anti-vm",
            "dll side-loading"
          ],
          "references": [
            "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
          ],
          "public": 1,
          "adversary": "Silver Fox APT",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "GhostRAT",
              "display_name": "GhostRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "67a3903aa8b6a07a5de7b593",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "449 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a379147fd000e45f9ec075",
          "name": "URLHaus data - 04-02-2025",
          "description": "",
          "modified": "2025-03-07T14:05:09.660000",
          "created": "2025-02-05T14:43:32.925000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "arm",
            "mirai",
            "MetaStealer",
            "opendir",
            "webdav",
            "sh",
            "backdoor",
            "censys",
            "sshdkit",
            "hajime",
            "bitbucket",
            "CoinMiner",
            "exe",
            "rustystealer",
            "Formbook",
            "hta",
            "rat",
            "RemcosRAT",
            "xloader",
            "ValleyRAT",
            "ClearFake",
            "apk",
            "coper",
            "Octo",
            "Octo2",
            "404"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 285,
            "hostname": 7,
            "domain": 3
          },
          "indicator_count": 295,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1620,
          "modified_text": "449 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a20d1ac26ab36db77bd5be",
          "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
          "description": "Morphisec Threat Labs has investigated a series of indicators of attacks leading to a sophisticated, multi-stage malware named ValleyRAT, which is frequently attributed to the Silver Fox APT.\n A look at some of the key indicators that have been used to test the stability of China's social network, and how they might affect the wider market, and the way they are used.",
          "modified": "2025-03-06T12:00:18.621000",
          "created": "2025-02-04T12:50:34.003000",
          "tags": [
            "compromise",
            "iocs",
            "monitor"
          ],
          "references": [
            "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/?utm_content=323764605&utm_medium=social&utm_source=twitter&hss_channel=tw-2965779277"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 9,
            "domain": 2
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "450 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a2f65e497efe9ed9f12bad",
          "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
          "description": "",
          "modified": "2025-03-06T12:00:18.621000",
          "created": "2025-02-05T05:25:50.798000",
          "tags": [
            "compromise",
            "iocs",
            "monitor"
          ],
          "references": [
            "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/?utm_content=323764605&utm_medium=social&utm_source=twitter&hss_channel=tw-2965779277"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67a20d1ac26ab36db77bd5be",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 9,
            "domain": 2
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "450 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "MintsLoader_Stealc",
        "LegionLoader Malware Expands Global Reach",
        "ACR Stealer",
        "Silent Skimmer Gets Loud (Again)",
        "horns-hooves",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "CloudScout_ Evasive Panda scouting cloud services",
        "PUMAKIT",
        "SpyGlace",
        "SmokeLoader",
        "DarkGate",
        "play ransomware",
        "https://urlhaus.abuse.ch/browse/",
        "clickfix-tactic",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "Helldown Ransomware",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "PyPI-AIOCPA",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "MUT-1244-GitHub",
        "RansomHub Affiliate leverages Python-based backdoor",
        "BellaCpp",
        "PXA Stealer",
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/",
        "Stealers on the Rise",
        "Akira Ransomware",
        "Snake Keylogger",
        "HawkEye Malware",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Python NodeStealer",
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "OtterCookie used by Contagious Interview",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "Sock5Systemz-PROXY-AM",
        "bootkitty(logofail)",
        "Avast-Anti-Root-KIt",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "NOOPDOOR Malware",
        "Phobos ransomware",
        "Rockstar-Phishing",
        "babbleloader",
        "U.S. Organization in China Targeted by Attackers",
        "Remcos RAT",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "Winos4.0 RAT",
        "Rspack_Compromised_Packages",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "Cloud Atlas seen using a new tool in its attacks",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "solana-backdoor",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "Salt Typhoon  Target U.S. Telecom Networks",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/?utm_content=323764605&utm_medium=social&utm_source=twitter&hss_channel=tw-2965779277",
        "AsyncRAT Reloaded",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "Fake game sites lead to information stealers",
        "Demodex rootkit",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "MirrorFace Campain",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "Bootkitty",
        "Visual Studio Code Remote tunnels",
        "Bumblebee Malware",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "MEKOTIO BANKING TROJAN",
        "Qilin Ransomware",
        "https://www.morphisec.com/blog/valleyrat-malware-and-the-evolving-landscape-of-ransomware-threats/",
        "Fake Discount Sites Exploit Black Friday",
        "Gh0stGambit",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "WolfsBane Backdoor",
        "The Return of PlugX Malware with Fresh Tricks",
        "NetSupport RAT and BurnsRAT",
        "TAG-100",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
        "ELDORADO RANSOMWARE",
        "BugSleep Malware",
        "SystemBC RAT Poses New Risks to Linux System",
        "APT36",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "Espionage Campaign Targeting South Asian Entities",
        "MALLOX RANSOMWARE",
        "GamaCopy APT Group Mimicking GamaRedon",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "SteelFox Trojan",
        "Ransomware-Lockbit3-IOCs.csv",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "Bitter APT",
        "The New Ransomware Menace Vgod Gains Momentum",
        "UAC-0185 attacks warned by CERT-UA",
        "HotPage.exe (malware)",
        "SecTopRAT",
        "romcom-exploits-firefox-and-windows",
        "BrazenBamboo",
        "FatalRAT",
        "Glove-Stealer",
        "WezRat Malware",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "APT-K-47",
        "Shadowroot Ransomware",
        "NEW.txt",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "RustyStealer and New Ymir Ransomware",
        "Weaponized Software Targeting Chinese Organizations"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Silver Fox APT"
          ],
          "malware_families": [
            "Ghostrat",
            "Valleyrat"
          ],
          "industries": [
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "Silver Fox APT"
          ],
          "malware_families": [
            "Gh0st",
            "Trojanspy",
            "Ghostrat",
            "Invisibleferret",
            "Vant",
            "Mekotio banking",
            "Msi",
            "Valleyrat"
          ],
          "industries": [
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "67a3903aa8b6a07a5de7b593",
      "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
      "description": "ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection chain begins with a fake Chrome browser download, followed by the execution of a Setup.exe file that downloads additional components. The malware employs DLL side-loading, process injection, and anti-VM techniques to evade detection. It includes features such as keylogging, screen monitoring, and persistence mechanisms. ValleyRAT communicates with command and control servers and can execute various commands, including dropping and executing files, setting startup configurations, and manipulating processes.",
      "modified": "2025-03-07T16:00:12.175000",
      "created": "2025-02-05T16:22:18.628000",
      "tags": [
        "keylogger",
        "ghostrat",
        "persistence",
        "c2 communication",
        "phishing",
        "silver fox apt",
        "valleyrat",
        "anti-vm",
        "dll side-loading"
      ],
      "references": [
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
      ],
      "public": 1,
      "adversary": "Silver Fox APT",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "GhostRAT",
          "display_name": "GhostRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 54,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386461,
      "modified_text": "449 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "351 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6808e398ae21a51fff42da1b",
      "name": "ValleyRAT Malware and the Evolving Landscape of Ransomware Threats",
      "description": "",
      "modified": "2025-04-23T12:56:55.861000",
      "created": "2025-04-23T12:56:55.861000",
      "tags": [
        "strong",
        "valleyrat",
        "morphisec",
        "gh0strat",
        "ransomware",
        "learn",
        "efficiency",
        "trend micro",
        "arctic wolf",
        "threat labs",
        "defense",
        "bank",
        "fortune",
        "malware",
        "first",
        "cloudy",
        "stop"
      ],
      "references": [
        "https://www.morphisec.com/blog/valleyrat-malware-and-the-evolving-landscape-of-ransomware-threats/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "kashinatht",
        "id": "322549",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 2,
        "domain": 2
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 16,
      "modified_text": "402 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c0cdc35112c5919563a334",
      "name": "Intel is bad awy",
      "description": "",
      "modified": "2025-03-29T20:01:20.482000",
      "created": "2025-02-27T20:40:35.539000",
      "tags": [
        "sign",
        "github",
        "find",
        "view",
        "search",
        "strong",
        "code issues",
        "pull",
        "breadcrumbs",
        "damn",
        "star",
        "footer",
        "sha1",
        "helldown linux",
        "iocs helldown",
        "windows payload",
        "icon",
        "darkrace",
        "donex",
        "ransom",
        "defanged file",
        "hashes",
        "ipv4",
        "sha256",
        "c2 ip",
        "address",
        "plugin",
        "brazanbamboo c2",
        "panel",
        "archive file",
        "bha006",
        "telegram bot",
        "token",
        "chat id",
        "sha256 hashes",
        "iocs",
        "intermediary",
        "landing",
        "aitm server",
        "compromise note",
        "hashes payload",
        "loader",
        "dropper",
        "ips https",
        "urls https",
        "duoyi",
        "ioc url",
        "ipv4 address",
        "c2 server",
        "sample sha256",
        "remcos",
        "decrypted",
        "urls http",
        "payload",
        "amos stealer",
        "stealc c2",
        "rhadamanthys c2",
        "phishing urls",
        "google meet",
        "amos steaker",
        "html payload",
        "stealc payload",
        "md5 hashes",
        "sha1 hashes",
        "iocs zip",
        "lnk file",
        "msi file",
        "payload url",
        "eldorado",
        "linux",
        "service dll",
        "cheat engine",
        "c2 domain",
        "compromise",
        "urls",
        "iocs files",
        "network ip",
        "domain",
        "malware hash",
        "noopldr type1",
        "noopldr type2",
        "download url",
        "email addresses",
        "block",
        "ioc http",
        "iocs hash",
        "url https",
        "ghostgambit",
        "hidden rootkit",
        "gh0strat",
        "mekotio banking",
        "financial",
        "latin america",
        "detected",
        "zipmsi",
        "downloader",
        "ip address",
        "cobalt strike",
        "first seen",
        "seen",
        "pantegana",
        "tls certificate",
        "fingerprint",
        "samples",
        "trojanspy",
        "msi",
        "subdomains",
        "reddit",
        "wetransfer",
        "ioc hash",
        "file hashes",
        "ip addresses",
        "fake captcha",
        "html",
        "hta script",
        "lumma payload",
        "filehashsha256",
        "indicator type",
        "sha256 lnk",
        "ports",
        "first stage",
        "md5 file",
        "domains",
        "reddelta c2",
        "servers",
        "octoberdecember",
        "shortcut",
        "files",
        "solo airfield",
        "quoc",
        "bctt",
        "kongtuke",
        "mintsloader c2",
        "js download",
        "c2 http",
        "boinc c2",
        "c2 address",
        "analyzed",
        "file name",
        "na stark",
        "na majestic",
        "description",
        "trojanized",
        "beavertail",
        "anydesk module",
        "domain hosting",
        "first",
        "details",
        "monitor",
        "sites",
        "fake chrome",
        "payload host",
        "c2 https",
        "examples",
        "atomic stealer",
        "c2 servers",
        "cthulhu stealer",
        "server http",
        "l files",
        "original",
        "iocs malicious",
        "mirrowsimps",
        "defanged",
        "strike loaders",
        "plugx",
        "plugx c2",
        "sspiuacbypass",
        "malware",
        "malware c2",
        "filehashmd5",
        "site",
        "orgvgodpayment",
        "quite solsjoas",
        "ioc sha256",
        "similar sha256",
        "http",
        "url hundreds",
        "url samples",
        "filehash",
        "guidloader",
        "finaldraft elf",
        "type name",
        "reference",
        "finaldraft",
        "sha256 pfman",
        "pathloader",
        "atomic https",
        "systembc",
        "ghostsocks",
        "invisibleferret",
        "vant",
        "rspackcore",
        "monero",
        "sha256 hash",
        "code snippets",
        "psexec",
        "ituneshelper",
        "pscp",
        "sftp",
        "googleupdate",
        "meshagent",
        "ultravnc",
        "file",
        "bootkitty iocs",
        "phpsert",
        "phpsert variant",
        "createdump tool",
        "visual studio",
        "code",
        "server",
        "sql injection",
        "studio code",
        "ssh access",
        "hta file",
        "vbshower c2",
        "powershower c2",
        "cloud",
        "hta md5",
        "domain name",
        "links",
        "c http",
        "horns",
        "version",
        "version b",
        "version c",
        "version d",
        "version e",
        "burnsrat c",
        "a http",
        "github users",
        "shell commands",
        "vssadmin delete",
        "userprofile",
        "public",
        "registry keys",
        "phobos",
        "lettointago",
        "carljohnson1948",
        "samuelwhite1821",
        "file hash",
        "lockbit",
        "indicatortype",
        "data",
        "mlpea",
        "w32neshtad",
        "gmer",
        "neshta",
        "opswat oesis",
        "v4 removal"
      ],
      "references": [
        "Bootkitty",
        "Glove-Stealer",
        "Fake Discount Sites Exploit Black Friday",
        "Helldown Ransomware",
        "HawkEye Malware",
        "PXA Stealer",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "BrazenBamboo",
        "SpyGlace",
        "RustyStealer and New Ymir Ransomware",
        "PyPI-AIOCPA",
        "Python NodeStealer",
        "romcom-exploits-firefox-and-windows",
        "Rockstar-Phishing",
        "Silent Skimmer Gets Loud (Again)",
        "SteelFox Trojan",
        "WezRat Malware",
        "Avast-Anti-Root-KIt",
        "Winos4.0 RAT",
        "APT36",
        "WolfsBane Backdoor",
        "APT-K-47",
        "Remcos RAT",
        "babbleloader",
        "Bitter APT",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "CloudScout_ Evasive Panda scouting cloud services",
        "clickfix-tactic",
        "Akira Ransomware",
        "Bumblebee Malware",
        "ELDORADO RANSOMWARE",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "Demodex rootkit",
        "BugSleep Malware",
        "HotPage.exe (malware)",
        "Qilin Ransomware",
        "NOOPDOOR Malware",
        "Shadowroot Ransomware",
        "play ransomware",
        "MALLOX RANSOMWARE",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "ACR Stealer",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "Gh0stGambit",
        "MEKOTIO BANKING TROJAN",
        "TAG-100",
        "Fake game sites lead to information stealers",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "GamaCopy APT Group Mimicking GamaRedon",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "RansomHub Affiliate leverages Python-based backdoor",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "The Return of PlugX Malware with Fresh Tricks",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "Weaponized Software Targeting Chinese Organizations",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "MintsLoader_Stealc",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "Salt Typhoon  Target U.S. Telecom Networks",
        "SecTopRAT",
        "Stealers on the Rise",
        "Snake Keylogger",
        "AsyncRAT Reloaded",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "FatalRAT",
        "SystemBC RAT Poses New Risks to Linux System",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "Espionage Campaign Targeting South Asian Entities",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "The New Ransomware Menace Vgod Gains Momentum",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "LegionLoader Malware Expands Global Reach",
        "NEW.txt",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "Rspack_Compromised_Packages",
        "SmokeLoader",
        "Sock5Systemz-PROXY-AM",
        "solana-backdoor",
        "U.S. Organization in China Targeted by Attackers",
        "UAC-0185 attacks warned by CERT-UA",
        "BellaCpp",
        "bootkitty(logofail)",
        "Visual Studio Code Remote tunnels",
        "Cloud Atlas seen using a new tool in its attacks",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "DarkGate",
        "MirrorFace Campain",
        "horns-hooves",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "NetSupport RAT and BurnsRAT",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "MUT-1244-GitHub",
        "Phobos ransomware",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "PUMAKIT",
        "OtterCookie used by Contagious Interview",
        "Ransomware-Lockbit3-IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mekotio Banking",
          "display_name": "Mekotio Banking",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "MSI",
          "display_name": "MSI",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        },
        {
          "id": "Vant",
          "display_name": "Vant",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 84,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Badderawy",
        "id": "310597",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 950,
        "FileHash-SHA1": 847,
        "FileHash-SHA256": 1060,
        "hostname": 1158,
        "domain": 867,
        "URL": 813,
        "email": 77,
        "CIDR": 2,
        "CVE": 9
      },
      "indicator_count": 5783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "427 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a6e6d49c73723905d6b81a",
      "name": "ValleyRAT Malware Spreads via Fake Chrome Installers, Targeting Finance and Corporate Sectors",
      "description": "Cybercriminals are distributing the ValleyRAT trojan through fake Google Chrome installer websites, primarily targeting Chinese-speaking regions and high-value roles in finance, accounting, and sales. The malware is delivered via drive-by downloads, using DLL side-loading with a legitimate Douyin executable to evade detection. Researchers have linked this campaign to previous Gh0st RAT infections, while Sophos has also uncovered SVG-based phishing attacks spreading keystroke loggers like Nymeria.",
      "modified": "2025-03-10T04:01:51.595000",
      "created": "2025-02-08T05:08:36.050000",
      "tags": [
        "cyber security news",
        "cyber news",
        "cyber security news today",
        "cyber security updates",
        "cyber updates",
        "hacker news",
        "hacking news",
        "software vulnerability",
        "cyber attacks",
        "data breach",
        "ransomware malware",
        "how to hack",
        "network security",
        "information security",
        "the hacker news",
        "computer security",
        "valleyrat",
        "gh0st rat",
        "google chrome",
        "bogus",
        "silver fox",
        "hong kong",
        "taiwan",
        "mainland china",
        "shmuel uzan",
        "purple fox",
        "nymeria",
        "twitter",
        "gh0st",
        "morphisec",
        "pe file",
        "ghostrat plays",
        "effective hide",
        "monitor",
        "keylogger",
        "vmware",
        "client",
        "amtd",
        "rats",
        "tencent",
        "steam",
        "downloader",
        "beizhu"
      ],
      "references": [
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Gh0st",
          "display_name": "Gh0st",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 10,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 215,
      "modified_text": "446 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a5c5a34934add2df680254",
      "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
      "description": "Morphisec Threat Labs \u53d1\u73b0\u4e00\u8d77\u590d\u6742\u7684\u591a\u9636\u6bb5\u653b\u51fb\uff0c\u6700\u7ec8\u690d\u5165 ValleyRAT \u6076\u610f\u8f6f\u4ef6\uff0c\u8be5\u540e\u95e8\u7a0b\u5e8f\u4e0e Silver Fox APT \u7ec4\u7ec7\u6709\u5173\u3002\n\n\u653b\u51fb\u8005\u4e3b\u8981\u5229\u7528 \u9493\u9c7c\u90ae\u4ef6\u3001\u6076\u610f\u7f51\u7ad9\u548c\u5373\u65f6\u901a\u8baf\u5e73\u53f0 \u4f20\u64ad \u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08RAT\uff09\uff0c\u91cd\u70b9\u9488\u5bf9 \u8d22\u52a1\u3001\u4f1a\u8ba1\u3001\u9500\u552e\u7b49\u9ad8\u4ef7\u503c\u5c97\u4f4d\uff0c\u4ee5\u7a83\u53d6\u654f\u611f\u6570\u636e\u3002\u6700\u65b0\u653b\u51fb\u4e2d\uff0c\u653b\u51fb\u8005\u4f2a\u9020\u4e86\u4e2d\u56fd\u67d0\u7535\u4fe1\u516c\u53f8\u5b98\u7f51\uff0c\u8bf1\u9a97\u53d7\u5bb3\u8005\u4e0b\u8f7d\u540d\u4e3a \u201c\u77ed\u4fe1\u56fd\u9645\u901a\u9053\u201d\uff08SMS International Channel\uff09\u7684\u6076\u610f\u8f6f\u4ef6\u3002\n\n\u611f\u67d3\u94fe\u4ece\u53d7\u5bb3\u8005\u4e0b\u8f7d \u4f2a\u88c5\u6210 Chrome \u6d4f\u89c8\u5668\u7684 Setup.zip \u5f00\u59cb\uff0c\u89e3\u538b\u540e\u8fd0\u884c Setup.exe\uff0c\u968f\u540e\u91ca\u653e\u591a\u4e2a\u6076\u610f\u6587\u4ef6\uff0c\u5305\u62ec sscronet.dll\u3001douyin.exe\u3001mpclient.dat \u548c tier0.dll\u3002\u8fd9\u4e9b\u6587\u4ef6\u5b58\u50a8\u5728 C:\\Program Files (x86)\\Common Files\\System\\ \u76ee\u5f55\u4e2d\u3002\n\nsscronet.dll \u8d1f\u8d23 DLL \u6ce8\u5165\uff0c\u5c06\u6076\u610f\u4ee3\u7801\u690d\u5165 svchost.exe\uff0c\u5e76\u521b\u5efa\u540e\u95e8\u3002\ndouyin.exe \u901a\u8fc7 DLL \u65c1\u52a0\u8f7d\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002\nmpclient.dat \u5305\u542b\u52a0\u5bc6\u7684 PE \u6587\u4ef6\u548c shellcode\uff0c\u7528\u4e8e\u89e3\u5bc6\u548c\u6267\u884c\u6076\u610f\u8d1f\u8f7d\u3002\ntier0.dll \u76d1\u6d4b\u7cfb\u7edf\u8fdb\u7a0b\uff0c\u901a\u8fc7 nslookup.exe \u8fdb\u884c\u4ee3\u7801\u6ce8\u5165\uff0c\u4ee5\u7ed5\u8fc7\u68c0\u6d4b\u3002\n\u4e3b\u8981\u529f\u80fd\uff1a\n\n\u6301\u4e45\u5316\uff1a\u4fee\u6539\u6ce8\u518c\u8868 Software\\Microsoft\\Windows\\CurrentVersion\\Run\uff0c\u786e\u4fdd\u5f00\u673a\u81ea\u542f\u3002\n\u952e\u76d8\u8bb0\u5f55\uff1a\u5728 ProgramData\\sys.key \u8bb0\u5f55\u7528\u6237\u952e\u76d8\u8f93\u5165\u3002\n\u5c4f\u5e55\u76d1\u63a7\uff1a\u904d\u5386\u663e\u793a\u5668\u4fe1\u606f\uff0c\u53ef\u8fdb\u884c\u5c4f\u5e55\u6355\u83b7\u3002\n\u53cd\u865a\u62df\u673a\u68c0\u6d4b\uff1a\u8bc6\u522b VMware \u73af\u5883\uff0c\u9632\u6b62\u88ab\u5b89\u5168\u7814\u7a76\u4eba\u5458\u5206\u6790\u3002\n\u53cd\u68c0\u6d4b\u6280\u672f\uff1aHook AMSI \u548c ETW \u4ee5\u7ed5\u8fc7 Windows \u5b89\u5168\u673a\u5236\u3002\nValleyRAT \u91c7\u7528 C++ \u7f16\u5199\uff0c\u4e14\u7f16\u8bd1\u8bed\u8a00\u4e3a\u4e2d\u6587\uff0c\u663e\u793a\u51fa\u5178\u578b \u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08RAT\uff09 \u7684\u529f\u80fd\u3002\u7814\u7a76\u4eba\u5458\u5efa\u8bae \u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u9632\u62a4\uff0c\u907f\u514d\u4e0b\u8f7d\u53ef\u7591\u8f6f\u4ef6\uff0c\u5e76\u4fdd\u6301\u9632\u75c5\u6bd2\u6570\u636e\u5e93\u6700\u65b0\u3002",
      "modified": "2025-03-07T16:00:12.175000",
      "created": "2025-02-07T08:34:43.417000",
      "tags": [
        "keylogger",
        "ghostrat",
        "persistence",
        "c2 communication",
        "phishing",
        "silver fox apt",
        "valleyrat",
        "anti-vm",
        "dll side-loading"
      ],
      "references": [
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
      ],
      "public": 1,
      "adversary": "Silver Fox APT",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "GhostRAT",
          "display_name": "GhostRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "67a3903aa8b6a07a5de7b593",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "449 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a988733e310b60c59192c0",
      "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
      "description": "",
      "modified": "2025-03-07T16:00:12.175000",
      "created": "2025-02-10T05:02:43.329000",
      "tags": [
        "keylogger",
        "ghostrat",
        "persistence",
        "c2 communication",
        "phishing",
        "silver fox apt",
        "valleyrat",
        "anti-vm",
        "dll side-loading"
      ],
      "references": [
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/"
      ],
      "public": 1,
      "adversary": "Silver Fox APT",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "GhostRAT",
          "display_name": "GhostRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "67a3903aa8b6a07a5de7b593",
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "449 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a379147fd000e45f9ec075",
      "name": "URLHaus data - 04-02-2025",
      "description": "",
      "modified": "2025-03-07T14:05:09.660000",
      "created": "2025-02-05T14:43:32.925000",
      "tags": [
        "32-bit",
        "elf",
        "mips",
        "Mozi",
        "arm",
        "mirai",
        "MetaStealer",
        "opendir",
        "webdav",
        "sh",
        "backdoor",
        "censys",
        "sshdkit",
        "hajime",
        "bitbucket",
        "CoinMiner",
        "exe",
        "rustystealer",
        "Formbook",
        "hta",
        "rat",
        "RemcosRAT",
        "xloader",
        "ValleyRAT",
        "ClearFake",
        "apk",
        "coper",
        "Octo",
        "Octo2",
        "404"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 285,
        "hostname": 7,
        "domain": 3
      },
      "indicator_count": 295,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1620,
      "modified_text": "449 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a20d1ac26ab36db77bd5be",
      "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
      "description": "Morphisec Threat Labs has investigated a series of indicators of attacks leading to a sophisticated, multi-stage malware named ValleyRAT, which is frequently attributed to the Silver Fox APT.\n A look at some of the key indicators that have been used to test the stability of China's social network, and how they might affect the wider market.. and the way they are used.",
      "modified": "2025-03-06T12:00:18.621000",
      "created": "2025-02-04T12:50:34.003000",
      "tags": [
        "compromise",
        "iocs",
        "monitor"
      ],
      "references": [
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/?utm_content=323764605&utm_medium=social&utm_source=twitter&hss_channel=tw-2965779277"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 9,
        "domain": 2
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "450 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a2f65e497efe9ed9f12bad",
      "name": "Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques",
      "description": "",
      "modified": "2025-03-06T12:00:18.621000",
      "created": "2025-02-05T05:25:50.798000",
      "tags": [
        "compromise",
        "iocs",
        "monitor"
      ],
      "references": [
        "https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/?utm_content=323764605&utm_medium=social&utm_source=twitter&hss_channel=tw-2965779277"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67a20d1ac26ab36db77bd5be",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 9,
        "domain": 2
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "450 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "type": "Domain",
    "indicator": "anizom.com",
    "stats": {
      "malicious": 16,
      "suspicious": 1,
      "harmless": 43,
      "undetected": 31,
      "total": 91,
      "verdict": "malicious",
      "ratio": "16/91"
    },
    "verdict": "malicious",
    "ratio": "16/91",
    "registrar": "",
    "creation_date": 1732406400,
    "reputation": -1,
    "tags": [],
    "categories": {},
    "top_detections": [
      {
        "vendor": "ADMINUSLabs",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "Antiy-AVL",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "Bfore.Ai PreCrime",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "BitDefender",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "Chong Lua Dao",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "CyRadar",
        "result": "phishing",
        "category": "malicious"
      },
      {
        "vendor": "ESET",
        "result": "phishing",
        "category": "malicious"
      },
      {
        "vendor": "Forcepoint ThreatSeeker",
        "result": "suspicious",
        "category": "suspicious"
      },
      {
        "vendor": "Fortinet",
        "result": "phishing",
        "category": "malicious"
      },
      {
        "vendor": "G-Data",
        "result": "malware",
        "category": "malicious"
      }
    ],
    "last_analysis": 1780177791,
    "error": null
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "anizom.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 1,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://anizom.com/Setup.zip",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-02-04",
        "tags": [
          "ValleyRAT"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780185620.7068818
}