Security experts at Proofpoint have issued a warning about the emergence of a new and highly concerning malware strain named ValleyRAT. This malware is actively being deployed in campaigns targeting large organizations worldwide, with a notable focus on Chinese businesses on the mainland.
According to a report published by Proofpoint, these attacks are part of a larger trend in which several Chinese malware campaigns rely predominantly on invoice-themed lures aimed at Chinese businesses. Multiple campaigns distributing ValleyRAT and other malware strains have been observed.
ValleyRAT first came to the attention of researchers in March 2023. While it’s a significant concern, it is not the only malware variant being employed. Researchers also identified Sainbox, a variant of the infamous Gh0stRAT, and Purple Fox. The Purple Fox campaign primarily targeted Japanese organizations, using Japanese-language invoice themes in some instances.
Proofpoint has documented more than two dozen campaigns employing these malware strains. In these campaigns, threat actors impersonate major corporations, reaching out to employees via email, attempting to trick them into downloading and running these Remote Access Trojans (RATs).
The true identities and motives of the attackers remain unclear. Researchers suggest that multiple threat actor groups may be involved, potentially sharing resources, as there is some overlap in activity clusters. The motivations driving these attacks are yet to be determined.