high🐀RAT

publishedMarch 12, 2026

ValleyRAT "Codemark" Campaign: XOR 0x44 Shellcode Loader, a C2 Operator Named TEDDY2012, and 22 Live Servers Across the March 2026 Chinese-Nexus Offensive

Threat Actors:ProfileAssessmentTimeline

#loader#cobalt-strike#phishing#c2#exploit#apt

TL;DR: A freshly compiled ValleyRAT Stage 2 shellcode loader (490a5bf534bc...) appeared on MalwareBazaar less than 24 hours after compilation, sporting single-byte XOR 0x44 encryption over its config and embedded PIC shellcode, three C2 channels on a single Vultr Singapore VPS (207.148.123[.]69), and a campaign marker string -- "codemark" -- that ties this sample to a broader March 2026 wave. The operator left RDP wide open on the C2 server, leaking a self-signed certificate with the hostname TEDDY2012 and confirming Windows Server 2012 R2 -- end-of-life since October 2023. Infrastructure pivoting through ThreatFox mapped 22 unique C2 IPs and 5 domains across Alibaba Cloud, Tencent Cloud, Vultr, and SpeedVM, all registered through the same Singapore-based registrar (Gname.com) using the same shared DNS infrastructure. The config block contains Chinese-language capability flags and the keylogger and screenshot modules are both enabled. This is Silver Fox at scale, and they are not slowing down.

The Sample: 20 Hours From Compiler to MalwareBazaar

On March 10, 2026 at 09:40 UTC, a 87.5 KB PE32 binary landed on MalwareBazaar. Its compilation timestamp read March 9, 2026 at 13:21:25 UTC -- less than twenty hours earlier. The original filename embedded in the PE resources was Shellcod.exe, which is the kind of naming convention that tells you the author does not expect this binary to survive on disk long enough for anyone to notice. They are right about the intent, wrong about the analysis.

The sample is a Windows GUI executable targeting 32-bit Intel systems. It weighs in at exactly 89,600 bytes -- lean for a Stage 2 loader, but it packs everything it needs into five PE sections and a XOR-encrypted config block that decodes at runtime to reveal the full C2 layout, capability flags, and campaign identifier.

Attribute	Value
SHA256	`490a5bf534bc615c35443551adf8e23208a2b89b694cbeaa678f5206117b053c`
MD5	`31ab710b59f896d44fd2ed8ce7faaf3c`
SHA1	`7914a2de3e4ce421dca51154d5cad9c4221b21f7`
Imphash	`bf5235ce41f501cf894253dbc248cbbf`
File Type	PE32 executable (GUI) Intel 80386, for MS Windows
File Size	89,600 bytes
Compiled	2026-03-09 13:21:25 UTC
Original Filename	Shellcod.exe
Copyright	Copyright (C) 2026

What immediately stands out in static analysis is what is missing. Every standard Windows security mitigation has been deliberately stripped:

ASLR: Disabled (no DYNAMIC_BASE flag)
DEP/NX: Disabled (no NX_COMPAT flag)
SEH: Disabled (no NO_SEH flag)
PE Checksum: 0x0 (not computed)

The only flag present is TERMINAL_SERVER_AWARE. The developer wanted the absolute minimum overhead between execution and shellcode deployment. Stripping ASLR and DEP is a double-edged decision: it makes the payload more reliable on older, unpatched Windows systems (which is likely the target environment), but it also makes the binary trivially analyzable in a debugger. You cannot randomize what was never randomized.

There is also a TODO: < string in the PE resources -- a developer note that was never cleaned up before the build went out the door. This is not the work of a meticulous operator.

Peeling the XOR: How 0x44 Unlocks the Payload

The .data section is where everything interesting lives. A frequency analysis of the raw bytes reveals that 0x44 appears 405 times -- more than any other byte value. In a section that should contain mostly null-padded structures, the most frequent byte maps directly to the XOR key: 0x44 XOR 0x00 = 0x44. This is single-byte XOR encryption at its most transparent. No key schedule, no rotation, no LFSR -- just one byte applied uniformly across the config block and the embedded shellcode.

Decrypting with 0x44 produces three critical artifacts:

1. Position-Independent Shellcode (2,036 bytes) at .data+0x08F0

The shellcode opens with a textbook PEB-walking prologue:

push ebp
mov ebp, esp
and esp, 0xFFFFFFF8    ; align stack
sub esp, 0x214          ; allocate local frame
mov eax, fs:[0x30]      ; PEB access via TEB

From there, it walks the Process Environment Block to locate loaded modules, then resolves APIs by pushing pre-computed hashes and calling a custom resolver function. The hash values map to the usual suspects:

API Hash	Likely Resolution
`0x1AB9B854`	NtAllocateVirtualMemory
`0x7F201F78`	NtProtectVirtualMemory
`0x5E893462`	LoadLibraryA
`0x06488073`	GetProcAddress variant

The libraries it dynamically loads -- ntdll, Ws2_32.dll, kernel32, advapi32, user32 -- cover the full spectrum: native API access, network sockets, process management, privilege escalation, and window manipulation. The presence of Ws2_32.dll confirms network communication is handled at the Winsock level rather than through higher-level HTTP libraries, which is consistent with ValleyRAT's raw TCP C2 protocol.

At decoded offset 0x0A00-0x0A40, the shellcode performs a byte-by-byte string comparison against "codemar" (the first 7 characters of "codemark"). This is a build validation check -- the shellcode confirms it is running inside the correct loader by verifying the campaign marker before establishing the C2 connection. If the marker is wrong, the shellcode never phones home.

2. C2 Configuration Block at .data+0x10E4

The decoded config block contains pipe-delimited UTF-16LE capability flags, the C2 IP address, port assignments, and a profile name in Simplified Chinese:

{
  "campaign_marker": "codemark",
  "xor_key": "0x44",
  "c2_primary": "207.148.123.69:6666",
  "c2_secondary": "207.148.123.69:8888",
  "c2_http": "207.148.123.69:80",
  "capabilities": {
    "db (data exfil)": "DISABLED",
    "lk (keylogger)": "ENABLED",
    "hs (host survey)": "ENABLED",
    "ld (loader)": "DISABLED",
    "ll (lateral movement)": "DISABLED",
    "hb (heartbeat)": "DISABLED",
    "pj (process injection)": "DISABLED"
  },
  "profile_name": "default (Chinese)",
  "version": "1.0"
}

Two capability flags are enabled: lk (keylogger, implemented via SetWindowsHookEx) and hs (host survey/screenshot). The remaining five -- data exfiltration, loader, lateral movement, heartbeat, and process injection -- are disabled in this build. This is a reconnaissance-focused configuration: capture keystrokes, take screenshots, survey the host, and report back. The full offensive toolkit is available but not yet armed, which suggests this is an initial access or staging payload rather than a final-stage implant.

The profile name decodes to Chinese characters meaning "default" (morenr/moren reversed in UTF-16LE encoding), confirming the builder interface uses Simplified Chinese.

3. The "codemark" Campaign Identifier

The string "codemark" appears both in plaintext and in its XOR-encoded form (0x27 0x2B 0x20 0x25 0x29 0x23 0x36 0x2F). This is the campaign tag -- a builder-assigned identifier that likely maps to a specific operator, target set, or operational phase. Tracking this marker across future MalwareBazaar and ThreatFox submissions will reveal whether the same operator continues deploying under this tag or rotates to a new one.

The UAC Bypass: ICMLuaUtil and CMSTP COM Elevation

YARA signatures from multiple vendors flagged two UAC bypass techniques embedded in the binary:

ICMLuaUtil COM interface (matched by Marius Genheimer's ICMLuaUtil_UACMe_M41 rule) -- a well-known elevation method that abuses the auto-elevation property of the ICMLuaUtil COM object to launch a high-integrity process without triggering a UAC prompt.
CMSTP COM interface (matched by ditekSHen's INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM rule) -- uses the Connection Manager Service Profile Installer to side-load a malicious INF file with elevated privileges.

Both techniques are documented in the UACMe project and have been used across Chinese-nexus malware families for years. Their presence here is not novel, but it confirms that the ValleyRAT builders maintain a current library of privilege escalation methods.

The Attack Chain

The full execution flow from delivery to collection looks like this:

[Delivery (unknown vector)]
        |
        v
[Shellcod.exe - Stage 2 Loader]
        |
        v
[XOR 0x44 Decryption of .data section]
        |
        v
[PIC Shellcode (2,036 bytes)]
   |-- PEB walk to locate modules
   |-- API resolution by hash (ntdll, Ws2_32, kernel32, advapi32, user32)
   |-- "codemar" validation check
   |-- UAC bypass (ICMLuaUtil / CMSTP COM)
        |
        v
[C2 Beacon to 207.148.123[.]69]
   |-- Port 6666 (primary, raw TCP)
   |-- Port 8888 (secondary, raw TCP)
   |-- Port 80 (HTTP fallback)
        |
        v
[Active Modules]
   |-- Keylogger (SetWindowsHookEx)
   |-- Host Survey / Screenshot Capture
   |-- System Enumeration (drives, processes)

The delivery mechanism is not present in this sample -- this is a Stage 2 loader, which means it was dropped or downloaded by a prior-stage component. Based on prior ValleyRAT campaign reporting, the initial vector is typically a trojanized software installer, phishing document, or drive-by download targeting Chinese-speaking victims.

TEDDY2012: The OPSEC Failure That Maps an Operator

Here is where this investigation goes from routine sample analysis to something more interesting.

A TCP probe against the C2 IP confirmed port 6666 was open and accepting connections at the time of analysis -- the server was live and operational. But port 6666 was not the only service exposed. Port 3389 was also open, running Microsoft Remote Desktop Protocol with a self-signed TLS certificate.

The certificate's Common Name: TEDDY2012.

The NTLM authentication response confirmed the target name matched: this is the actual hostname of the operator's Windows Server 2012 R2 machine. The product version string (6.3.9600) confirms the exact build. The certificate was issued on March 8, 2026 at 00:59:08 UTC -- two days before the sample appeared on MalwareBazaar, and one day before it was compiled. The timeline is clear:

Date	Event
2026-03-08 00:59 UTC	TEDDY2012 RDP certificate issued (VPS provisioned)
2026-03-09 13:21 UTC	Shellcod.exe compiled
2026-03-10 09:40 UTC	Sample uploaded to MalwareBazaar

The operator stood up a fresh Vultr VPS in Singapore, configured their C2 listener on ports 6666/8888/80, and left RDP exposed to the internet on the default port. The hostname "TEDDY2012" leaked through both the certificate Subject CN and the NTLM Target Name -- two independent channels confirming the same operator identifier. Whether "TEDDY2012" is a personal handle, a machine naming convention, or an artifact of a shared builder image, it is now a trackable pivot point.

Running Windows Server 2012 R2 on an internet-facing C2 server in 2026 is a choice. Microsoft ended extended support for this OS in October 2023. It is vulnerable to a substantial catalog of unpatched exploits. For a threat actor whose entire operation depends on maintaining persistent infrastructure, using an EOL operating system on the same box that runs their C2 listener is a significant operational risk -- and a significant opportunity for defenders or law enforcement.

What Was Found vs. What Was Known

Aspect	Prior Reporting	Our Findings
C2 for this sample	207.148.123.69:6666 (abuse.ch)	Confirmed live + ports 8888, 80. RDP exposed with TEDDY2012 hostname
Encryption	Not documented for this sample	XOR 0x44 single-byte key on .data section, frequency analysis confirms
Campaign ID	Not documented	"codemark" campaign marker with shellcode validation check
Chinese artifacts	ValleyRAT attributed to Silver Fox	Chinese characters for "default" in UTF-16LE config flags
Infrastructure scale	3 IOCs for this IP	22 C2 IPs + 5 domains mapped across March 2026 campaign wave
OPSEC failures	None documented	TEDDY2012 hostname, RDP exposed, Win Server 2012 R2, "TODO" in resources
Active modules	Unknown	Keylogger (lk) + Host Survey (hs) enabled; 5 other modules disabled
Hosting patterns	Unknown	Gname.com registrar, Alibaba/Tencent/Vultr/SpeedVM hosting, shared DNS

The Broader Campaign: 22 C2 Servers in 5 Days

Pivoting from the initial sample's C2 IP through ThreatFox's ValleyRAT tag reveals the scale of the March 2026 offensive. Between March 6 and March 10, 22 unique C2 IPs were reported, hosted across seven different providers and spanning three continents. This is not a single operator with a single server -- it is a campaign with deliberate infrastructure diversity.

IP	Provider	Ports	First Seen	Notes
207.148.123[.]69	Vultr (SG)	6666, 8888, 80	2026-03-10	This sample. RDP exposed (TEDDY2012).
154.211.5[.]176	Fastmos/CloudInnovation (HK)	6666, 8888	2026-03-10	AS329611
108.187.7[.]20	SpeedVM (US)	996, 997	2026-03-10	Non-standard ports
206.238.115[.]154	Unknown	6666	2026-03-10	Standard ValleyRAT port
119.28.70[.]225	Tencent Cloud (HK)	80, 983, 5860	2026-03-09	Windows (RDP/SMB visible)
161.248.87[.]157	APNIC	4499	2026-03-09	Hosts wang1wangxiao[.]com
161.248.87[.]175	APNIC	7777	2026-03-09	Adjacent IP to .157
8.219.93[.]253	Alibaba Cloud	5201	2026-03-09	Cloud instance
38.76.193[.]60	Cogent (US)	80, 5554	2026-03-09	RDP exposed, EOL OS
8.217.149[.]107	Alibaba Cloud	8888	2026-03-09	Windows (SMB visible)
108.187.4[.]192	SpeedVM (US)	448	2026-03-09	Non-standard port
154.86.19[.]38	Unknown	9001	2026-03-09	Tor-like port
47.86.111[.]52	Alibaba Cloud	9090	2026-03-08	Hosts msthiyun + wentianskw168 domains
43.98.243[.]193	Unknown	8888	2026-03-08	Standard port
108.187.7[.]232	SpeedVM (US)	6666, 8888	2026-03-07	Standard ports
20.255.52[.]78	Microsoft Azure	80, 443	2026-03-07	HTTPS C2 -- legitimate cloud for evasion
198.44.251[.]110	Unknown	80, 6666, 8888	2026-03-07	Full port set
47.236.232[.]206	Alibaba Cloud	6003	2026-03-07	Non-standard port
192.163.168[.]59	Unknown	447	2026-03-06	Non-standard port
108.187.40[.]191	SpeedVM (US)	447	2026-03-06	Matches .59 port pattern
103.215.77[.]16	Unknown	4499	2026-03-06	Matches .157 port pattern
137.220.154[.]94	Unknown	54411	2026-03-06	High port

The hosting distribution tells a story about operational strategy:

Alibaba Cloud: 4 IPs -- the default choice for Chinese operators, easy provisioning with local payment methods
SpeedVM Network Group: 3 IPs -- a US-based budget VPS provider that does not ask many questions
Vultr: 1 IP (this sample) -- Singapore region, cryptocurrency payment accepted
Tencent Cloud: 1 IP -- another Chinese cloud platform
Fastmos/CloudInnovation: 1 IP -- Hong Kong, close to mainland
Microsoft Azure: 1 IP -- the most interesting choice, using a legitimate enterprise cloud provider to blend in with normal traffic
Cogent Communications: 1 IP -- US backbone infrastructure

The Azure node at 20.255.52[.]78 deserves special attention. Running a C2 server on Microsoft's cloud infrastructure means that outbound connections from a compromised host will resolve to Microsoft-owned IP space -- exactly the kind of traffic that corporate firewalls and threat feeds are least likely to block. This is the one node in the cluster that suggests operational sophistication rather than convenience.

Two additional C2 servers (38.76.193[.]60 and 119.28.70[.]225) also expose RDP to the internet, matching the TEDDY2012 pattern. Whether they share the same hostname or operator remains to be confirmed, but the behavior pattern -- standing up a Windows VPS, running the C2 listener, and leaving RDP open for remote management -- appears to be standard operating procedure for this campaign.

Domain Infrastructure and the Gname.com Pattern

Five domains are associated with the campaign, and four of them share the same registrar:

Domain	Registrar	Created	Resolves To	Purpose
msthiyun[.]com	Gname.com	2025-09-15	47.86.111[.]52	C2 domain
wentianskw168[.]com	Gname.com	2026-01-08	47.86.111[.]52	C2 domain
dajinylf1[.]top	Gname.com	2026-02-26	--	C2 domain
dajinylf3[.]top	Gname.com	2026-02-26	--	C2 domain
2akks6668[.]com	Cloudflare	2026-03-05	--	C2 domain

Gname.com is a Singapore-based domain registrar that is overwhelmingly popular with Chinese registrants. All four Gname domains use share-dns.net and share-dns.com nameservers -- Gname's shared DNS infrastructure. This is a registrar-level fingerprint: if you see a suspicious domain on Gname shared DNS that was registered in the last 90 days, you should be looking at it harder.

The sixth domain, wang1wangxiao[.]com, was registered through Key-Systems (a European registrar) on June 22, 2025, making it the oldest infrastructure in this cluster. It resolves to 161.248.87[.]157 and uses the same Gname shared DNS, suggesting a registrar migration or a secondary registration channel.

The domain naming patterns are instructive:

msthiyun -- a phonetic approximation that evokes "Microsoft Yun" (cloud), possibly intended to look legitimate in Chinese-language contexts
wentianskw168 -- Chinese transliteration; "168" is an auspicious number in Chinese culture (sounds like "prosper forever")
dajinylf -- Chinese phonetic; "dajin" means "gold" or "great advance"
2akks6668 -- the "6668" follows the same auspicious numbering pattern

These are not randomly generated domain names. They are culturally meaningful strings chosen by a Chinese-speaking operator.

Certificate Analysis

The certificate issuance pattern across the infrastructure is notable for its dual-issuer approach:

Domain/Host	Issuer	Issued	Notes
TEDDY2012 (RDP)	Self-signed	2026-03-08	Operator machine identity
dajinylf1[.]top	Let's Encrypt E8	2026-03-04	Automated cert
dajinylf1[.]top	Sectigo	2026-03-04	Dual-issued cert (same day)
2akks6668[.]com	Let's Encrypt E8	2026-03-05	Automated cert
2akks6668[.]com	Sectigo	2026-03-05	Dual-issued cert (same day)
wang1wangxiao[.]com	Let's Encrypt R12	2026-02-05	Longer-standing infrastructure

Two domains -- dajinylf1[.]top and 2akks6668[.]com -- each received both a Let's Encrypt and a Sectigo certificate on the same day. This dual-issuance pattern is unusual for legitimate domains and suggests either automated tooling that requests from multiple CAs for redundancy, or a hosting panel (like CyberPanel or aaPanel, both popular with Chinese operators) that issues certificates through multiple providers by default.

YARA Matches and Family Lineage

MalwareBazaar's YARA engine returned 13 rule matches that tell the story of ValleyRAT's family tree and technical capabilities:

Rule	Author	What It Confirms
WinosStager	YungBinary	Winos4.0 framework lineage
win_winos_auto	Felix Bilstein	Automated Winos detection
Windows_Trojan_Winos_464b8a2e	Elastic Security	Elastic's Winos signature
GenericGh0st	Still	Gh0st RAT code heritage
Gh0stKCP	Netresec	KCP (ARQ) reliable UDP protocol
malware_shellcode_hash	JPCERT/CC	API hashing technique
meth_peb_parsing	Willi Ballenthin	PEB walking technique
ICMLuaUtil_UACMe_M41	Marius Genheimer	UAC bypass via COM
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	ditekSHen	CMSTP UAC bypass
DebuggerCheck__API	naxonez	Anti-debugging (IsDebuggerPresent)
cobalt_strike_tmp01925d3f	The DFIR Report	Shellcode pattern overlap
MD5_Constants	phoul	MD5 hashing in binary

The lineage matters. ValleyRAT is not a from-scratch RAT -- it is the latest evolution of a Chinese malware development lineage that runs through Gh0st RAT (open-sourced in 2008) to Winos4.0 (the modern framework). The Gh0stKCP match is particularly interesting because it indicates the use of KCP, an ARQ (Automatic Repeat reQuest) protocol that provides reliable, ordered delivery over UDP. This is more sophisticated than raw TCP for C2 communication -- it handles packet loss and reordering at the application layer, making it more resilient on unreliable network paths and harder to detect than standard TCP sessions.

The Cobalt Strike overlap (cobalt_strike_tmp01925d3f) is a false positive -- the shellcode techniques (PEB walking, API hashing, position-independent code) are shared between Cobalt Strike and ValleyRAT because they both draw from the same well-documented tradecraft. ReversingLabs' detection as Win32.Trojan.CobaltStrike reflects the same signature overlap.

The DebuggerCheck__API match confirms that IsDebuggerPresent is called before execution proceeds. This explains why ANY.RUN reported "No threats detected" -- the sample detected the sandbox environment and refused to execute its payload. Triage, by contrast, scored it 10/10 and successfully extracted the C2 configuration, indicating that Triage's instrumentation either patches the IsDebuggerPresent check or operates at a level the malware does not detect.

Attribution: Silver Fox with High Confidence

The attribution chain for this sample is unusually clean:

ValleyRAT/Winos4.0 framework -- exclusively Chinese-origin malware, not available as a MaaS offering to non-Chinese operators
Chinese UTF-16LE strings in the configuration block, meaning "default" in Simplified Chinese
Gname.com registrar (Singapore) -- overwhelmingly used by Chinese registrants
Alibaba Cloud and Tencent Cloud hosting -- Chinese cloud providers requiring Chinese identity verification
Hong Kong and Singapore infrastructure staging -- typical Chinese APT jump points
Culturally meaningful domain naming -- Chinese transliterations and auspicious numbering patterns
Shared DNS infrastructure (share-dns.net/com) -- Gname's nameservers

ValleyRAT has been consistently attributed to the Silver Fox threat actor cluster by multiple vendors including Triage, Malpedia, and eSentire. Silver Fox operates at the boundary between APT and cybercrime -- they use sophisticated tooling (Winos4.0 framework, custom shellcode, UAC bypass chains) but target victims opportunistically rather than strategically. Their primary targets are Chinese-speaking users, particularly in fintech, gaming, and e-commerce verticals.

The Operator Timeline

Mapping the infrastructure setup against sample compilation and submission reveals a clear operational cadence:

Date	Event
2025-06-22	wang1wangxiao[.]com registered -- earliest infrastructure in this cluster
2025-09-15	msthiyun[.]com registered via Gname.com
2026-01-08	wentianskw168[.]com registered via Gname.com
2026-02-26	dajinylf1[.]top and dajinylf3[.]top registered same day via Gname.com
2026-03-04	dajinylf1[.]top receives dual LE + Sectigo certificates
2026-03-05	2akks6668[.]com registered via Cloudflare (registrar diversification)
2026-03-06	First March 2026 wave C2 IPs appear on ThreatFox
2026-03-07	Campaign escalation -- 8 new C2 IPs reported in 24 hours
2026-03-08 00:59 UTC	TEDDY2012 RDP certificate issued -- this VPS provisioned
2026-03-09 13:21 UTC	Shellcod.exe compiled
2026-03-10 09:40 UTC	Sample uploaded to MalwareBazaar

The acceleration from March 6 onward is notable. Eight new C2 IPs in a single day (March 7) suggests either a planned infrastructure expansion or a reaction to takedown activity on earlier nodes. The operator registered 2akks6668[.]com through Cloudflare instead of Gname on March 5 -- possibly because they became aware that the Gname pattern was being tracked, or simply because Cloudflare's onboarding is faster.

MITRE ATT&CK Coverage

Tactic	Technique	ID	Implementation
Execution	Command and Scripting Interpreter	T1059	In-memory shellcode execution
Persistence	Boot or Logon Autostart	T1547	Loader capability present (disabled in this build)
Privilege Escalation	Bypass UAC	T1548.002	ICMLuaUtil COM + CMSTP COM interfaces
Defense Evasion	Obfuscated Files	T1027	XOR 0x44 encryption on config and shellcode
Defense Evasion	Deobfuscate/Decode	T1140	Runtime XOR decryption of .data section
Defense Evasion	Dynamic Resolution	T1106	API hashing for ntdll, Ws2_32, kernel32, advapi32, user32
Defense Evasion	Debugger Evasion	T1622	IsDebuggerPresent check
Defense Evasion	Virtualization/Sandbox Evasion	T1497	Sandbox detection (ANY.RUN evasion confirmed)
Discovery	System Information Discovery	T1082	Host survey capability (hs flag)
Discovery	Process Discovery	T1057	Process enumeration behavior
Discovery	Peripheral Device Discovery	T1120	Drive enumeration
Collection	Input Capture: Keylogging	T1056.001	SetWindowsHookEx-based keylogger (lk flag)
Collection	Screen Capture	T1113	Screenshot capability (hs flag)
Command and Control	Non-Standard Port	T1571	Port 6666 primary C2
Command and Control	Multi-Channel	T1104	Three channels: 6666, 8888, 80
Command and Control	Application Layer Protocol	T1071	HTTP fallback on port 80

IOC Table

File Indicators

Type	Value
SHA256	`490a5bf534bc615c35443551adf8e23208a2b89b694cbeaa678f5206117b053c`
MD5	`31ab710b59f896d44fd2ed8ce7faaf3c`
SHA1	`7914a2de3e4ce421dca51154d5cad9c4221b21f7`
Imphash	`bf5235ce41f501cf894253dbc248cbbf`
SSDEEP	`1536:sgExk7BzUpD+/d8VqQXt/MH6CX+bnWNTTKDdX71NL4HQAvN6pm3ZoHnSsWcg2cdI:xL428VqoFMHz+KNTTKDRrLAQAvNl3Zo3`
Campaign Marker	`codemark`
Original Filename	`Shellcod.exe`

Network Indicators (This Sample)

Type	Value	Context
C2	`207.148.123[.]69:6666`	Primary C2 (LIVE at time of analysis)
C2	`207.148.123[.]69:8888`	Secondary C2
C2	`207.148.123[.]69:80`	HTTP fallback
RDP	`207.148.123[.]69:3389`	Operator access (CN=TEDDY2012)
ASN	AS20473	Vultr/Choopa LLC, Singapore

Network Indicators (Campaign-Wide)

154.211.5[.]176:6666        108.187.7[.]20:996          206.238.115[.]154:6666
154.211.5[.]176:8888        108.187.7[.]20:997          119.28.70[.]225:80
119.28.70[.]225:983          119.28.70[.]225:5860        161.248.87[.]157:4499
161.248.87[.]175:7777        8.219.93[.]253:5201         38.76.193[.]60:80
38.76.193[.]60:5554          8.217.149[.]107:8888        108.187.4[.]192:448
154.86.19[.]38:9001          47.86.111[.]52:9090         43.98.243[.]193:8888
108.187.7[.]232:6666         108.187.7[.]232:8888        20.255.52[.]78:80
20.255.52[.]78:443           198.44.251[.]110:80         198.44.251[.]110:6666
198.44.251[.]110:8888        47.236.232[.]206:6003       192.163.168[.]59:447
108.187.40[.]191:447         103.215.77[.]16:4499        137.220.154[.]94:54411

Domain Indicators

Domain	Registrar	Created	Notes
msthiyun[.]com	Gname.com	2025-09-15	Resolves to 47.86.111[.]52
wentianskw168[.]com	Gname.com	2026-01-08	Resolves to 47.86.111[.]52
dajinylf1[.]top	Gname.com	2026-02-26	Dual LE + Sectigo certs
dajinylf3[.]top	Gname.com	2026-02-26	Registered same day as dajinylf1
2akks6668[.]com	Cloudflare	2026-03-05	Registrar diversification
wang1wangxiao[.]com	Key-Systems	2025-06-22	Oldest infrastructure in cluster

Behavioral Indicators

Indicator	Value
XOR Key	`0x44`
RDP Hostname	`TEDDY2012`
OS Version	Windows Server 2012 R2 (6.3.9600)
Campaign Marker	`codemark`
PE Original Filename	`Shellcod.exe`

YARA Detection Rules

Rule 1: ValleyRAT S2 Shellcode Loader -- Codemark Campaign

This rule targets the specific "codemark" campaign variant by matching the XOR-encoded campaign marker, configuration flags, shellcode prologue, and API hashes. It will detect both the encoded and plaintext forms of the campaign identifier.

rule ValleyRAT_S2_ShellcodeLoader_Codemark {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-10"
        description = "Detects ValleyRAT Stage 2 shellcode loader with codemark campaign ID"
        family = "ValleyRAT"
        malware_type = "RAT"
        mitre_attack = "T1059.001, T1027, T1055"
        hash = "490a5bf534bc615c35443551adf8e23208a2b89b694cbeaa678f5206117b053c"
        tlp = "WHITE"

    strings:
        // "codemark" XOR 0x44
        $codemark_xor = { 27 2B 20 25 29 23 36 2F }
        $codemark_plain = "codemark" ascii

        // "ntdll" XOR 0x44
        $ntdll_xor = { 2A 30 20 28 }

        // "Ws2_" XOR 0x44
        $ws2_xor = { 13 37 76 1B }

        // Pipe-delimited UTF-16LE config flags: |0:db|
        $config_flags = { 7C 00 30 00 3A 00 64 00 62 00 7C }

        // |1:lk| (keylogger enabled)
        $flag_lk = { 7C 00 31 00 3A 00 6C 00 6B 00 7C }

        // |1:hs| (host survey enabled)
        $flag_hs = { 7C 00 31 00 3A 00 68 00 73 00 7C }

        // Chinese "default" characters
        $chinese_default = { A4 8B D8 9E }

        // Shellcode prologue XOR 0x44
        $shellcode_prologue_xor = { 11 CF A8 C7 A0 BC C5 A8 }

        // API hash push patterns
        $api_hash_1 = { 68 54 B8 B9 1A E8 }
        $api_hash_2 = { 68 78 1F 20 7F }

        // PE metadata
        $shellcod = "Shellcod.exe" wide
        $copyright = "Copyright (C) 202" wide

    condition:
        uint16(0) == 0x5A4D and
        filesize < 200KB and
        (
            ($codemark_xor or $codemark_plain) or
            (2 of ($config_flags, $flag_lk, $flag_hs)) or
            ($shellcode_prologue_xor and ($ntdll_xor or $ws2_xor)) or
            ($shellcod and $copyright and any of ($api_hash_*)) or
            $chinese_default
        )
}

Rule 2: ValleyRAT XOR 0x44 Configuration Block

A broader detection for ValleyRAT binaries using XOR 0x44 encryption on their configuration, regardless of campaign marker. Matches on the XOR-encoded port values for 6666 and 8888 combined with the encoded campaign marker structure.

rule ValleyRAT_S2_Config_XOR44 {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-10"
        description = "Detects ValleyRAT XOR 0x44 encrypted configuration block"
        family = "ValleyRAT"

    strings:
        // Port 6666 XOR 0x44
        $port_6666_xor = { 4E 5E 44 44 }
        // Port 8888 XOR 0x44
        $port_8888_xor = { FC 66 44 44 }
        // Campaign marker structure (XOR 0x44)
        $marker = { 27 2B 20 25 29 23 36 2F }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 500KB and
        $marker and
        any of ($port_*)
}

Rule 3: ValleyRAT Campaign C2 IP Detection

Network-level detection for known ValleyRAT C2 addresses, matching both plaintext and XOR-encoded IP strings within PE binaries.

rule ValleyRAT_C2_IP_Pattern {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-10"
        description = "Detects known ValleyRAT C2 IP addresses in PE binaries"
        family = "ValleyRAT"

    strings:
        // 207.148.123.69 XOR 0x44
        $c2_207_xor = { 76 74 73 6E 75 74 72 6E 75 76 73 6E 76 2D }
        $c2_207_plain = "207.148.123.69" ascii
        $c2_154 = "154.211.5.176" ascii
        $c2_108a = "108.187.7.20" ascii
        $c2_206 = "206.238.115.154" ascii
        $c2_119 = "119.28.70.225" ascii
        $c2_198 = "198.44.251.110" ascii
        $c2_38 = "38.76.193.60" ascii

    condition:
        any of them
}

Sandbox Reports

MalwareBazaar
Triage -- Score 10/10, C2 config extracted
CAPE Sandbox
ANY.RUN -- No threats detected (sandbox evasion)
UnpacMe

References

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."