A new wave of attacks is using the ValleyRAT_S2 malware to quietly break into organizations, stay hidden for long periods, and steal sensitive financial information.
ValleyRAT_S2 is the second-stage payload of the ValleyRAT family and is written in C++. Once inside a network, it behaves like a full remote access trojan, giving attackers strong control over infected systems and a reliable way to move data out.
The current campaign spreads mainly through fake Chinese-language productivity tools, cracked software, and trojanized installers that pose as AI-based spreadsheet generators.
In many cases, the malware is delivered through DLL side‑loading, where a legitimate signed application is tricked into loading a malicious DLL named like a normal library, such as steam_api64.dll.
After tracking these operations, APOPHiS identified ValleyRAT_S2 as the core second-stage backdoor driving these intrusions.
The malware also arrives through spearphishing attachments and abused software update channels.
Malicious documents and archives drop payloads into locations like the Temp folder, for example:-
C:UsersAdminAppDataLocalTempAI自动化办公表格制作生成工具安装包steam_api64.dll.
From there, Stage 1 focuses on evasion, while ValleyRAT_S2 takes over long-term control, system discovery, credential theft, and financial data collection.
.webp "ValleyRAT_S2 Attacking Organizations to Deploy Stealthy Malware and Extract Financial Details 3")
Once active, ValleyRAT_S2 scans processes, file systems, and registry keys, then reaches out to hardcoded command‑and‑control servers such as 27.124.3.175:14852 over a custom TCP protocol. It can upload and download files, run shell commands, inject payloads, and capture keystrokes.
This makes it well-suited for harvesting online banking credentials, payment data, and internal financial documents.
Persistence and watchdog behavior
One of the most dangerous parts of ValleyRAT_S2 is its layered persistence and watchdog design, which helps it survive reboots and manual cleanup.
The malware first stages files in the user’s Temp and AppData paths, creating markers such as %TEMP%target.pid and configuration paths under %APPDATA%PromotionsTemp.aps.
It also abuses Windows Task Scheduler through COM APIs to re‑run itself on startup, and may use registry run keys for backup startup paths.
.webp "ValleyRAT_S2 Attacking Organizations to Deploy Stealthy Malware and Extract Financial Details 4")
A key feature is a generated batch script, monitor.bat, which acts as a watchdog loop.
The script reads the stored process ID from target.pid, checks if the main malware process is still running, and silently restarts it if needed.
A simplified version looks like this:-
@echo off
set "PIDFile=%TEMP%target.pid"
set /p pid=<"%PIDFile%"
del "%PIDFile%"
:check
tasklist /fi "PID eq %pid%" | findstr >nul
if errorlevel 1 (
cscript //nologo "%TEMP%watch.vbs"
exit
)
timeout /t 15 >nul
goto checkThis loop allows ValleyRAT_S2 to recover if security tools or admins kill the main process. Combined with structured exception handling, sandbox checks, and process injection into trusted names like Telegra.exe and WhatsApp.exe, the malware maintains a quiet but strong presence.
For defenders, this means simple process killing is not enough; full removal must target the scheduled tasks, batch and VBS watchdog scripts, staged files, and the backdoor process all at once.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
