ValleyRAT_S2 Hijacks Firms to Steal Financial Data

A new malware campaign using a variant of the ValleyRAT family is raising alarms across cybersecurity circles as ValleyRAT_S2 hijacks firms through deceptive productivity tools and trojanized installers disguised as AI spreadsheet software. Delivered via spearphishing, modified software updaters, and DLL side-loading, ValleyRAT_S2 functions as a powerful C++-based remote access trojan.

Once installed, it provides attackers with system access for data theft, command execution, and keystroke logging. Analysts from APOPHiS identified ValleyRAT_S2 as the second-stage payload in these attacks, often hiding inside archives dropped in the Temp directory. Beyond credential theft and internal document exfiltration, the malware scans networks and connects to command servers using a custom TCP protocol.

Persistence is layered: scheduled tasks created through the COM Task Scheduler interface, registry keys, and a watchdog batch script that automatically relaunches the malware if its process is terminated. Effective removal therefore requires eliminating every script, startup entry, and injected process together, since ValleyRAT_S2 is built to survive partial cleanup.
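As an added triage example (not code from the article or its analysts), the PowerShell below walks the three persistence layers the write-up attributes to ValleyRAT_S2 and flags entries that launch a .bat/.cmd file or point into a Temp directory; the two heuristics and the output format are assumptions, and hits need manual review rather than being treated as indicators.

```powershell
# Added triage example, not code from the article. Enumerates scheduled tasks, autostart
# registry values and Startup-folder batch scripts, flagging anything that runs a batch
# file or references a Temp path. Both matching rules are constructed assumptions.
$hits = [System.Collections.Generic.List[object]]::new()
function Test-Suspicious([string]$Text) {
    ($Text -match '\\Temp\\') -or ($Text -match '\.(bat|cmd)(\s|"|$)')
}
function Add-Hit($Source, $Name, $Command) {
    $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Scheduled tasks, enumerated through the same COM interface used to create them
$svc = New-Object -ComObject 'Schedule.Service'; $svc.Connect()
$folders = New-Object System.Collections.Stack; $folders.Push($svc.GetFolder('\'))
while ($folders.Count -gt 0) {
    $folder = $folders.Pop()
    foreach ($sub in $folder.GetFolders(0)) { $folders.Push($sub) }
    foreach ($task in $folder.GetTasks(1)) {          # 1 = TASK_ENUM_HIDDEN
        foreach ($action in $task.Definition.Actions) {
            if ($action.Type -ne 0) { continue }      # 0 = TASK_ACTION_EXEC
            $cmd = "$($action.Path) $($action.Arguments)".Trim()
            if (Test-Suspicious $cmd) { Add-Hit 'ScheduledTask' $task.Path $cmd }
        }
    }
}

# 2. Run / RunOnce autostart values for the machine and the current user
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not autostart values
            if (Test-Suspicious ([string]$p.Value)) { Add-Hit 'Registry' "$key\$($p.Name)" $p.Value }
        }
    }
}

# 3. Batch scripts in the per-user and all-users Startup folders, where a watchdog
#    script that relaunches a killed payload would typically be placed
$startup = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
Get-ChildItem -Path $startup -Include *.bat, *.cmd -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'StartupFolder' $_.FullName (Get-Content $_.FullName -Raw) }

$hits | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so HKLM and the all-users Startup folder are readable; an empty table means none of the three layers matched the heuristics, not that the host is clean.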
