Chinese-Language Malware Operations Exposed Through GoLoader, ValleyRAT, and FUD Crypt
Researchers uncovered multiple malware operations using scalable builder and crypting infrastructure to deliver remote-access trojans and evade detection. Breakglass Intelligence found two unauthenticated GoLoader builder panels that had produced 468,349 polymorphic samples across 71 active tasks, while leaking Alibaba Cloud OSS credentials tied to a public bucket containing LNK droppers, polymorphic VBS scripts, steganographic PNG carriers, .NET loaders, and RAT payloads. The reconstructed infection chain ended with njRAT, and reversing its custom AES-256-ECB configuration revealed the C2 laohe1[.]myvnc[.]com:5000, overlapping with infrastructure previously associated with XWorm. The campaign was assessed with moderate confidence as operated by a Chinese-speaking actor using Simplified Chinese cryptocurrency lures.
A separate Breakglass report linked ValleyRAT samples targeting Chinese-speaking users to a campaign that blended long-lived Hong Kong infrastructure with a likely compromised UK academic relay. One sample connected to 103.215.77[.]17:4488, a Hong Kong-hosted server linked to dozens of related malware submissions, while another Rust loader masquerading as Microsoft OneDrive Sync Engine decrypted and loaded a ValleyRAT core DLL after sandbox checks; its stage-two C2 used a govroam.cf.ac[.]uk hostname resolving into Cardiff University space, suggesting temporary relay use through a compromised GovRoam-connected endpoint. In parallel, researchers analyzing the FUD Crypt malware-as-a-service platform found it packaged Windows malware with persistence, C2, and evasion features, tracked 200 registered users and 334 confirmed builds, and documented abuse of Microsoft Azure Trusted Signing to produce Microsoft-rooted Authenticode signatures for malicious binaries.

How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Cardiff University GovRoam host identified as temporary ValleyRAT relay
Researchers found that a ValleyRAT stage-two C2 used the hostname v52-83fbf297.govroam.cf.ac.uk, resolving to Cardiff University IP space, indicating a compromised GovRoam-connected endpoint was likely used as a temporary relay. The report assessed the campaign as combining persistent Hong Kong infrastructure with disposable academic relay infrastructure in the UK.
Researchers identify live Hong Kong ValleyRAT C2 infrastructure
Analysis of one ValleyRAT sample showed it communicating with the live Hong Kong IP 103.215.77.17:4488, hosted by LANLIAN INTERNATIONAL HOLDING GROUP LIMITED and exposing WinRM on port 5985. VirusTotal linked the infrastructure to more than 78 related malware samples.
MalwareBazaar receives two ValleyRAT-related samples
In April 2026, two malware samples associated with the same ValleyRAT campaign family were uploaded to MalwareBazaar. The samples targeted Chinese-speaking users via trojanized software and included a KCP-based C2 module and a Rust loader posing as "Microsoft OneDrive Sync Engine."
Researchers decrypt njRAT config and link infrastructure to XWorm operator
By reversing the .NET loader and deriving the AES password from the Mutex field, researchers decrypted an njRAT configuration pointing to laohe1.myvnc.com on port 5000. They linked this to a six-node "laohe" DDNS cluster overlapping previously reported XWorm infrastructure and assessed the operator with moderate confidence as a Chinese-speaking actor targeting cryptocurrency investors.
Alibaba OSS bucket leak reveals GoLoader payload chain and lures
Both GoLoader panels exposed the same Alibaba Cloud OSS credentials, which granted access to a publicly listable Hong Kong bucket named "jpginfo" containing 652 files totaling 867 MB. The bucket held LNK droppers, polymorphic VBS scripts, steganographic PNG carriers, RAT payloads, and Chinese-language cryptocurrency lures, enabling reconstruction of a five-stage infection chain.
GoLoader builder panels expose unauthenticated malware generation APIs
Researchers identified two unauthenticated GoLoader builder panels at 121.127.246.86:8081 and 118.107.6.148:8081 that exposed full API access. By April 20, 2026, the panels had generated 468,349 unique polymorphic malware samples across 71 active tasks.
Researchers publish analysis of FUD Crypt malware service
Ctrl-Alt-Intel published a technical analysis describing FUD Crypt as a malware-as-a-service platform that packaged uploaded executables with persistence, C2, evasion features, and Microsoft-signed binaries. The report documented its infrastructure, pricing tiers, and operational scale.
Researchers report four abused Azure Trusted Signing accounts to Microsoft
Before publishing their findings on FUD Crypt, researchers reported the four identified Azure Trusted Signing accounts used to sign malicious binaries to Microsoft's MSRC. The report does not specify the exact date of the notification.
Breakglass documents SilverFox RAT disguised as Trend Micro installer
Breakglass Intelligence analyzed a SilverFox campaign sample uploaded to MalwareBazaar on 2026-03-16 that impersonated a Trend Micro Titanium installer and used a Chinese-language disciplinary-investigation lure. The x86-64 RAT employed custom VM-based obfuscation, anti-debugging and anti-VM checks, in-memory payload decryption, process injection, and Windows MSRPC for command-and-control traffic.
Breakglass exposes five-stage DonutLoader campaign via fake Adobe storefront
Breakglass Intelligence published analysis of a five-stage malware chain delivered through the fake Adobe Creative Cloud reseller site adobevault.top, using a PowerShell dropper, Donut shellcode, privilege escalation, svchost.exe injection, and a final infostealer. The report linked the delivery and payload servers through a shared SSH ECDSA host key, recovered decryption keys for both Donut stages and the infostealer, and assessed the operation as a likely Chinese-nexus malware-as-a-service campaign with medium confidence.
Breakglass analyzes ValleyRAT variant E BYOVD infection chain
Breakglass Intelligence documented a fresh ValleyRAT Win64/Valley.E campaign build assembled on 2026-03-13, delivered via a 32-bit DLL loader masquerading as SQL3.DLL that decrypted a 64-bit dropper and launched a RAT posing as conhost.exe. The report detailed BYOVD and privilege-escalation behavior including disabling Microsoft's vulnerable driver blocklist, loading a DiskDump kernel driver, bypassing UAC, establishing persistence, and using Hong Kong-linked infrastructure with C2 address 103.210.238.29.
FUD Crypt operates malware crypting service with Azure-signed payloads
Over at least the 38 days preceding publication, the FUD Crypt malware-as-a-service platform at fudcrypt.net allowed customers to upload Windows executables and receive polymorphic malware bundles with persistence, command-and-control, and Microsoft-rooted Authenticode signatures via abused Azure Trusted Signing accounts. Researchers recovered evidence of 200 registered users, 334 confirmed builds, 2,093 fleet commands, and 32 compromised machines tied to the service.
Breakglass publishes initial analysis of GoLoader loader-as-a-service
Breakglass Intelligence reported that the Go-based GoLoader framework had operated for more than two years and delivered at least seven malware families including Vidar, StealC, SmokeLoader, Rhadamanthys, LummaStealer, RemcosRAT, and ValleyRAT. The report detailed its DLL sideloading tradecraft, multi-version evolution, custom encryption, historical infrastructure, and released detection artifacts such as YARA rules and hashes.
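The network indicators quoted in the story are published defanged (for example laohe1[.]myvnc[.]com:5000), and the ValleyRAT relay is a parent domain under which the observed hostname sits. As an added example that is not part of this page or of any of the cited reports, the Python below refangs those indicators and matches them against constructed DNS-query and proxy-connection log lines; the log line formats and the sample lines are assumed, and the port-qualified matching reflects that a shared hosting IP should not fire on unrelated ports.

```python
import re
from ipaddress import ip_address

# Indicators as they appear in the story (defanged); list constructed for this example
DEFANGED_IOCS = [
    "laohe1[.]myvnc[.]com:5000",   # njRAT C2
    "103.215.77[.]17:4488",        # ValleyRAT Hong Kong C2
    "govroam.cf.ac[.]uk",          # parent domain of the ValleyRAT relay hostname
    "121.127.246.86:8081",         # GoLoader builder panel
]

def refang(value: str) -> str:
    """Turn '[.]' / 'hxxp' defanging back into a usable indicator."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_ioc(value: str):
    """Split an indicator into (lowercased host, port or None)."""
    host, _, port = refang(value).partition(":")
    return host.lower(), (int(port) if port else None)

def host_matches(observed: str, indicator: str) -> bool:
    """IPs match exactly; domains match exactly or as a subdomain of the indicator."""
    observed = observed.lower().rstrip(".")
    try:
        return ip_address(observed) == ip_address(indicator)
    except ValueError:  # at least one side is a domain name
        return observed == indicator or observed.endswith("." + indicator)

# Assumed log formats: DNS 'q=<name>' and proxy 'dst=<host>:<port>'
LINE_RE = re.compile(r"q=(?P<q>\S+)|dst=(?P<dst>[^:\s]+):(?P<port>\d+)")

def match_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line, indicator) pairs for every log line that hits an indicator."""
    parsed = [(ioc, *parse_ioc(ioc)) for ioc in iocs]
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        host = m.group("q") or m.group("dst")
        port = int(m.group("port")) if m.group("port") else None
        for ioc, ihost, iport in parsed:
            # DNS lookups carry no port, so host alone decides there; for a
            # connection the indicator's port (if any) must also match.
            if host_matches(host, ihost) and (iport is None or port is None or port == iport):
                hits.append((line, ioc))
    return hits

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2026-04-21T10:01:02Z dns q=laohe1.myvnc.com src=10.0.0.5",
    "2026-04-21T10:01:03Z conn dst=103.215.77.17:4488 src=10.0.0.5",
    "2026-04-21T10:01:04Z dns q=v52-83fbf297.govroam.cf.ac.uk src=10.0.0.7",
    "2026-04-21T10:01:05Z conn dst=103.215.77.17:443 src=10.0.0.9",
    "2026-04-21T10:01:06Z dns q=update.microsoft.com src=10.0.0.9",
]
```

Running `match_logs(SAMPLE_LOGS)` yields three hits (the njRAT domain lookup, the ValleyRAT C2 connection on 4488, and the GovRoam subdomain lookup) and leaves the port-443 connection unflagged; drop the port check if local policy is to alert on any traffic to the listed IPs.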
Sources
8 references tracked.
1. ValleyRAT: A Chinese APT's Rust Loader, a Cardiff University GovRoam Relay, and a Hong Kong C2 With a Gmail Abuse Contact. Breakglass Intelligence, intel.breakglass.tech (open source).
2. GoLoader at Industrial Scale: Two Unauthenticated Builder Panels, 468K Polymorphic Samples, Steganographic .NET Loaders, and a Cracked njRAT Config Pointing to a Chinese XWorm Operator. Breakglass Intelligence, intel.breakglass.tech (open source).
3. Hackers Use FUD Crypt to Generate Microsoft-Signed Malware With Built-In Persistence and C2. cybersecuritynews.com (open source).
4. Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis. Ctrl-Alt-Intel, ctrlaltintel.com (open source).
5. Unmasked: A 5-Stage DonutLoader Campaign Hiding Behind a Fake Adobe Storefront. Breakglass Intelligence, intel.breakglass.tech (open source).
6. SilverFox Deploys VM-Obfuscated RAT with ChaCha20 Encryption and RPC-Based C2 Disguised as Trend Micro. Breakglass Intelligence, intel.breakglass.tech (open source).
7. ValleyRAT (Win64/Valley.E) - Multi-Stage BYOVD RAT with Kernel Driver. Breakglass Intelligence, intel.breakglass.tech (open source).
8. GoLoader LaaS: A Two-Year-Old Go-Based Loader-as-a-Service Framework Delivering 7+ Malware Families via DLL Sideloading. Breakglass Intelligence, intel.breakglass.tech (open source).