A new wave of attacks is using the ValleyRAT_S2 malware to quietly break into organizations, stay hidden for long periods, and steal sensitive financial information.<\/p>\n
ValleyRAT_S2 is the second-stage payload of the ValleyRAT family and is written in C++. Once inside a network, it behaves like a full remote access trojan, giving attackers strong control over infected systems and a reliable way to move data out.<\/p>\n
The current campaign<\/a> spreads mainly through fake Chinese-language productivity tools, cracked software, and trojanized installers that pose as AI-based spreadsheet generators.<\/p>\n In many cases, the malware is delivered through DLL side\u2011loading<\/a>, where a legitimate signed application is tricked into loading a malicious DLL named like a normal library, such as steam_api64.dll.<\/p>\n After tracking these operations, APOPHiS identified ValleyRAT_S2 as the core second-stage backdoor driving these intrusions.<\/p>\n The malware also arrives through spearphishing<\/a> attachments and abused software update channels.<\/p>\n Malicious documents and archives drop payloads into locations like the Temp folder, for example:-<\/p>\n C:UsersAdminAppDataLocalTempAI\u81ea\u52a8\u5316\u529e\u516c\u8868\u683c\u5236\u4f5c\u751f\u6210\u5de5\u5177\u5b89\u88c5\u5305steam_api64.dll.<\/p>\n From there, Stage 1 focuses on evasion, while ValleyRAT_S2 takes over long-term control, system discovery, credential theft<\/a>, and financial data collection.<\/p>\n Once active, ValleyRAT_S2 scans processes, file systems, and registry keys, then reaches out to hardcoded command\u2011and\u2011control servers such as 27.124.3.175:14852 over a custom TCP protocol. It can upload and download files, run shell commands, inject payloads, and capture keystrokes.<\/p>\n This makes it well-suited for harvesting online banking credentials, payment data, and internal financial documents.<\/p>\n One of the most dangerous parts of ValleyRAT_S2 is its layered persistence and watchdog design, which helps it survive reboots and manual cleanup.<\/p>\n The malware first stages files in the user\u2019s Temp and AppData paths, creating markers such as %TEMP%target.pid and configuration paths under %APPDATA%PromotionsTemp.aps.<\/p>\n It also abuses Windows Task Scheduler through COM APIs to re\u2011run itself on startup, and may use registry run keys for backup startup paths.<\/p>\n A key feature is a generated batch script, monitor.bat, which acts as a watchdog loop.<\/p>\n The script reads the stored process ID from target.pid, checks if the main malware process is still running, and silently restarts it if needed.<\/p>\n A simplified version looks like this:-<\/p>\n This loop allows ValleyRAT_S2 to recover if security tools or admins kill the main process. Combined with structured exception handling, sandbox checks, and process injection into trusted names like Telegra.exe and WhatsApp.exe, the malware maintains a quiet but strong presence.<\/p>\n For defenders, this means simple process killing is not enough; full removal must target the scheduled tasks, batch and VBS<\/a> watchdog scripts, staged files, and the backdoor process all at once.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post ValleyRAT_S2 Attacking Organizations to Deploy Stealthy Malware and Extract Financial Details<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"File](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiLtVr88hjvJJ_ysFiBZtx6nJdhH1hO-mVPWgZP2rMjeYiFZhSrTHmD38it0E4_04rGigQuO-xh8z85oN0qRIXkx4nZat_GjG1YTfT7YCeeUIKVTBnKUjH3PZax8MkA3IQ4z3yWIHnNTzZbJna1KM5L7gAS-dYShzUePcPdohMLeCOqLLxB-5H9GJ__2x8\/s16000\/File%2520info%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
Persistence and watchdog behavior<\/strong><\/h2>\n
![\"Legitimate-looking](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEicK6WXIHSx05wA7dQJcyw1wPCECSo6DRTdJin7lyDxrR70-sMRv2CrZwGj1zVWmJXSPSVNlN3p9VmekzdK_sgyoDO0f0pmDBbG_A5wYe26LfT4rTntHU6iDpdO0LE1DPeSLhKfQJ68b2GmAbZ6hzwoG_wmqN-kHVb9sv-JTaJh9rC2QfYtmbjLnNIMr4c\/s16000\/Legitimate-looking%2520process%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
@echo off\nset \"PIDFile=%TEMP%target.pid\"\nset \/p pid=<\"%PIDFile%\"\ndel \"%PIDFile%\"\n:check\ntasklist \/fi \"PID eq %pid%\" | findstr >nul\nif errorlevel 1 (\n cscript \/\/nologo \"%TEMP%watch.vbs\"\n exit\n)\ntimeout \/t 15 >nul\ngoto check<\/code><\/pre>\n