ValleyRAT_S2 Campaign Leveraging DLL Side-Loading and Custom TCP Command-and-Control
January 22nd, 2026
High

Our Cyber Threat Intelligence Unit is tracking an active malware campaign involving ValleyRAT_S2, a second-stage payload in the ValleyRAT malware family. The activity spans multiple regions, where threat actors use social engineering and trojanized software to gain initial access. Once executed, ValleyRAT_S2 operates as a full-featured remote access trojan (RAT), facilitating credential theft, keystroke logging, system reconnaissance, and persistent remote control. The campaign relies on stealthy techniques, including DLL side-loading through legitimate or masqueraded applications, and communicates with attacker-controlled infrastructure over a custom TCP protocol. Given its credential-harvesting capabilities, persistence mechanisms, and operator-driven control model, ValleyRAT_S2 poses a high risk to unmonitored or insufficiently hardened endpoint environments.
Technical Details
Threat Name: ValleyRAT_S2
Severity: High
Malware Type: Remote Access Trojan (RAT) with credential theft capability
Primary Language: C++
Attack Vectors:
Social engineering
Trojanized or cracked software installers
Phishing-delivered malicious archives
Attack Chain:
Threat actors distribute malicious content disguised as legitimate Chinese-language utilities, productivity tools, or software installers.
Initial execution triggers DLL side-loading: a legitimate or masqueraded application loads a malicious DLL that carries the name of a library it would normally expect (e.g., steam_api64.dll).
The DLL decodes and launches ValleyRAT_S2 as a second-stage payload, employing obfuscation to evade static detection.
Once active, the RAT performs system discovery and establishes persistence, commonly through Task Scheduler or COM-based mechanisms.
The malware communicates with hard-coded command-and-control (C2) infrastructure using a custom TCP protocol, awaiting operator commands.
Capabilities:
System and environment enumeration
Credential harvesting (browser-stored credentials and system data)
Keystroke logging
File upload and download
Remote shell and arbitrary command execution
Process injection and manipulation

Impact
Successful execution of ValleyRAT_S2 may result in:
Persistent Remote Access: Long-term attacker control of compromised endpoints
Credential Theft: Exposure of authentication material enabling lateral movement
Data Exfiltration: Unauthorized collection of sensitive business or personal data
System Manipulation: Arbitrary command execution and malicious process injection
Operational Risk: Degraded system integrity, confidentiality, and trust
Detection Method
Organizations should monitor for the following indicators and behaviors:
Execution of signed or legitimate applications loading unexpected DLLs from non-standard directories (DLL side-loading).
Suspicious files or scripts staged in Temp or AppData paths (e.g., monitor.bat, target.pid).
Unexpected Task Scheduler or COM object creation linked to user-level applications.
Unusual child processes spawned by document viewers or installer binaries.
Outbound TCP connections to unknown or rare external IPs from user workstations.
Network traffic consistent with custom, non-HTTP TCP communication patterns.
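As an added example (not part of the advisory), the following Python triage routine applies the DLL side-loading and outbound-TCP checks listed above to constructed Sysmon-style ImageLoad (ID 7) and NetworkConnect (ID 3) events. The event dictionary layout, the user-writable path list and the sample events are assumptions; only the 27.124.3.175:14852 indicator and the steam_api64.dll name come from the advisory.

```python
import ipaddress
from pathlib import PureWindowsPath

# The one network indicator published in the advisory; all other values here are constructed.
C2_SOCKETS = {("27.124.3.175", 14852)}
# Library name the advisory says the side-loaded DLL masquerades as.
SUSPECT_DLLS = {"steam_api64.dll"}
# Assumed user-writable path fragments; a legitimate copy of the DLL should not load from these.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def dll_sideload_alert(event):
    """True for an ImageLoad event (Sysmon ID 7) where a suspect DLL name
    is loaded from a user-writable directory."""
    if event.get("id") != 7:
        return False
    loaded = event["image_loaded"]
    name = PureWindowsPath(loaded).name.lower()
    return name in SUSPECT_DLLS and any(s in loaded.lower() for s in USER_WRITABLE)

def c2_alert(event):
    """True for a NetworkConnect event (Sysmon ID 3) to the advisory's C2 socket,
    or to any public IP on a port other than 80/443 (custom non-HTTP TCP)."""
    if event.get("id") != 3 or event.get("protocol") != "tcp":
        return False
    ip, port = event["dst_ip"], int(event["dst_port"])
    if (ip, port) in C2_SOCKETS:
        return True
    return ipaddress.ip_address(ip).is_global and port not in (80, 443)

def triage(events):
    """Return a list of (rule, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if dll_sideload_alert(ev):
            hits.append(("dll_sideload", ev))
        if c2_alert(ev):
            hits.append(("c2_beacon", ev))
    return hits

# Constructed sample telemetry: one side-load, one legitimate load, one beacon, two benign connects.
SAMPLE_EVENTS = [
    {"id": 7, "image_loaded": r"C:\Users\bob\AppData\Local\Temp\tool\steam_api64.dll"},
    {"id": 7, "image_loaded": r"C:\Program Files (x86)\Steam\steamapps\common\game\steam_api64.dll"},
    {"id": 3, "protocol": "tcp", "dst_ip": "27.124.3.175", "dst_port": 14852},
    {"id": 3, "protocol": "tcp", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"id": 3, "protocol": "tcp", "dst_ip": "10.0.0.5", "dst_port": 445},
]
```

Running `triage(SAMPLE_EVENTS)` yields exactly two hits, the Temp-directory side-load and the beacon to the published C2 socket; the public-IP/non-HTTP-port rule is deliberately broad and is meant for hunting, not for blocking on its own.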
Indicators of Compromise
Indicator (IP:port) | Description
27.124.3.175:14852 | Custom TCP-based protocol used by ValleyRAT_S2 for command-and-control communications

Recommendations
Block outbound traffic to known malicious IPs and ports, including confirmed ValleyRAT_S2 C2 infrastructure.
Enforce application allow-listing and restrict DLL loading from user-writable directories.
Deploy endpoint detection capable of identifying DLL side-loading and abnormal persistence creation.
Inspect Task Scheduler and COM registrations for unauthorized entries.
Implement phishing awareness training focused on trojanized software and installer abuse.
Ensure credential hygiene and deploy multi-factor authentication where feasible to limit post-compromise impact.
Conclusion
The ValleyRAT_S2 campaign demonstrates how threat actors continue to combine social engineering with reliable post-exploitation tooling to achieve stealthy, persistent access to enterprise environments. Its use of DLL side-loading, credential harvesting, and operator-controlled C2 communications heightens the risk of long-term compromise and secondary intrusion activity. We urge organizations to prioritize endpoint visibility, outbound traffic monitoring, and proactive threat hunting to detect and disrupt ValleyRAT_S2 activity before it escalates.