ValleyRAT
ValleyRAT, also known as Winos 4.0 or Winos4.0, is a modular remote access trojan generated from the Winos4.0 C2 framework; Proofpoint tracks it as the payload family that framework produces. The sources cited on this page describe it as a full-featured RAT with remote access capabilities, on-demand module download, and DDoS functionality. It derives from the legacy Gh0st RAT family, and its C2 traffic has been observed over Gh0stKCP, a UDP-based transport built on KCP.
The malware is associated with the Chinese-speaking, financially motivated threat cluster TA4922 and with Silver Fox (also referred to as Void Arachne or The Great Thief of Valley in one source). Proofpoint reported TA4922 using ValleyRAT to gain remote access to victim systems in campaigns targeting organizations primarily in Japan and elsewhere in East Asia, and later in the United Kingdom, Germany, Italy, South Africa, and Southeast Asia. Separate reporting links ValleyRAT/Winos4.0 to Silver Fox campaigns against healthcare organizations, public sector entities, and corporate users, using trojanized software, phishing, SEO poisoning, compromised installers, and fake software download sites.
Observed delivery and execution methods include phishing emails with tax-, invoice-, payroll-, HR-, benefits-, and compliance-themed lures; archive attachments and cloud-hosted downloads; DLL sideloading; trojanized installers; and multi-stage loaders such as RustSL. One documented campaign used fake Microsoft Teams download sites and trojanized ZIP archives, with an NSIS installer abusing Tencent's GameBox.exe to sideload a malicious Utility.dll and ultimately deploy a ValleyRAT variant. Another used a modified RustSL loader to download and execute ValleyRAT after tax-themed phishing against organizations in India and Russia.
Documented capabilities include full remote access; downloading additional modules on demand; DDoS support; clipboard theft; keystroke logging; activity logging; exfiltration of collected data; and use of PowerShell to add Windows Defender exclusions, in one cited example excluding the entire C:\ drive. ValleyRAT has also been reported to enable SeDebugPrivilege. In the Teams-themed campaign, the final payload was reflectively loaded and an exported function named load was invoked to execute the ValleyRAT module in memory. The malware stores captured keystrokes, clipboard contents, and execution status in local log files before exfiltration.
Reporting also describes registry and persistence artifacts. Previous variants reportedly stored encoded C2 configuration in HKCU\SOFTWARE\IpDates_info and encrypted binary data in HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e. Other reporting states that ValleyRAT stores modules and configuration under HKCU:\Console\0, HKCU:\Console\1, HKCU:\Console\IpDate, and HKCU:\Software\IpDates_info. In the fake Teams installer campaign, the sideloaded Utility.dll created an auto-start service named _CCGDAT for persistence.
High-confidence infrastructure and indicators named in the cited reporting include C2 IP 103.215.77.17 from the fake Teams campaign; welovechinatown[.]info as a documented Winos4.0-related C2; api[.]eth-fastscan[.]org, which served a separate sample that researchers linked to WinOS 4.0 infrastructure; and a recovered ValleyRAT configuration referencing 207.56.138[.]28:6666. Filenames and module names mentioned include GameBox.exe, Utility.dll, user.dat, 上线模块.dll, 登录模块.dll_bin, and the ValleyRAT-related modules 保86.dll and 保86.dll_bin.
Overall, public reporting consistently characterizes ValleyRAT/Winos4.0 as a modular, surveillance-capable RAT used in phishing- and trojanized-software-driven intrusion chains for remote access, data theft, fraud-enabling access, and broader post-compromise operations.
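The host artifacts summarized above (the Defender exclusion command, the IpDates_info and Console subkeys, the GameBox.exe/Utility.dll sideload pair, and the _CCGDAT service) turned into a hunting script that runs over Sysmon-style events. This is an added example written for this page, not code from any of the cited reports; the events, field names, SID-folding and severity labels are constructed assumptions, and the only values taken from the reporting are the registry paths, filenames and service name.

```python
"""Hunt ValleyRAT/Winos4.0 host artefacts over Sysmon-style events.
Added example; the events below are constructed, not real telemetry.
Event IDs used: Sysmon 1 (process create), 7 (image load),
13 (registry value set) and System 7045 (service installed)."""
import re

# Registry locations reported for ValleyRAT config and module storage.
# HKCU\Console itself is a normal key, so match only the reported subkeys.
SUSPICIOUS_REG_PREFIXES = (
    "hkcu\\software\\ipdates_info",
    "hkcu\\console\\ipdate",
    "hkcu\\console\\0\\",
    "hkcu\\console\\1\\",
)
SIDELOAD_HOST = "gamebox.exe"     # legitimate Tencent binary used as host
SIDELOAD_DLL = "utility.dll"      # malicious DLL loaded beside it
PERSISTENCE_SERVICE = "_ccgdat"   # auto-start service from the Teams campaign

# Add-MpPreference -ExclusionPath <path>; a bare drive root is the strongest signal.
EXCLUSION_RE = re.compile(r"""add-mppreference\b.*?-exclusionpath\s+['"]?([^'"\s]+)""", re.I)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\?$", re.I)
# Sysmon records HKU\<SID>\...; fold that to HKCU\... before matching (assumption).
HKU_SID_RE = re.compile(r"^hku\\s-1-5-21-[\d-]+\\")


def normalize_reg(target):
    return HKU_SID_RE.sub("hkcu\\\\", target.lower())


def hunt(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for e in events:
        eid = e["id"]
        if eid == 1:
            m = EXCLUSION_RE.search(e.get("cmdline", ""))
            if m:
                path = m.group(1)
                sev = "high" if DRIVE_ROOT_RE.match(path) else "medium"
                findings.append(("defender_exclusion", f"{sev}:{path}"))
        elif eid == 7:
            host = e["image"].rsplit("\\", 1)[-1].lower()
            dll = e["loaded"].rsplit("\\", 1)[-1].lower()
            in_system = e["loaded"].lower().startswith("c:\\windows\\")
            if host == SIDELOAD_HOST and dll == SIDELOAD_DLL and not in_system:
                findings.append(("dll_sideload", e["loaded"]))
        elif eid == 13:
            if normalize_reg(e["target"]).startswith(SUSPICIOUS_REG_PREFIXES):
                findings.append(("valleyrat_registry", e["target"]))
        elif eid == 7045:
            if e["name"].lower() == PERSISTENCE_SERVICE:
                findings.append(("persistence_service", e["name"]))
    return findings


# Constructed sample events: four malicious, two benign.
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command \"Add-MpPreference -ExclusionPath C:\\\""},
    {"id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\u\\AppData\\Roaming\\Teams'\""},
    {"id": 7, "image": "C:\\Users\\u\\AppData\\Roaming\\Teams\\GameBox.exe",
     "loaded": "C:\\Users\\u\\AppData\\Roaming\\Teams\\Utility.dll"},
    {"id": 13, "target": "HKCU\\Console\\0\\451b464b7a6c2ced348c1866b59c362e"},
    {"id": 13, "target": "HKU\\S-1-5-21-1-2-3-1001\\Software\\IpDates_info"},
    {"id": 13, "target": "HKCU\\Console\\%SystemRoot%_system32_cmd.exe\\FontSize"},  # benign
    {"id": 7045, "name": "_CCGDAT"},
    {"id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ipconfig /all"},  # benign
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:22s} {detail}")
```

The exclusion rule deliberately grades a drive-root exclusion above a directory exclusion, since software installers do add narrow paths; the registry rule matches the reported Console subkeys rather than HKCU\Console as a whole because the console host writes legitimate per-executable subkeys there.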
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
"It's worth noting that the NSecKrnl driver is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7) that could be exploited to terminate arbitrary processes."
Groups observed using it
10 distinct threat actors attributed by public researchers.
It sometimes tried to get targets to communicate outside of their normal work emails, and used ValleyRAT to gain remote access to their systems.
Our investigation revealed that the delivered payload leverages a DLL sideloading chain via a legitimate executable (GameBox.exe) developed by Tencent, ultimately deploying a ValleyRAT variant.
Analysts found infrastructure overlaps between this campaign and previous npm typosquatting attacks that distributed ValleyRAT (also known as Winos 4.0).
SHA256: 2cb5614936ef42e52c44ebb7b758bf57fde6c7b2d68cc21a7ec94d2f0adb3435 | Family: SilverFox / Winos4.0 Qt loader (yesterday's sample) | Relation: Compiled 2026-04-08; lists Alibaba Cloud HK IPs including nodes in this cluster.
A published timeline showing the operator has been running on this namespace continuously since March 2025, and that yesterday's ValleyRAT ZPAQ sample (2cb56149…) is bound to this same infrastructure cluster.
The campaign distributes ValleyRAT -- a modular remote access trojan built on the Winos4.0 framework, itself an evolution of the decade-old Gh0st RAT -- through social engineering lures tailored exclusively to Chinese-speaking victims. | At the core of every variant sits the Winos4.0 framework, a modular malware platform that evolved from the leaked Gh0st RAT source code that has circulated in Chinese underground forums since 2008.
A Japanese-language invoice campaign impersonating Rakuten dropped a ValleyRAT implant on April 16, 2026.
The sample delivers ValleyRAT with a kernel-mode rootkit and employs a six-stage infection chain built around a legitimate zpaqfranz decompression binary used as a LOLBin, a ByteDance/TikTok elevation service binary used as a DLL sideloading host, and a vulnerable wnBios BIOS driver used via BYOVD for physical memory access.
The discovery of AtlasCross RAT represents an evolution of the threat actor's arsenal from Gh0st RAT derivatives like ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Silver Fox distributes these malicious applications through various channels, including SEO poisoning campaigns, phishing emails, and compromised software installers for popular applications like Chrome, VPN clients, and AI tools.
Initial Access
5 techniques
A fake repository impersonating OpenAI’s Privacy Filter tool climbed to the top of Hugging Face’s trending list last week... Attackers cloned its documentation almost word-for-word, creating a mirror repository that looked credible enough to fool experienced developers at first glance.
Silver Fox has emerged as a significant cybersecurity concern, leveraging trojanized medical software to infiltrate healthcare organizations and public sector entities.
The attacker uses localized phishing lures crafted to appear as payroll notices, tax audits, VAT filings, government compliance notices, invoices, and human resources communications.
The group sends carefully crafted emails disguised as messages from HR departments, tax authorities, and payroll teams... Once a victim clicks a link or opens an attachment, the malware silently installs itself.
A tax-themed phishing email impersonates HMRC, and a benefits-themed phishing email uses a shortened link to send recipients to download malware.
Execution
3 techniques
To evade detection, the malware configures Windows Defender exclusions using PowerShell commands
Winos4.0 is a well-documented C2 framework... [with] Remote shell access and command execution
The attack begins with a trojanized executable, such as MediaViewerLauncher.exe, which mimics the legitimate Philips DICOM viewer software.
Persistence
2 techniques
In the previous versions of ValleyRAT, configuration data, including the encoded C2 domain were likely written to HKCU\SOFTWARE\IpDates_info and a secondary key at HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e stores encrypted binary data likely used for malware configuration or payload staging.
Privilege Escalation
4 techniques
Following decryption, the loader allocates memory within the current process and writes the decrypted shellcode into it. Execution is then transferred using CreateThread, allowing the payload to run entirely in-memory.
The second stage focuses on disabling endpoint security through a Bring Your Own Vulnerable Driver (BYOVD) attack, loading the TrueSightKiller driver (189atohci.sys) to terminate antivirus processes using DeviceIoControl with IOCTL 0x22e044.
Access Token Manipulation: Create Process with Token - T1134.002 5 out of 18 malware families manipulate the process token to gain greater control over other processes on the system.
Stealth
9 techniques
Both the second stage loader and the third stage payload implement API hashing to resolve Windows API functions at runtime. Instead of storing API names in plain text, the malware computes hashes and dynamically matches them against exported functions from loaded modules.
The websites closely mimic the legitimate Microsoft Teams download page, using lookalike domains to trick users into downloading a trojanized installer packaged as a zip archive.
During analysis, a call to SetFileAttributes was observed with the value 7 which made the copied folder hidden.
A primary shellcode payload user.dat is dropped by Installer in an AES encrypted form. During runtime, the malware performs decryption in memory before execution.
After loading, the DLL module unpacks the archive using COM methods... After copying the files, the script launches the Python module appclient using the legitimate pythonw.exe tool
Post decryption, the payload consists of a shellcode loader followed by a fully functional ValleyRAT module. The loader uses Reflective Loading techniques to map the PE into memory.
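The API-hashing technique quoted above (hash computed over export names at runtime, matched against each loaded module's export table) as a worked example, together with the analyst-side inverse: precompute the table for the exports you care about and scan a decrypted loader blob for the embedded hash constants. This is an added example written for this page, not code from the cited reporting. The ROR13 rotate-and-add hash is an assumption chosen for illustration because it is the most common family of such hashes; the reporting does not name the algorithm these stages use, and the export list and byte blob are constructed.

```python
"""API hashing: how a loader resolves imports without import names, and how an
analyst reverses it. Added example; ROR13 is assumed, not taken from the
reporting, and EXPORTS / SAMPLE_BLOB are constructed stand-ins."""
import struct


def ror13_hash(name):
    """Rotate the running 32-bit hash right by 13, then add the next byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed subset of a module's export name table.
EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
           "GetClipboardData", "SetFileAttributesA", "DeviceIoControl"]


def build_table(exports, hasher=ror13_hash):
    """Reverse map hash -> export name. The loader walks the export table and
    compares hashes; an analyst precomputes the same table to name the calls."""
    table = {}
    for name in exports:
        h = hasher(name)
        if h in table:
            raise ValueError(f"hash collision: {name} vs {table[h]}")
        table[h] = name
    return table


def resolve(hash_value, table):
    """What the loader's resolver yields: the export matching the hash, or None."""
    return table.get(hash_value)


def scan_blob(blob, table):
    """Read a little-endian u32 at every offset of a blob and keep the ones
    that are known hashes. Returns [(offset, export_name), ...]."""
    hits = []
    for off in range(len(blob) - 3):
        (v,) = struct.unpack_from("<I", blob, off)
        if v in table:
            hits.append((off, table[v]))
    return hits


# Constructed stand-in for a decrypted loader: NOP sled, hash, padding, hash.
SAMPLE_BLOB = (b"\x90" * 4 + struct.pack("<I", ror13_hash("VirtualAlloc"))
               + b"\xcc" * 3 + struct.pack("<I", ror13_hash("CreateThread")))

if __name__ == "__main__":
    table = build_table(EXPORTS)
    for off, name in scan_blob(SAMPLE_BLOB, table):
        print(f"offset {off:#06x}: {name} ({ror13_hash(name):#010x})")
```

In practice the table is built from every export of the DLLs the loader is observed to walk (kernel32, user32, ntdll and so on), and if the hashes do not resolve under ROR13 the rotate count or the add/xor step is what to vary first; the scan itself is unchanged.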
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
1 technique
The system reconnaissance phase utilizes native Windows utilities including cmd.exe, ping.exe, and ipconfig.exe to assess system properties and network connectivity.
Collection
6 techniques
This suggests that the RAT maintains a local buffer of collected data before exfiltration to its command and control server.
The malware actively monitors user activity by accessing clipboard contents through the GetClipboardData API.
Atlas RAT has the following capabilities... Record audio and video (webcam)
Upon visiting the site, users are prompted to download a compressed archive named as: 98653.2.87.teamsx.zip ...
Command and Control
6 techniques
Atlas RAT ... connected to a command-and-control server at 206.238.115.58 over port 886... Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure.
Using jsonkeeper[.]com (a public JSON paste service) as the C2 channel lets the attacker rotate the payload without modifying the repository.
The intricate ARQ handshake routine does, however, allow for hole punching in firewalls, aka “NAT traversal”, which enables the protocol to be used for peer-to-peer communication. This p2p-enabling property could potentially be used to relay C2 communication through one or several bots, even if those bots are behind separate NAT firewalls.
Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP... From this point on Gh0stKCP communicates using the KCP protocol, with the exception that each end transmits packets using their own conversation ID rather than a common ID.
ValleyRAT, built on the Winos4.0 framework, adds DDoS support and downloads additional modules on demand.
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems, or legitimate remote monitoring and management (RMM) software, like AnyDesk. In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system.
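The Gh0stKCP transport quoted above (KCP over UDP, but with each end transmitting under its own conversation ID rather than the shared one standard KCP uses) as a worked example: a parser for the standard 24-byte little-endian KCP segment header, and a flow check that flags bidirectional UDP conversations whose two directions never share a conv ID. This is an added example written for this page, not code from the cited research; the packets are constructed, the asymmetric-conv heuristic is my own, and the parser covers only the KCP-shaped phase, not Gh0stKCP's initial ARQ handshake, which it will simply report as non-KCP.

```python
"""Parse KCP segments from UDP payloads and flag flows whose two directions
use disjoint conversation IDs. Added example with constructed packets.
KCP header (little-endian): conv u32, cmd u8, frg u8, wnd u16, ts u32,
sn u32, una u32, len u32, followed by len bytes of data."""
import struct
from collections import defaultdict

KCP_HDR = struct.Struct("<IBBHIIII")
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}


def build_kcp(conv, cmd, sn, data=b"", frg=0, wnd=32, ts=0, una=0):
    """Encode one segment; used here only to construct sample traffic."""
    return KCP_HDR.pack(conv, cmd, frg, wnd, ts, sn, una, len(data)) + data


def parse_kcp(payload):
    """Return the segments in one UDP payload, or [] if it is not KCP-shaped.
    A single datagram may carry several segments back to back."""
    segs, off = [], 0
    while off + KCP_HDR.size <= len(payload):
        conv, cmd, frg, wnd, ts, sn, una, ln = KCP_HDR.unpack_from(payload, off)
        off += KCP_HDR.size
        if cmd not in KCP_CMDS or off + ln > len(payload):
            return []
        segs.append({"conv": conv, "cmd": KCP_CMDS[cmd], "sn": sn,
                     "data": payload[off:off + ln]})
        off += ln
    return segs if segs and off == len(payload) else []


def conv_ids_by_direction(packets):
    """packets: iterable of (src, dst, payload). Map (src, dst) -> conv IDs seen."""
    seen = defaultdict(set)
    for src, dst, payload in packets:
        for seg in parse_kcp(payload):
            seen[(src, dst)].add(seg["conv"])
    return seen


def flag_asymmetric_conv(packets):
    """Standard KCP uses one conv for both directions of a session. Report
    bidirectional flows whose two directions have no conv ID in common."""
    seen = conv_ids_by_direction(packets)
    flagged = []
    for (a, b), fwd in seen.items():
        back = seen.get((b, a))
        if back and (a, b) < (b, a) and not (fwd & back):
            flagged.append(((a, b), sorted(fwd), sorted(back)))
    return flagged


# Constructed traffic: one Gh0stKCP-style exchange, one ordinary KCP exchange.
BOT, C2 = "10.0.0.5:50000", "203.0.113.9:6666"
PEER_A, PEER_B = "192.0.2.1:4000", "198.51.100.7:9000"
SAMPLE_PACKETS = [
    (BOT, C2, build_kcp(0x1111, 81, 1, b"beacon")),    # bot sends with its own conv
    (C2, BOT, build_kcp(0x2222, 82, 0, una=2)),        # C2 replies under another conv
    (C2, BOT, build_kcp(0x2222, 81, 1, b"task")),
    (BOT, C2, b"\x00" * 8),                            # too short to be KCP; ignored
    (PEER_A, PEER_B, build_kcp(7, 81, 1, b"hello")),   # plain KCP: shared conv 7
    (PEER_B, PEER_A, build_kcp(7, 82, 0, una=2)),
]

if __name__ == "__main__":
    for flow, fwd, back in flag_asymmetric_conv(SAMPLE_PACKETS):
        print(f"{flow[0]} <-> {flow[1]}: conv {fwd} vs {back}")
```

Run against a UDP capture this is a triage filter, not a signature: legitimate KCP users (several game and tunnelling stacks) will pass because both sides share a conv, and a flow that only ever shows one direction is left unflagged rather than guessed at.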
Other
1 technique
IOCs tracked for this family
390 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
128 sources tracked across advisories, community write-ups, and news.
ValleyRAT is a remote access trojan built on the Winos4.0 framework that supports DDoS functionality and on-demand module downloads for persistent access.
A remote access trojan in TA4922's malware arsenal.
Remote access trojan used by TA4922 to gain remote access to victim systems; described as part of the broader ValleyRAT ecosystem.
A remote access trojan used by TA4922 as part of its phishing campaigns to gain remote access to victim systems.