Severity: high | Category: Phishing

MalwareBazaar Said Emotet. It Was a Chinese RAT Hiding Inside a Video Game.

Published: March 12, 2026
Threat Actors: Profile, Assessment
Tags: phishing, social-engineering, c2, supply-chain, apt

TL;DR: A 32MB Windows executable submitted to MalwareBazaar as "Arma SE7.exe" and tagged as Emotet/Heodo is not Emotet at all. It is a trojanized legitimate Arma 3 v2.20 server binary deployed by SilverFox, a Chinese-origin threat group, to deliver ValleyRAT (also known as Winos 4.0) -- a modular RAT framework with ties to Gh0stRAT and a documented history of targeting Chinese-speaking users. The binary retains full game server functionality while embedding anti-analysis TLS callbacks that inspect the PEB for debugger presence before the main entry point even executes. The sample successfully evaded 5 of 6 VirusTotal sandboxes and drew only a 20/76 detection rate. Meanwhile, 100+ related SilverFox samples are actively circulating on MalwareBazaar, backed by C2 infrastructure spanning Tencent Cloud, AWS Hong Kong, Vultr Singapore, and budget VPS providers. The Heodo tag on this sample is a false positive -- and a reminder that automated attribution is only as good as the heuristics behind it.


When the Label Does Not Match the Contents

This investigation began the way most of ours do: a fresh MalwareBazaar upload, a familiar tag, a quick glance. The sample was a 32MB executable called "Arma SE7.exe," and MalwareBazaar had tagged it Emotet/Heodo -- the banking trojan turned malware-distribution-as-a-service platform that has been the subject of multiple international law enforcement operations.

Emotet in a 32MB game server binary? That should have been the first red flag.

Emotet payloads are typically small -- DLLs in the hundreds of kilobytes, delivered via Office macros or ZIP attachments. They do not weigh 30 megabytes and they do not masquerade as Arma 3 dedicated server binaries. The Heodo signature in MalwareBazaar appears to have been triggered by generic behavioral heuristics -- likely the combination of anti-debugging techniques, process injection capabilities, and encrypted configuration data. These are behaviors shared by dozens of malware families, but the automated classification system matched them against Emotet's profile and called it a day.

The actual malware family is SilverFox/ValleyRAT/Winos 4.0 -- a Chinese-origin remote access trojan framework that has been active since at least late 2024 and targets Chinese-speaking users through trojanized software and social engineering. Not Emotet. Not even close.

This matters for two reasons. First, any organization that consumes MalwareBazaar intelligence feeds automatically would have ingested this IOC under the wrong family attribution, potentially triggering Emotet-specific playbooks and response procedures that are completely irrelevant to the actual threat. Second, the misattribution obscures the real campaign -- a Chinese threat group actively trojanizing legitimate game binaries, a technique that combines supply chain compromise with social engineering in a way that commodity banking trojans do not.

What Was Found vs. What Was Known

Aspect             | MalwareBazaar Attribution | Breakglass Findings
-------------------|---------------------------|-------------------------------------------------------
Malware Family     | Emotet / Heodo            | SilverFox / ValleyRAT / Winos 4.0
Origin             | Unknown                   | China (HIGH confidence)
Technique          | Generic trojan            | Trojanized legitimate Arma 3 v2.20 server binary
C2 Infrastructure  | Not mapped                | 7+ IPs across 5 ASNs, 1 .cn domain
Campaign Scale     | 1 isolated sample         | 100+ related samples in MalwareBazaar
Anti-Analysis      | Not documented            | TLS callback PEB checks, sandbox evasion, timing attacks
Targeting          | Unknown                   | Chinese-speaking users via trojanized software
Delivery Mechanism | Web download              | Likely piracy/game cracking sites

The gap between the automated attribution and the reality is not subtle. This is a completely different threat actor, with a completely different motivation, operating in a completely different part of the world.

The Sample: A Real Game Server That Does More Than Serve Games

The binary is a genuine Arma 3 v2.20 dedicated server executable compiled on June 24, 2025. It contains Bohemia Interactive's internal build paths, their proprietary "Futura" engine references, their telemetry library. It is not a from-scratch build designed to look like Arma 3 -- it is Arma 3, with modifications.

Attribute        | Value
-----------------|------------------------------------------------------------------------------------
SHA-256          | 66406a9f58f42fb6f7d1e31e3aee159641ca5e257521dc325e49ccaec4aeba22
MD5              | bc633b52efd493bf6be65099fcd89fbb
SHA-1            | 4e3e4f05c3c9ac911d948cd0f3e612d6497fe21e
Imphash          | 1f1cdd23e3f42cade6020fa0bc6d76b5
File Size        | 32,033,792 bytes (30.5 MiB)
File Type        | PE32+ executable (GUI) x86-64, 7 sections
Compile Time     | 2025-06-24 11:12:40 UTC (PE header timestamp; forgeable, but consistent with the version info)
PDB Path         | O:\Arma3\Arma3Retail_Server_x64.pdb
Digitally Signed | No (legitimate Arma 3 binaries are signed by Bohemia Interactive)

The version information block reads like a legitimate product:

  • CompanyName: Bohemia Interactive
  • FileDescription: Arma 3
  • FileVersion: 2.20
  • ProductVersion: 2.20.0.152984
  • Copyright: 1996-2025 BOHEMIA INTERACTIVE a.s.

And the build environment artifacts point the same way: this was compiled from Bohemia Interactive's own source tree, not reverse-engineered or rebuilt from a decompilation. It is the retail server binary, or a byte-identical build of it, with additions:

H:\dev\Futura\extern\PhysX3\       -- BI internal game engine (codename "Futura")
H:\dev\StatisticsLibrary\StatsLib\  -- BI telemetry/stats library
O:\Arma3\Arma3Retail_Server_x64.pdb -- Release build PDB path

The question is not whether this was originally a legitimate binary -- it clearly was. The question is what was added to it, and how.

The Trojanization: What Changed

Four things distinguish this binary from the legitimate Arma 3 server executable it was built from.

1. The Missing Signature

Legitimate Arma 3 binaries are code-signed by Bohemia Interactive a.s. This sample carries no Authenticode signature at all. Any byte-level change to a signed PE breaks the signature, so whoever modified the binary had two options: leave the now-invalid signature in place, which `signtool verify` or PowerShell's `Get-AuthenticodeSignature` would report as HashMismatch, or remove the certificate table entirely. They chose removal. This is the most basic indicator of tampering and also the easiest one to check: any environment that enforces code signing policy (WDAC or AppLocker publisher rules) would reject this binary outright, and running `Get-AuthenticodeSignature` over every Arma 3 binary in an environment separates genuine builds from this one in seconds.

2. TLS Callbacks (Anti-Debug Before Main)

Two TLS (Thread Local Storage) callbacks run before the main entry point, which means they execute before the entry-point breakpoint most debuggers set by default is ever reached:

TLS Callback 0: RVA 0x1553B2C
TLS Callback 1: RVA 0x1553BA4

Both callbacks open with the same sequence:
  mov   rax, gs:[0x60]             ; PEB (Process Environment Block) pointer from the TEB
  movzx eax, byte ptr [rax+0x02]   ; PEB.BeingDebugged
  test  eax, eax
  jnz   <evasion_routine>          ; debugger present: divert execution

TLS callbacks are a well-known anti-analysis technique, but they remain effective against casual analysis. An analyst who attaches a debugger and hits "Run" expecting to land at the entry point has already executed the callback, and the evasion routine has altered the execution flow: the malware goes dormant or crashes and produces no useful behaviour. Both callbacks also read PEB.NtGlobalFlag, which the loader sets to 0x70 (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS) when a process is created under a debugger. In the 64-bit PEB that field sits at offset 0xBC; 0x68 is its offset in the 32-bit PEB. Belt and suspenders. The counter is equally well known: configure the debugger to break on TLS callbacks (x64dbg exposes this under Options > Preferences > Events), or clear BeingDebugged and NtGlobalFlag before letting the process run, and the gate never fires. Note that these flags catch an attached debugger, not a sandbox; that is what the GetTickCount and user-input checks described later are for.
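To find these callbacks without relying on a debugger to stop at them, walk the TLS data directory yourself. The script below is an added example written for this article, not tooling from the investigation or from Bohemia Interactive: it parses the PE headers from raw bytes, resolves the IMAGE_TLS_DIRECTORY AddressOfCallBacks array (a null-terminated list of virtual addresses, so ImageBase must be subtracted to get RVAs like the ones quoted above) and reports whether each callback begins with the exact `mov rax, gs:[0x60] / movzx eax, byte ptr [rax+2]` byte sequence. The image it runs on is constructed inside the block (a minimal PE32+ with one section and two callbacks at RVAs 0x1100 and 0x1140); to run it on the real sample, read the file and pass its bytes to find_peb_checks().

```python
import struct

# Opcode bytes of the PEB.BeingDebugged read shown above (x64):
#   mov rax, gs:[0x60]            65 48 8B 04 25 60 00 00 00
#   movzx eax, byte ptr [rax+2]   0F B6 40 02
PEB_BEINGDEBUGGED_CHECK = bytes.fromhex("65 48 8b 04 25 60 00 00 00 0f b6 40 02")


def parse_pe(data):
    """Return (image_base, sections, tls_rva, pointer_size, pointer_fmt) from raw PE bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                      # PE32+ (x64): 8-byte pointers, data directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs, psz, pfmt = opt + 112, 8, "<Q"
    elif magic == 0x10B:                    # PE32 (x86): 4-byte pointers, data directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs, psz, pfmt = opt + 96, 4, "<I"
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):                   # (VirtualAddress, size, PointerToRawData) per section
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rsize), raw))
    tls_rva = struct.unpack_from("<I", data, dirs + 9 * 8)[0]   # IMAGE_DIRECTORY_ENTRY_TLS = 9
    return image_base, sections, tls_rva, psz, pfmt


def rva_to_offset(sections, rva):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)


def tls_callbacks(data):
    """RVAs of every TLS callback, in the order the loader runs them (before the entry point)."""
    image_base, sections, tls_rva, psz, pfmt = parse_pe(data)
    if tls_rva == 0:
        return []
    tls_dir = rva_to_offset(sections, tls_rva)
    # AddressOfCallBacks is the 4th pointer-sized field of IMAGE_TLS_DIRECTORY and holds a VA, not an RVA
    callbacks_va = struct.unpack_from(pfmt, data, tls_dir + 3 * psz)[0]
    off = rva_to_offset(sections, callbacks_va - image_base)
    rvas = []
    while True:
        va = struct.unpack_from(pfmt, data, off)[0]
        if va == 0:                         # the array is null-terminated
            break
        rvas.append(va - image_base)
        off += psz
    return rvas


def find_peb_checks(data):
    """[(callback_rva, bool)]: does each callback open with the PEB.BeingDebugged read?"""
    _, sections, _, _, _ = parse_pe(data)
    out = []
    for rva in tls_callbacks(data):
        off = rva_to_offset(sections, rva)
        out.append((rva, data[off:off + len(PEB_BEINGDEBUGGED_CHECK)] == PEB_BEINGDEBUGGED_CHECK))
    return out


# Constructed demo image (not the Arma sample): one section holding the TLS directory,
# a two-entry callback array, and two callback stubs at RVAs 0x1100 and 0x1140.
IMAGE_BASE, SEC_VA, SEC_RAW, SEC_SIZE = 0x140000000, 0x1000, 0x200, 0x200

def build_demo_pe(callback_rvas, stubs):
    body = bytearray(SEC_SIZE)
    # IMAGE_TLS_DIRECTORY64: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (points just past this 40-byte struct), SizeOfZeroFill, Characteristics
    body[0:40] = struct.pack("<QQQQII", 0, 0, IMAGE_BASE + SEC_VA + 0x1F0, IMAGE_BASE + SEC_VA + 40, 0, 0)
    arr = b"".join(struct.pack("<Q", IMAGE_BASE + r) for r in callback_rvas) + b"\0" * 8
    body[40:40 + len(arr)] = arr
    for rva, code in stubs.items():
        body[rva - SEC_VA:rva - SEC_VA + len(code)] = code
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)          # AMD64, 1 section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<Q", opt, 24, IMAGE_BASE)
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 9 * 8, SEC_VA, 40)     # TLS data directory -> start of section
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", SEC_SIZE, SEC_VA, SEC_SIZE, SEC_RAW, 0, 0, 0, 0, 0x40000040)
    return bytes((dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(SEC_RAW, b"\0")) + bytes(body)

DEMO_IMAGE = build_demo_pe(
    [0x1100, 0x1140],
    {0x1100: PEB_BEINGDEBUGGED_CHECK + bytes.fromhex("85 c0 c3"),   # ... test eax, eax ; ret
     0x1140: b"\xc3"},                                              # a benign callback: just ret
)

if __name__ == "__main__":
    for rva, peb in find_peb_checks(DEMO_IMAGE):
        print("TLS callback at RVA %#x: %s" % (rva, "PEB.BeingDebugged check" if peb else "no PEB check"))
```

The same walk is what pefile does behind `DIRECTORY_ENTRY_TLS`; doing it by hand makes the VA-versus-RVA trap explicit, which is where most hand-rolled TLS parsers go wrong on relocated images.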

3. The Modified Export Table

The binary exports 43 functions, but only 6 are named, and those six are the legitimate Arma 3 server exports. The remaining 37 are ordinal-only, with ordinals ranging from 11 to 4154. The gaps in the ordinal sequence and the absence of names suggest these exports were added after the original build rather than emitted by Bohemia's linker. Ordinal-only exports are a common way to hide functionality from casual inspection: most PE tools display named exports prominently, while ordinal exports require deliberate examination (pefile's DIRECTORY_ENTRY_EXPORT lists them, as does `dumpbin /exports`). The fastest way to isolate the additions is to diff the export directory against a known-good arma3server_x64.exe of the same version.

4. Encrypted Configuration in .data

Three 256-byte blocks in the .data section, beginning at section offset 0x4D00, have entropy exceeding 7.0: effectively random data in a section that should contain initialized variables and string literals. XOR brute-force and known-plaintext attacks did not yield readable content, suggesting AES or a custom encryption scheme. The entropy figure itself argues against simple XOR: a single-byte key is a bijection on byte values and leaves the plaintext's entropy unchanged, and even a short repeating key rarely pushes a block of config text above 7.0. These blocks almost certainly contain C2 configuration, but without executing the binary to the point where it decrypts them in a controlled environment, the encryption could not be broken during this investigation.
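The entropy claim and the failed XOR attempt are both reproducible from the raw section bytes. The block below is an added example for this article, not code from the investigation: it slides a 256-byte window over a section, reports windows above the 7.0 threshold, and runs a single-byte XOR brute force and a known-plaintext key recovery against anything it finds. It runs on a constructed section (zeros, a config string obfuscated with one XOR byte, an ordinary string literal, and a 256-byte permutation standing in for an AES-like ciphertext block); the config string and its 203.0.113.0/24 addresses are made up for the demo. With pefile installed, the real input is `pefile.PE(path).sections[i].get_data()` for the .data section.

```python
import math
import random


def shannon_entropy(buf):
    """Bits per byte: 8.0 is uniformly random; code and text usually sit well below 7."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_high_entropy_blocks(section, block_size=256, threshold=7.0, step=None):
    """(offset, entropy) for every window of block_size bytes whose entropy exceeds threshold."""
    step = step or block_size
    return [(off, round(e, 2))
            for off in range(0, len(section) - block_size + 1, step)
            if (e := shannon_entropy(section[off:off + block_size])) > threshold]


# Config strings are usually null-padded, so NUL counts as acceptable output alongside text.
PRINTABLE = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}


def xor_single_byte_candidates(block):
    """{key: plaintext} for every single-byte XOR key that turns the block into printable text."""
    out = {}
    for key in range(256):
        pt = bytes(b ^ key for b in block)
        if all(b in PRINTABLE for b in pt):
            out[key] = pt
    return out


def known_plaintext_key(block, crib):
    """Key stream implied by a suspected plaintext prefix; all-identical bytes mean a single-byte key."""
    return bytes(b ^ c for b, c in zip(block, crib))


def triage_section(section):
    """For each high-entropy window, record which single-byte XOR keys (if any) yield text."""
    return [{"offset": off, "entropy": ent,
             "xor_keys": sorted(xor_single_byte_candidates(section[off:off + 256]))}
            for off, ent in find_high_entropy_blocks(section)]


# Constructed 4 KiB ".data" section for the demo (not bytes from the sample).
CONFIG_PLAINTEXT = b"c2=203.0.113.10:6666;backup=203.0.113.11:8888;"
XOR_KEY = 0x5A
_xor_block = bytes(b ^ XOR_KEY for b in CONFIG_PLAINTEXT)
_random_block = bytes(random.Random(7).sample(range(256), 256))   # each byte value once: entropy 8.0
SAMPLE_SECTION = b"".join([
    b"\0" * 0x400,
    _xor_block.ljust(0x100, b"\0"),                        # 0x400: XOR-obfuscated config, null padded
    b"\0" * 0x200,
    b"Arma3Retail_Server_x64.pdb\0".ljust(0x100, b"\0"),   # 0x700: an ordinary string literal
    _random_block,                                         # 0x800: stand-in for a real ciphertext block
    b"\0" * 0x700,
])

if __name__ == "__main__":
    print(triage_section(SAMPLE_SECTION))
    print(xor_single_byte_candidates(SAMPLE_SECTION[0x400:0x400 + len(CONFIG_PLAINTEXT)])[XOR_KEY])
    print(known_plaintext_key(SAMPLE_SECTION[0x400:], b"c2="))
```

Note the asymmetry the investigation relied on: the XOR-obfuscated string never crosses the entropy threshold and is recovered by both attacks, while the permutation block scores exactly 8.0 and survives every single-byte key. High entropy plus no recoverable XOR key is the signature of a real cipher, and at that point the practical route is dynamic: break on the decryption routine and read the configuration out of memory.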

PE Section Layout

Section | Virtual Size | Raw Size   | Entropy | Notes
--------|--------------|------------|---------|-----------------------------------------------
.text   | 23,999,676   | 24,000,000 | 6.45    | Main code; includes the injected trojan code
.rdata  | 5,334,108    | 5,334,528  | 5.74    | Read-only data
.data   | 1,032,552    | 585,728    | 3.82    | Contains 3 high-entropy encrypted config blocks
.pdata  | 1,155,888    | 1,156,096  | 6.85    | Exception handling data
_RDATA  | 80,144       | 80,384     | 5.49    | Runtime data
.rsrc   | 520,192      | 520,192    | 5.63    | Resources (PNGs, icons)
.reloc  | 355,588      | 355,840    | 5.46    | Relocations

The section entropy values are consistent with a legitimate compiled binary -- no packed or fully encrypted sections. The trojanization was surgical: specific code additions and export table modifications rather than wholesale packing or section injection. This makes the binary harder to detect via entropy-based scanning because it still looks like a normal compiled executable.

Attack Chain

                        SILVERFOX / VALLEYRAT KILL CHAIN
 ============================================================================

 [1] DELIVERY                [2] SOCIAL ENGINEERING       [3] EXECUTION
 Piracy/crack site     --->  "Arma SE7.exe"        --->  User launches trojanized
 or phishing page            (trojanized Arma 3           game server binary
                              v2.20 server, 30.5MB)             |
                                                                |
                                                                v
 [6] C2 COMMUNICATION        [5] PAYLOAD DEPLOYMENT      [4] ANTI-ANALYSIS GATE
 ValleyRAT beacon      <---  Winos 4.0 framework   <---  TLS callbacks check
 to Tencent Cloud /          loads RAT modules            PEB.BeingDebugged +
 AWS HK / Vultr SG           (process injection,          NtGlobalFlag, timing
 on ports 447/6666/          privilege escalation,        checks, user input
 8888/821/822                registry persistence)        verification
                                                                |
                                                          [If analysis detected]
                                                                |
                                                                v
                                                          Crash / dormancy
                                                          (WerFault.exe)
                                                          5/6 sandboxes evaded

The delivery vector is inferred rather than confirmed. The filename "Arma SE7.exe" and the nature of the trojanization point toward distribution through piracy or game cracking communities. Arma 3 dedicated server binaries are commonly sought by players who want to host private or modified game servers, and cracking sites are a natural watering hole for this demographic. Related SilverFox samples use social engineering filenames in Chinese -- "Q1 2026 Internal Violators List Bulletin," "2025 Q2 Staff Violations List" -- suggesting the group maintains multiple delivery vectors for different target populations.

Sandbox Evasion: 5 of 6 Defeated

The anti-analysis techniques are effective. Across six VirusTotal sandboxes, the sample produced almost no useful behavioral data:

Sandbox     | Behavior Tags                                            | C2 Communication         | What Happened
------------|----------------------------------------------------------|--------------------------|----------------------------------------------
C2AE        | None                                                     | None                     | 1 registry key set, nothing else
CAPE        | DETECT_DEBUG_ENVIRONMENT, OBFUSCATED                     | None                     | Debug evasion detected, no execution
VT Jujubox  | None                                                     | None                     | IsDebuggerPresent + GetTickCount timing check
VT Observer | None                                                     | None                     | 3 files written, 1 registry key, no network
Yomi Hunter | None                                                     | None                     | Complete silence
Zenbox      | CHECKS_USER_INPUT, DETECT_DEBUG_ENVIRONMENT, LONG_SLEEPS | DNS only (Microsoft CDN) | Crashed to WerFault.exe

No sandbox captured C2 communication. The combination of TLS callback anti-debugging, GetTickCount timing checks, user input verification, and long sleep delays creates a layered evasion strategy that defeated automated analysis across the board. Only CAPE and Zenbox even detected the anti-analysis behavior -- the other four sandboxes saw nothing at all.

The Zenbox result is particularly informative: after detecting the sandbox environment, the binary crashed itself to WerFault.exe -- Windows Error Reporting. To a monitoring system watching process trees, this looks like a legitimate application crash rather than deliberate evasion. ANY.RUN's public analysis of this sample similarly reported "No threats detected."

One mutex was observed across sandbox runs: Global\6c333df7-4b9a-480e-ac10-afb3bf603d27. This is likely used to prevent multiple instances of the trojan from running simultaneously on a compromised host.

Import Table: Game APIs Mixed with Weaponry

The import table is where the trojanization becomes most visible. Alongside hundreds of legitimate game engine imports (DirectX, Winsock, multimedia APIs), the binary imports a constellation of functions that have no business being in a game server:

DLL          | Suspicious Imports
-------------|------------------------------------------------------------------------------------------------------------------------------------------
KERNEL32.dll | VirtualAlloc, VirtualProtect, CreateProcessA/W, CreateToolhelp32Snapshot, Process32First/Next, WinExec, LoadLibraryA/W, GetProcAddress, IsDebuggerPresent
ADVAPI32.dll | AdjustTokenPrivileges, CryptEncrypt, RegSetValueExA
SHELL32.dll  | ShellExecuteA, ShellExecuteW

Taken individually, several of these are unremarkable: any large application imports VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress, and a game engine with extension support spawns processes. The signal is the combination. A game server has no reason to call AdjustTokenPrivileges (enabling privileges such as SeDebugPrivilege), CreateToolhelp32Snapshot with Process32First/Next (process enumeration), or CryptEncrypt (encrypting C2 traffic or staged data). WinExec alongside CreateProcessA/W suggests fallback execution paths: if one process-creation API is hooked or blocked, the malware has alternatives. The decisive check is a diff of this import table against a known-good arma3server_x64.exe of the same version; anything present here and absent there was added by the operators.

Infrastructure Analysis: Five ASNs, Two Continents, One Threat Actor

The C2 infrastructure mapped through ThreatFox correlation spans seven IPs across five autonomous systems and one domain, with a clear preference for Asian hosting providers:

C2 IP Infrastructure

IP                    | Port(s)        | ASN      | Provider        | Country | Status  | First Seen
----------------------|----------------|----------|-----------------|---------|---------|-----------
43[.]133[.]39[.]217   | 80             | AS132203 | Tencent Cloud   | SG      | OFFLINE | 2025-09-24
150[.]109[.]127[.]175 | 821, 822       | AS132203 | Tencent Cloud   | HK      | OFFLINE | 2025-09-24
207[.]148[.]123[.]69  | 80, 6666, 8888 | AS20473  | Vultr           | SG      | OFFLINE | 2026-03-10
154[.]211[.]5[.]176   | 6666, 8888     | AS329611 | Fastmos Co Ltd  | HK      | UNKNOWN | 2026-03-10
108[.]187[.]7[.]20    | 996, 997       | --       | SpeedVM Network | US      | UNKNOWN | 2026-03-10
108[.]187[.]4[.]221   | 447            | --       | SpeedVM Network | US      | UNKNOWN | 2026-03-10
192[.]163[.]168[.]49  | 447            | --       | SpeedVM Network | US      | UNKNOWN | 2026-03-10

Domain Infrastructure

Domain        | IP                            | Registrant | Registrar                     | Created    | Purpose
--------------|-------------------------------|------------|-------------------------------|------------|-------------
cdklskjd[.]cn | 43[.]199[.]110[.]109 (AWS HK) | Peng Benbo | Hangzhou Yunji Communications | 2025-12-14 | ValleyRAT C2

Hosting Hierarchy

SILVERFOX C2 INFRASTRUCTURE MAP
================================

Tier 0: Primary C2 (Asian Cloud Providers)
  |
  +-- AS132203 (Tencent Cloud / TENCENT-NET-AP-CN, Shenzhen CN)
  |     +-- 43.133.39.217:80        [Singapore, OFFLINE since Sep 2025]
  |     +-- 150.109.127.175:821,822 [Hong Kong, OFFLINE since Sep 2025]
  |
  +-- AWS ap-east-1 (Hong Kong)
  |     +-- 43.199.110.109          [cdklskjd.cn, ValleyRAT C2]
  |
  +-- AS20473 (Vultr / Constant Company, Singapore)
  |     +-- 207.148.123.69:80,6666,8888 [OFFLINE, reported Mar 2026]
  |
  +-- AS329611 (Fastmos Co Limited, Hong Kong)
        +-- 154.211.5.176:6666,8888 [Status unknown]

Tier 1: Budget VPS (US-based)
  |
  +-- SpeedVM Network Group LLC (Los Angeles, US)
        +-- 108.187.7.20:996,997   [Status unknown]
        +-- 108.187.4.221:447      [Status unknown]
        +-- 192.163.168.49:447     [Status unknown]

Port Fingerprint

ValleyRAT/Winos 4.0 infrastructure uses a consistent and recognizable port selection that can serve as a network-level detection signature:

Port    | Protocol        | Purpose
--------|-----------------|------------------------------------------
447     | Modified HTTPS  | Primary encrypted C2 (SpeedVM nodes)
6666    | Raw TCP         | C2 channel (Vultr, Fastmos nodes)
8888    | Raw TCP         | Secondary C2 channel
821/822 | Custom protocol | Tencent Cloud C2 (older infrastructure)
80      | HTTP            | C2 fallback (Tencent, Vultr)
996/997 | Custom protocol | SpeedVM C2 channel

The port pattern is consistent enough across infrastructure nodes that it works as a behavioural fingerprint, with one caveat: 6666 (IRC), 8888 (development proxies and notebook servers) and 447 all carry legitimate traffic, so a single connection is a weak signal on its own. Repeated connections from one host to the same destination on these ports, particularly into Tencent Cloud, AWS ap-east-1, Vultr Singapore or Fastmos address space, should be investigated as potential ValleyRAT beacons.

The SilverFox Campaign: Bigger Than One Sample

This is not an isolated trojanized binary. MalwareBazaar contains 100+ samples tagged as SilverFox, with active submissions as recently as March 10, 2026. The campaign uses multiple malware families under a single operational umbrella:

SHA256 (truncated) | Filename                            | Signature     | First Seen
-------------------|-------------------------------------|---------------|-----------
95e30af4...        | PoisonX.exe                         | PrivateLoader | 2026-03-10
cf4203625...       | jinyou.exe                          | ValleyRAT     | 2026-03-10
525b4900f...       | Glnstaller.exe                      | Gh0stRAT      | 2026-03-10
e9d138b69...       | 2026 Q1 Internal Violators List.exe | SilverFox     | 2026-03-10
3c78c8b86...       | 2025 Q2 Staff Violations List.exe   | SilverFox     | 2026-03-10

The filenames tell a story. The Chinese-language social engineering documents -- "Q1 2026 Internal Violators List," "2025 Q2 Staff Violations List" -- suggest a parallel targeting track aimed at Chinese corporate environments, where a document purporting to list employees who violated company policy would be irresistible to open. Meanwhile, "PoisonX.exe" and "Glnstaller.exe" suggest distribution through gaming and software piracy channels, consistent with the Arma 3 trojanization vector.

The cross-tagging with Gh0stRAT is significant. Gh0stRAT is one of the oldest Chinese-origin RATs still in active use, and its codebase has been shared, forked, and evolved by multiple threat groups over the past decade. ValleyRAT/Winos 4.0 appears to be the next evolution in this lineage -- a modular framework that retains Gh0stRAT's operational concepts while updating the technical implementation.

Attribution: Five Lines to China

The attribution to a Chinese-origin threat group rests on five independent evidence chains:

1. C2 Infrastructure (Tencent Cloud) Two of the seven C2 IPs sit on AS132203, Tencent Cloud, whose registered address is Tencent Building, Kejizhongyi Avenue, Hi-tech Park, Nanshan District, Shenzhen. This is not infrastructure you end up on by accident. Tencent Cloud's mainland service requires real-name identity verification; its international arm is open to foreign customers, so this line is supporting rather than conclusive on its own, but it is a provider that Chinese-speaking operators choose far more often than anyone else does.

2. Domain Registration The domain cdklskjd[.]cn is registered to an individual named Peng Benbo, using the email address di823748@163[.]com. .cn registrations are subject to CNNIC real-name verification, which is easiest to satisfy with Chinese identity documents. The 163.com email domain belongs to NetEase, a Chinese internet services company; it is the Chinese equivalent of using a Gmail address. The registrar, Hangzhou Yunji Communications, is a Chinese domain registrar.

3. Social Engineering Language Related samples use Chinese-language filenames targeting Chinese-speaking users. The social engineering themes (employee violation lists, internal bulletins) align with known Chinese corporate culture targeting techniques.

4. Malware Family Lineage ValleyRAT/Winos 4.0 is a documented Chinese-origin RAT framework. Its relationship to Gh0stRAT -- itself one of the most well-studied Chinese malware families in existence -- is well-established in threat intelligence literature.

5. Reporter Context The MalwareBazaar submission was made by a user named "CNGaoLing"; the "CN" prefix is consistent with a Chinese researcher or analyst who discovered the sample in a Chinese-language context. This is the weakest of the five lines and corroborates the others rather than standing independently.

Attribution Confidence: HIGH

OPSEC Failures

For a group with medium-to-high technical sophistication, SilverFox makes some surprising operational security mistakes:

  1. Exposed domain registrant: The cdklskjd[.]cn WHOIS record contains a real name and email address. Whether this is the operator's actual identity or a purchased/stolen identity, it provides a pivot point for further investigation.

  2. Infrastructure provider concentration: The heavy reliance on Tencent Cloud creates a fingerprint. When you see ValleyRAT-like behavior beaconing to Tencent Cloud IPs on ports 6666/8888, you can attribute with reasonable confidence before even completing full analysis.

  3. Consistent port usage: The 6666/8888/447 port pattern is recognizable across infrastructure nodes and campaign periods. This should be rotated between operations but has remained stable.

  4. Unsigned binaries: Stripping the digital signature from a legitimately signed binary is a detectable modification. A more sophisticated approach would involve re-signing with a stolen or fraudulently obtained code signing certificate.

Campaign Timeline

Date       | Event
-----------|--------------------------------------------------------------------------------
2025-06-24 | Arma 3 v2.20 server binary compiled by Bohemia Interactive (legitimate)
2025-09-24 | First SilverFox C2 IOCs reported to ThreatFox (Tencent Cloud IPs)
2025-12-14 | cdklskjd[.]cn domain registered via Hangzhou Yunji Communications
2026-03-08 | Trojanized "Arma SE7.exe" submitted to MalwareBazaar, tagged as Emotet
2026-03-10 | 10+ fresh SilverFox samples submitted to MalwareBazaar, new C2 IOCs reported
2026-03-10 | Breakglass Intelligence investigation confirms misattribution

The nine-month gap between the binary's compile date (June 2025) and its submission to MalwareBazaar (March 2026) raises questions. Was the binary trojanized shortly after compilation and circulated privately for months before detection? Or was it trojanized more recently from an older build? The compile timestamp belongs to the legitimate Arma 3 binary, not the modification, so the actual trojanization date remains unknown.

MITRE ATT&CK Mapping

Tactic               | Technique                                                        | ID        | Implementation
---------------------|------------------------------------------------------------------|-----------|----------------------------------------------------------------------------------------------------------
Initial Access       | Supply Chain Compromise: Compromise Software Supply Chain        | T1195.002 | Trojanized Arma 3 v2.20 server binary (applies where victims obtained it through a channel they trusted; via piracy sites it is plain masquerading)
Execution            | User Execution: Malicious File                                   | T1204.002 | Victim launches game server expecting normal functionality
Defense Evasion      | Masquerading: Match Legitimate Name or Location                  | T1036.005 | Valid Bohemia Interactive version info, Arma 3 PDB path
Defense Evasion      | Debugger Evasion                                                 | T1622     | TLS callback PEB.BeingDebugged + NtGlobalFlag checks
Defense Evasion      | Virtualization/Sandbox Evasion: User Activity Based Checks       | T1497.002 | User input verification
Defense Evasion      | Virtualization/Sandbox Evasion: Time Based Evasion               | T1497.003 | GetTickCount timing checks, long sleeps
Defense Evasion      | Obfuscated Files or Information                                  | T1027     | Encrypted .data configuration blocks (cipher not yet identified)
Persistence          | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | RegSetValueExA import (capability; the specific key written in sandbox runs is not identified in this report)
Discovery            | Process Discovery                                                | T1057     | CreateToolhelp32Snapshot + Process32First/Next
Privilege Escalation | Access Token Manipulation                                        | T1134     | AdjustTokenPrivileges import (enabling privileges such as SeDebugPrivilege; not token impersonation)
Command and Control  | Non-Standard Port                                                | T1571     | Ports 447, 6666, 8888, 821, 822, 996, 997

Detection

VirusTotal Coverage (20/76)

As of investigation time, only 20 of 76 AV engines detected this sample -- a 26% detection rate for a binary that is actively being distributed as part of a campaign with 100+ related samples.

Vendor        | Detection Name
--------------|---------------------------
Kaspersky     | Trojan.Win64.Agent.smfrau
ReversingLabs | Win64.Trojan.Malgent
Microsoft     | Trojan:Win32/Malgent!MSR
YOROI         | Malicious File (1.00)

Notable absences: CrowdStrike Falcon, SentinelOne, and Palo Alto did not flag this sample. Bear in mind that the VirusTotal engines those vendors contribute are static classifiers, not their EDR agents; a miss here says nothing about whether their runtime behavioural detection would catch the TLS-callback checks, the process enumeration or the beacon. The generic detection names ("Agent," "Malgent," "Malicious File") confirm that no vendor has attributed this to SilverFox/ValleyRAT: they are detecting it on heuristics alone, without family identification.

YARA Detection

The following YARA signatures provide detection coverage for this sample and related SilverFox/ValleyRAT binaries. The first is a file-level signature for this trojanized build and its siblings; the second is a low-fidelity hunting rule for C2 configuration strings and belongs in triage, not in a blocking policy.

import "pe"

rule SilverFox_TrojanizedArma3 {
    meta:
        description = "Detects trojanized Arma 3 binaries used by SilverFox group"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
        reference = "emotet-march10 investigation"
        tlp = "WHITE"
        hash = "66406a9f58f42fb6f7d1e31e3aee159641ca5e257521dc325e49ccaec4aeba22"

    strings:
        $pdb = "Arma3Retail_Server_x64.pdb" ascii
        $company = "Bohemia Interactive" wide
        $futura = "\\dev\\Futura\\extern\\PhysX3\\" ascii
        $mutex = "6c333df7-4b9a-480e-ac10-afb3bf603d27" ascii wide

        // TLS callback PEB.BeingDebugged read: mov rax, gs:[0x60] ; movzx eax, byte ptr [rax+2]
        $tls_peb = { 65 48 8B 04 25 60 00 00 00 0F B6 40 02 }

    condition:
        uint16(0) == 0x5A4D and
        filesize > 30MB and
        $pdb and
        $company and
        ($mutex or $tls_peb or $futura) and
        // the legitimate server exports 6 named functions; this sample exports 43
        pe.number_of_exports > 30 and
        // legitimate Bohemia binaries carry an Authenticode signature; this one has none
        pe.number_of_signatures == 0
}

rule ValleyRAT_PortPattern_C2 {
    meta:
        description = "Hunting rule: ValleyRAT/Winos 4.0 C2 port and hosting patterns in PE strings (low fidelity, triage only)"
        author = "Breakglass Intelligence"
        date = "2026-03-10"

    strings:
        // word boundary keeps ":6666" from matching ":66660" and similar
        $port_6666 = /:6666\b/ ascii wide
        $port_8888 = /:8888\b/ ascii wide
        $port_447 = /:447\b/ ascii wide
        // a hostname ending in .cn, rather than any ".cn" substring
        $cn_domain = /[a-z0-9-]+\.cn\b/ ascii wide nocase
        $tencent_range = "43.133." ascii
        $tencent_range2 = "150.109." ascii

    condition:
        uint16(0) == 0x5A4D and
        2 of ($port_*) and
        ($cn_domain or $tencent_range or $tencent_range2)
}

Suricata Rules

# SilverFox/ValleyRAT C2 Communication Detection

# Detect connections to known ValleyRAT non-standard ports
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666 (
    msg:"ET MALWARE Possible ValleyRAT/SilverFox C2 Beacon (Port 6666)";
    flow:established,to_server;
    threshold:type both, track by_src, count 3, seconds 300;
    classtype:trojan-activity;
    sid:2026031001; rev:1;
    metadata:created_at 2026_03_10, updated_at 2026_03_10;
)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (
    msg:"ET MALWARE Possible ValleyRAT/SilverFox C2 Beacon (Port 8888)";
    flow:established,to_server;
    threshold:type both, track by_src, count 3, seconds 300;
    classtype:trojan-activity;
    sid:2026031002; rev:1;
    metadata:created_at 2026_03_10, updated_at 2026_03_10;
)

alert tcp $HOME_NET any -> $EXTERNAL_NET 447 (
    msg:"ET MALWARE Possible ValleyRAT/SilverFox Modified HTTPS C2 (Port 447)";
    flow:established,to_server;
    classtype:trojan-activity;
    sid:2026031003; rev:1;
    metadata:created_at 2026_03_10, updated_at 2026_03_10;
)

# Detect DNS query for known SilverFox C2 domain
alert dns $HOME_NET any -> any any (
    msg:"ET MALWARE SilverFox/ValleyRAT C2 Domain (cdklskjd.cn)";
    dns.query; content:"cdklskjd"; content:".cn"; distance:0;
    classtype:trojan-activity;
    sid:2026031004; rev:1;
    metadata:created_at 2026_03_10, updated_at 2026_03_10;
)

# Detect connections to known SilverFox Tencent Cloud C2 IPs
alert ip $HOME_NET any -> [43.133.39.217,150.109.127.175] any (
    msg:"ET MALWARE SilverFox/ValleyRAT Known Tencent Cloud C2";
    classtype:trojan-activity;
    sid:2026031005; rev:1;
    metadata:created_at 2026_03_10, updated_at 2026_03_10;
)

Behavioral Detection Opportunities

Beyond signature-based detection, defenders should monitor for the following behavioral patterns:

  1. Unsigned Arma 3 executables: Any arma3server_x64.exe or similarly named binary without a valid Bohemia Interactive code signature should be investigated immediately.

  2. Process ancestry anomalies: A game server binary spawning cmd.exe, powershell.exe, or making outbound connections to Chinese cloud providers is not normal game server behavior.

  3. Mutex creation: Global\6c333df7-4b9a-480e-ac10-afb3bf603d27 -- this exact GUID can be used as a host-based IOC for hunting.

  4. Network connections on port 6666/8888/447: Outbound TCP connections to these ports, particularly to Asian IP ranges (Tencent Cloud AS132203, AWS ap-east-1), should trigger investigation.
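The port-fingerprint and known-C2 checks above are easy to run retroactively over connection logs, which is what most teams will do before any IDS rule ships. The script below is an added example for this article, not a Breakglass tool: it reads simplified Zeek-style conn records (ts, orig_h, orig_p, resp_h, resp_p, proto; map your real columns accordingly), raises an alert for any contact with the listed C2 addresses, and applies the same 3-in-300-seconds threshold as the Suricata rules to TCP connections on the fingerprint ports. The log it runs on is constructed with documentation-range addresses. It does no ASN lookup; pass the flagged destinations to your enrichment pipeline to apply the "Asian cloud provider" qualifier.

```python
from collections import defaultdict

# Port fingerprint and known C2 hosts taken from the infrastructure tables in this report.
C2_PORTS = {447, 821, 822, 996, 997, 6666, 8888}
KNOWN_C2_IPS = {
    "43.133.39.217", "150.109.127.175", "207.148.123.69", "154.211.5.176",
    "108.187.7.20", "108.187.4.221", "192.163.168.49", "43.199.110.109",
}
# Same thresholding as the Suricata rules: 3 connections from one source within 300 seconds.
THRESHOLD_COUNT, THRESHOLD_SECONDS = 3, 300


def parse_conn_line(line):
    """One whitespace-separated record: ts orig_h orig_p resp_h resp_p proto."""
    ts, orig_h, _orig_p, resp_h, resp_p, proto = line.split()
    return {"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "proto": proto}


def detect_valleyrat_beacons(lines):
    """Return (reason, src, dst, port) alerts in log order."""
    alerts = []
    recent = defaultdict(list)           # (src, dst, port) -> timestamps still inside the window
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_conn_line(line)
        if c["resp_h"] in KNOWN_C2_IPS:  # any contact with listed infrastructure is an alert on its own
            alerts.append(("known_c2_ip", c["orig_h"], c["resp_h"], c["resp_p"]))
            continue
        if c["proto"] != "tcp" or c["resp_p"] not in C2_PORTS:
            continue
        key = (c["orig_h"], c["resp_h"], c["resp_p"])
        window = recent[key]
        window.append(c["ts"])
        while window and c["ts"] - window[0] > THRESHOLD_SECONDS:   # expire entries older than the window
            window.pop(0)
        if len(window) >= THRESHOLD_COUNT:   # repeated contact looks like a beacon; fire once per window
            alerts.append(("port_fingerprint", *key))
            window.clear()
    return alerts


# Constructed sample log (documentation-range addresses), not real traffic: 10.0.0.5 beacons
# three times in two minutes, 10.0.0.7 touches 8888 only every ~6 minutes, 10.0.0.9 contacts a
# listed Tencent Cloud C2 once, and the final UDP record must be ignored.
SAMPLE_CONN_LOG = """\
# ts           orig_h    orig_p  resp_h           resp_p  proto
1773100000.0   10.0.0.5  49152   198.51.100.1     443     tcp
1773100010.0   10.0.0.5  49153   203.0.113.10     6666    tcp
1773100070.0   10.0.0.5  49154   203.0.113.10     6666    tcp
1773100130.0   10.0.0.5  49155   203.0.113.10     6666    tcp
1773100140.0   10.0.0.7  49200   198.51.100.20    8888    tcp
1773100500.0   10.0.0.7  49201   198.51.100.20    8888    tcp
1773100900.0   10.0.0.7  49202   198.51.100.20    8888    tcp
1773101000.0   10.0.0.9  49300   150.109.127.175  822     tcp
1773101010.0   10.0.0.9  53000   198.51.100.20    8888    udp
""".splitlines()

if __name__ == "__main__":
    for alert in detect_valleyrat_beacons(SAMPLE_CONN_LOG):
        print(alert)
```

The threshold is the important part. A single connection to 6666 or 8888 is common enough (IRC, development proxies, notebook servers) that alerting on it alone buries the signal; three to the same host inside five minutes is beacon-shaped, which is why the Suricata rules above carry the same count/seconds pair.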

Indicators of Compromise

File Indicators

# Trojanized Arma 3 Server Binary (SilverFox/ValleyRAT)
SHA256: 66406a9f58f42fb6f7d1e31e3aee159641ca5e257521dc325e49ccaec4aeba22
SHA1:   4e3e4f05c3c9ac911d948cd0f3e612d6497fe21e
MD5:    bc633b52efd493bf6be65099fcd89fbb

# PE Metadata
Imphash:      1f1cdd23e3f42cade6020fa0bc6d76b5
Rich PE Hash: 9289e886a688cd18c5d917d4ddcaecb3
SSDeep:       393216:7tKMmQIrNrO5h/E0omQBFviP92cveWRe7CXLvhHJxZpZ2Sh7/Blqi8bo2X:PArFB4C
TLSH:         T110676C0272B011D4D169D5398B0BD957EB713AAA0F71D7CB12A0D65AAFB79F01CFE220

Network Indicators

# C2 IPs (defanged)
43[.]133[.]39[.]217:80             (Tencent Cloud, Singapore)
150[.]109[.]127[.]175:821,822      (Tencent Cloud, Hong Kong)
207[.]148[.]123[.]69:80,6666,8888  (Vultr, Singapore)
154[.]211[.]5[.]176:6666,8888      (Fastmos, Hong Kong)
108[.]187[.]7[.]20:996,997         (SpeedVM, US)
108[.]187[.]4[.]221:447            (SpeedVM, US)
192[.]163[.]168[.]49:447           (SpeedVM, US)
43[.]199[.]110[.]109               (AWS Hong Kong -- cdklskjd[.]cn)

# C2 Domains (defanged)
cdklskjd[.]cn

Behavioral Indicators

# Mutex
Global\6c333df7-4b9a-480e-ac10-afb3bf603d27

# PDB Path (embedded in binary)
O:\Arma3\Arma3Retail_Server_x64.pdb

# Export Name
Arma3Retail_Server_x64.exe

Registration Data

# Domain registrant (cdklskjd[.]cn)
Registrant:  Peng Benbo
Email:       di823748@163[.]com
Registrar:   Hangzhou Yunji Communications
NS:          ns1.22.cn
Created:     2025-12-14

Recommended Actions

Immediate (24-48 hours)

  • Block all listed C2 IPs at the network perimeter, proxy, and DNS sinkhole
  • Deploy the YARA rules above to endpoint detection platforms
  • Deploy the Suricata rules to network IDS/IPS
  • Search historical logs for the SHA256, MD5, and imphash values
  • Hunt for the mutex Global\6c333df7-4b9a-480e-ac10-afb3bf603d27 across endpoints
  • Search for any unsigned Arma 3 executables in the environment

Short-term (1-2 weeks)

  • Monitor cdklskjd[.]cn for infrastructure changes (new IPs, subdomains)
  • Search netflow data for outbound connections to ports 447, 6666, and 8888
  • Submit indicators to organizational threat sharing platforms (MISP, STIX/TAXII feeds, relevant ISACs)
  • Review game server hosting environments for unsigned or modified binaries

Medium-term (1-3 months)

  • Monitor MalwareBazaar's SilverFox tag for new submissions
  • Track the registrant email di823748@163[.]com for additional domain registrations
  • Monitor Tencent Cloud IP ranges (AS132203) for new C2 infrastructure
  • Audit software distribution channels for trojanized legitimate binaries
  • Consider code signing enforcement policies for server environments

The Misattribution Problem

This investigation highlights a systemic issue in automated threat intelligence. MalwareBazaar is an invaluable resource -- one of the most important public malware repositories in existence. But its tagging relies on a combination of automated signature matching, YARA rule hits, and community submissions. When those heuristics produce a false positive, the wrong label propagates through every downstream feed, SIEM integration, and threat report that consumes the data.

An organization that ingested this sample's IOCs as Emotet indicators would have:

  • Applied Emotet-specific detection rules (designed for small DLLs delivered via Office macros, not 30MB trojanized game binaries)
  • Searched for Emotet-associated infrastructure (Emotet's historical mix of compromised web servers and bulletproof hosting, not Tencent Cloud)
  • Missed the actual C2 infrastructure entirely (ValleyRAT's port 6666/8888/447 pattern is not in any Emotet playbook)
  • Failed to look for related SilverFox samples (100+ additional IOCs sitting in the same repository, tagged correctly)

The corrective action is straightforward: verify automated attributions against the actual sample characteristics before propagating them into detection infrastructure. A 30-second check -- file size, compile target, version information, import table -- would have flagged this as inconsistent with Emotet. Automation is a force multiplier, but it is not a substitute for analysis.

Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 1 misattributed sample corrected. 7 C2 IPs mapped. 100+ related samples identified. 5 of 6 sandboxes evaded. Classification: TLP:CLEAR
