Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT

Sep 20, 2023THNMalware Attack / Cyber Threat

ValleyRAT and Gh0st RAT

Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan called ValleyRAT.

“Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity,” enterprise security firm Proofpoint said in a report shared with The Hacker News.

The activity, observed since early 2023, entails sending email messages containing URLs pointing to compressed executables that are responsible for installing the malware. Other infection chains have been found to leverage Microsoft Excel and PDF attachments that embed these URLs to trigger malicious activity.


These campaigns demonstrate variation in the use of infrastructure, sender domains, email content, targeting, and payloads, indicating that different threat clusters are mounting the attacks.

Over 30 such campaigns have been detected in 2023 that employ malware typically associated with Chinese cybercrime activity. Since April 2023, no less than 20 of those campaigns are said to have delivered Sainbox, a variant of the Gh0st RAT trojan that’s also known as FatalRAT.

Proofpoint said it identified at least three other campaigns delivering the Purple Fox malware and six additional campaigns propagating a nascent strain of malware dubbed ValleyRAT, the latter of which commenced on March 21, 2023.

ValleyRAT, first documented by Chinese cybersecurity firm Qi An Xin in February 2023, is written in C++ and harbors functionalities traditionally seen in remote access trojans, such as fetching and executing additional payloads (DLLs and binaries) sent from a remote server and enumerating running processes, among others.


Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

While Gh0st RAT has been widely used in various cyber campaigns linked to China over the years, the emergence of ValleyRAT suggests it could be widely deployed in the future.

“The increase in Chinese language malware activity indicates an expansion of the Chinese malware ecosystem, either through increased availability or ease of access to payloads and target lists, as well as potentially increased activity by Chinese speaking cybercrime operators,” the company said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.