BREAKING: ValleyRAT Malware Exploits Legitimate Tencent GameBox via DLL Sideloading – Advanced Stealth Persistence Achieved + Video

Listen to this Post

Featured Image

Introduction:

A highly concerning malware campaign targeting Microsoft Teams users has emerged, leveraging sophisticated social engineering to deliver the ValleyRAT remote access trojan (RAT). First spotted on the X platform in mid-April 2026, this multi-stage attack abuses lookalike domains and a legitimate Tencent executable (GameBox.exe) to side-load malicious components, achieving stealth and persistence that poses a severe risk to enterprise environments. The actor utilizes a clean infection chain combining in-memory decryption, Windows Defender evasion, and comprehensive spying capabilities such as clipboard and keystroke logging to maintain long-term remote control.

Learning Objectives:

  • Understand the complete ValleyRAT infection chain, from social engineering and initial download to malicious payload deployment
  • Identify and implement defensive techniques to detect and block ValleyRAT using registry monitoring, Sysmon, EDR rules, and PowerShell scripts
  • Apply both offensive and defensive tactics, including techniques for analyzing, removing, and recovering from ValleyRAT infections

You Should Know:

  1. ValleyRAT Infection Chain Unpacked: From Fake Domain to Full Persistence

The attack begins when a user visits a lookalike domain such as teams-securecall[.]com or teamszs[.]com, which is nearly identical to the official Microsoft Teams download page. The visitor is prompted to download a ZIP archive (e.g., 98653.2.87.teamsx.zip). Upon extraction, a malicious NSIS-based installer executes, silently dropping multiple components while simultaneously installing a genuine copy of Microsoft Teams to avoid suspicion.

A key step in this chain is DLL sideloading: a legitimate executable named GameBox.exe (developed by Tencent) is abused to load a malicious DLL (utility.dll), which executes the primary ValleyRAT payload. The malware stores its final, encrypted payload as a file named user.dat and decrypts it exclusively in memory, using AES decryption in memory before execution.

Persistence is achieved by creating a service named _CCGDAT configured to start automatically on system boot. The malware also hides its presence by modifying Windows Defender settings and changing file attributes.

Follow these steps to detect and block the ValleyRAT infection chain:

Step 1: Monitor Known Malicious Domains

Add the following domains to your network blocklist:

teams-securecall[.]com, teamszs[.]com

Also block C2 IPs: 154.82.85.12:5689, 143.92.38[.]217, 206.238.221[.]165

Step 2: Hunt for Registry Modifications

ValleyRAT writes its configuration to HKCU\SOFTWARE\IpDates_info and stores encrypted C2 data under HKCU\Console\0\[Long GUID Key] and HKCU\SOFTWARE\Console\IpDateInfo. Use this PowerShell command to check for these registry keys:

Get-ChildItem -Path "HKCU:\SOFTWARE\" -Recurse | Where-Object { $<em>.PSChildName -like "IpDates_info" -or $</em>.PSChildName -like "Console" -and (Get-ItemProperty $_.PSPath).IpDateInfo }

Step 3: Hunt for Service Persistence

Search for the \_CCGDAT service:

Get-Service | Where-Object { $<em>.Name -eq "_CCGDAT" -or $</em>.DisplayName -eq "_CCGDAT" }

Step 4: Monitor Windows Defender Exclusion Abuse

ValleyRAT uses PowerShell to add exclusions for its working directory and malicious DLL:

powershell -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\client'"
powershell -Command "Add-MpPreference -ExclusionProcess 'Utility.dll'"

Use this detection script to find unauthorized exclusions:

(Get-MpPreference).ExclusionPath
(Get-MpPreference).ExclusionProcess

If you find suspicious exclusions, remove them with:

Remove-MpPreference -ExclusionPath "C:\ProgramData\client"

Step 5: Hunt for Hidden Malicious Files

ValleyRAT calls SetFileAttributes with the value 7 to make the copied folder hidden. Use this command to search for hidden files in suspicious directories:

dir /a:h C:\ProgramData\client /s

2. Deepening MITRE ATT&CK Techniques and Advanced Hunting

This campaign exhibits a wide array of MITRE ATT&CK techniques that security teams should actively hunt for. ValleyRAT’s ability to dynamically load plugins and execute in-memory shellcode after decrypting it makes traditional file-based detection nearly useless.

Employ these advanced hunting and monitoring techniques:

Step 1: Monitor LSASS and Process Injection

ValleyRAT uses process injection techniques, including Process Hollowing and DLL Injection, to hide its activity within legitimate system processes. It also uses API hashing to dynamically resolve Windows functions, evading static detection. Deploy Sysmon to monitor process creation and remote thread creation. Use the following Sysmon configuration to detect unauthorized process injection:

<Sysmon>
<EventFiltering>
<ProcessAccess onmatch="include">
<TargetImage condition="end with">lsass.exe</TargetImage>
<CallTrace condition="contains">C:\ProgramData</CallTrace>
</ProcessAccess>
</EventFiltering>
</Sysmon>

Step 2: Detect In-Memory Payload Decryption

The primary shellcode payload (user.dat) is AES-encrypted and decrypted in memory. To hunt for this behavior, monitor anomalies in API call patterns. Use PowerShell with Get-WinEvent to find suspicious remote thread creation:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=8} | Where-Object { $<em>.Message -match "CreateRemoteThread" -and $</em>.Message -match "GameBox.exe" }

Alternatively, use a YARA rule to scan running processes for ValleyRAT memory signatures:

rule ValleyRAT_memory_decrypt
{
meta:
description = "Detects ValleyRAT AES decryption routine in memory"
author = "Security Team"
strings:
$aes_key = { 2A 2A 2A 53 48 41 32 35 36 20 44 65 63 72 79 70 74 }
$shellcode_payload = { 60 8B 6C 24 24 31 DB 64 8B 5B 30 8B 5B 0C }
condition:
any of them
}

Run YARA against all running processes:

yara64.exe valleyrat_hunt.yar C:\ -p 0

Step 3: Hunt for Abuse of PowerShell Execution Policy Bypass
ValleyRAT bypasses PowerShell execution policies to run its malicious commands. Enable script block logging and monitor Event ID 4103. Search for commands containing “Add-MpPreference” combined with “bypass”:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4103} | Where-Object { $<em>.Message -match "Add-MpPreference" -and $</em>.Message -match "bypass" }

Step 4: Monitor for Sandbox Evasion Techniques

ValleyRAT checks for virtual machine environments by looking for VM services. It also uses sleep obfuscation to evade memory scanners, and applies XOR encoding to its shellcode. To hunt for these, monitor process execution for processes that call sleep APIs with large values. Use the following Sysmon query to find processes that call sleep with suspicious timings.

  1. Comprehensive Defenses: SIEM Rules, Endpoint Hardening, and Remediation

To robustly defend against ValleyRAT, organizations should implement a layered defense strategy that includes SIEM rules, endpoint hardening, and a clear remediation plan.

Implement these defensive measures:

Step 1: Deploy a SIEM Detection Rule

If you use Splunk, implement the following query to detect ValleyRAT C2 registry modifications:

index=windows sourcetype="XmlWinEventLog" EventCode=13 RegistryPath=\Console\IpDateInfo OR RegistryPath=\Console\SelfPath
| stats count by host, RegistryPath, RegistryValueData, Image, User
| table host, RegistryPath, RegistryValueData, Image

This query leverages Sysmon Event ID 13 (Registry modification) to spot the specific C2 keys created by ValleyRAT.

Step 2: Hardening Windows Against ValleyRAT

Prevent PowerShell abuse and protect Windows Defender:

  • Restrict PowerShell execution policies via Group Policy:
    Set-ExecutionPolicy Restricted -Scope LocalMachine
    
  • Disallow local exclusions for Windows Defender using Group Policy (Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Exclusions).
  • Enable Attack Surface Reduction (ASR) rules to block process injection, suspicious script executions, and lateral movement.
  • Set Sysmon to log image loads to detect sideloaded DLLs.

Step 3: Remediation Playbook for ValleyRAT

If an infection is discovered, follow this comprehensive remediation plan:

  • Isolate the host: Disconnect the infected machine from the network to prevent C2 communication and lateral movement.
  • Collect forensic data: Capture memory and disk images for further analysis.
  • Terminate malicious processes: Use Process Explorer or taskkill to end GameBox.exe and any _CCGDAT service instances.
  • Remove malicious files and registry entries:
    Remove-Item -Path "C:\ProgramData\client" -Recurse -Force
    Remove-Item -Path "C:\Users\Desktop\Teams.lnk" -Force
    Remove-ItemProperty -Path "HKCU:\SOFTWARE\" -Name "IpDates_info"
    Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services_CCGDAT" -Recurse -Force
    
  • Restore Windows Defender settings: Reset to default and rescan the system.
  • Reset compromised credentials and rotate passwords.

What Undercode Say:

  • ValleyRAT’s infection chain is a perfect example of “living off the land” techniques; attackers use legitimate tools like GameBox.exe to side-load malware, bypassing application whitelisting solutions.
  • The campaign’s use of both in-memory decryption and DLL sideloading highlights a growing trend: modern malware is moving away from traditional file-based payloads, requiring defenders to embrace behavioral analysis and advanced memory scanning.

Expected Output:

This investigation emphasizes that the ValleyRAT campaign is not just a simple RAT; it is a modular, multi-stage framework designed for long-term espionage. The effectiveness of this attack lies in its ability to mimic legitimate software behaviors. The discovery of Chinese-language artifacts and infrastructure patterns strongly indicates the involvement of the SilverFox APT group. Organizations must urgently move past legacy antivirus solutions and invest in advanced endpoint detection and response (EDR) platforms that excel at detecting in-memory threats and behavioral anomalies.

Prediction:

In the future, malware campaigns will increasingly focus on masquerading as legitimate software updates to bypass security measures. The ValleyRAT campaign is an important indicator of an upcoming surge in trust-baiting attacks, where attackers weaponize trusted brand names not just for initial access but also for leveraging legitimate executables to conduct entire post-exploitation chains. We predict that malicious actors will begin to automate the generation of hundreds of unique, lookalike domains for each major software brand, integrating AI-powered social engineering to make detection by human users nearly impossible. Threat intelligence sharing and user education will become the main lines of defense, as technical controls alone will be insufficient to keep pace with the creativity of these hybrid attacks.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Cybersecuritytimes – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky