Botnet (high)
Investigated: March 5, 2026
Published: March 5, 2026

ValleyRAT Goes West: SilverFox APT Pivots C2 Infrastructure to US-Based VPS Providers

Threat Actors: AMOS
#botnet #amos #c2 #apt

TL;DR

A new ValleyRAT Stage 2 sample (SHA256: ac88b82e...) reveals SilverFox APT shifting C2 infrastructure from its traditional Tencent Cloud stronghold to Western VPS providers, specifically ANTBOX Networks (a Hong Kong shell entity) reselling through SpeedVM/LeaseKVM (US). The confirmed C2 at 108.187.4.252 uses the atypical ports 447/448 instead of the well-documented 6666/8888, and operates as a bare-IP C2 with no DNS trail. Static analysis yielded a false C2 candidate (1.78.4.252) because of the sample's obf::case_instruction compile-time control-flow flattening; only sandbox detonation revealed the true callback address.


Sample Overview

Field        Value
SHA256       ac88b82ebc65a8285c993396560c30fbb9d16c260e026e25eb036e028764e013
MD5          0749f54e08134cd9116bc19a070df0e7
SHA1         8a49fd4239714e6ac6e78815db8ff7baee84f78b
Size         18,824,040 bytes (18.0 MB)
Type         PE32+ (x64), MinGW/GCC cross-compiled from C:/crossdev/
Family       ValleyRAT Stage 2 (ValleyRAT_S2)
Signature    GlobalSign GCC R45 EV Code Signing CA 2020
Obfuscation  obf::case_instruction control-flow flattening
Decoy        16.9 MB PPTX: "30-Day Counter-Clockwise Europe Travel Guide" (WPS Presentation, locale 2052 = Simplified Chinese)

The binary is EV code-signed and ships a full PowerPoint decoy document to maintain user trust during infection. The PPTX metadata confirms Chinese-language authoring via WPS Office, consistent with SilverFox targeting Chinese-speaking victims.


Static Analysis vs. Dynamic Reality

This sample demonstrates why sandbox detonation remains essential for obfuscated malware. The obf::case_instruction framework applies compile-time control-flow flattening that defeated static config extraction.

What Static Analysis Found (Incorrect)

Config markers were identified at two offsets within the binary:

Offset 0x42c14e  ->  "N|I:" marker (within high-entropy XOR-encrypted block)
Offset 0xcf61b4  ->  "G|i:" marker (within high-entropy XOR-encrypted block)

These match the known ValleyRAT |key:value| config format (e.g., |i:<IP>|p:<port>|t:<protocol>|). Applying the known XOR keys (0x36 per Zscaler, 0x27 per Splunk) yielded a candidate IP of 1.78.4.252 on port 801. However, this sample uses XOR key 0xdc: the standard keys produced garbage, and the candidate IP was a decoding artifact.
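As an added illustration (not code from the original post or from any of the vendors it cites), the script below implements the static-extraction step just described in a way that resists exactly this kind of artifact: it searches for the |i: marker under every single-byte XOR key, but only reports a hit when a complete |i:<IP>|p:<port>|t:<protocol>| record decodes behind the marker and the values are plausible. The sample blob is constructed: it carries one record encrypted with 0xdc plus an IP-looking fragment encrypted with 0x36 that has no |p:/|t: fields, which is the shape of partial decode that produced the 1.78.4.252 candidate. The byte-reversed pass is an assumption about what "reverse storage" (mentioned later in this post) means; drop it if the layout differs.

```python
"""Single-byte-XOR scan for the ValleyRAT-style |key:value| config layout.

Added example, not a vendor extractor. Only structured records are reported;
a bare marker hit (which any wrong key can produce) is never treated as a C2.
"""
import ipaddress
import re

# Record layout as described in the write-up: |i:<IP>|p:<port>|t:<protocol>|
FIELD_RE = re.compile(rb"\|i:([0-9.]{7,15})\|p:(\d{1,5})\|t:([a-z]{3})\|")
MARKER = b"|i:"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme the write-up describes)."""
    return bytes(b ^ key for b in data)


def marker_offsets(blob: bytes, key: int) -> list[int]:
    """Offsets where the marker would appear if `key` were the right key.
    Searching for the *encrypted* marker avoids decrypting the whole binary per key."""
    enc = xor_bytes(MARKER, key)
    offsets, start = [], 0
    while (pos := blob.find(enc, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def plausible(ip: str, port: int, proto: str) -> bool:
    """Reject values that cannot be a reachable C2 endpoint (heuristic; loosen for lab builds)."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return (not addr.is_private and not addr.is_loopback and not addr.is_unspecified
            and 1 <= port <= 65535 and proto in {"tcp", "udp"})


def scan_for_config(blob: bytes, keys=range(256), window: int = 96, try_reversed: bool = True):
    """Return structured config hits as dicts.

    A marker that is not followed by a full |i:|p:|t:| record is ignored: that is
    the decoding artifact that yields false candidates under the wrong key.
    """
    keys = list(keys)
    views = [("forward", blob)]
    if try_reversed:  # assumption: "reverse storage" = config string stored back to front
        views.append(("reversed", blob[::-1]))
    hits = []
    for name, data in views:
        for key in keys:
            for pos in marker_offsets(data, key):
                m = FIELD_RE.match(xor_bytes(data[pos:pos + window], key))
                if not m:
                    continue
                ip, port, proto = m.group(1).decode(), int(m.group(2)), m.group(3).decode()
                if plausible(ip, port, proto):
                    hits.append({"view": name, "key": key, "offset": pos,
                                 "ip": ip, "port": port, "proto": proto})
    return hits


# --- constructed sample data (not bytes from the real binary) -----------------
FILLER = bytes(range(256)) * 2                     # padding containing every byte value
REAL_CONFIG = b"|i:108.187.4.252|p:448|t:tcp|"     # mirrors the sandbox-confirmed C2
ARTIFACT = b"|i:1.78.4.252"                        # marker + IP-like text, no |p:/|t: fields
SAMPLE_BLOB = (FILLER + xor_bytes(REAL_CONFIG, 0xDC)
               + FILLER + xor_bytes(ARTIFACT, 0x36) + FILLER)

if __name__ == "__main__":
    print("marker hits under 0x36:", marker_offsets(SAMPLE_BLOB, 0x36))
    print("structured hits under 0x36/0x27:", scan_for_config(SAMPLE_BLOB, keys=[0x36, 0x27]))
    print("structured hits, all keys:", scan_for_config(SAMPLE_BLOB))
```

Run against the real file with `scan_for_config(open(path, "rb").read())`; on an 18 MB binary the per-key marker search is fast because only a 96-byte window is ever decrypted. The wrong keys still produce a marker hit at the artifact, which is the point: a marker hit alone is not evidence of a C2 address.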

What Sandbox Execution Confirmed

Neither 108.187.4.252 nor 1.78.4.252 appears as plaintext or as a raw 4-byte network-order IP anywhere in the binary. The obf:: framework fully encrypts the config at compile time.

Hatching Triage detonation (Windows 10 and Windows 11) scored 10/10 malicious with 12 behavioral signatures triggered per run:

C2 Channel Architecture:
  108.187.4.252:447/tcp  ->  Registration/probe port (0 bytes received)
  108.187.4.252:448/tcp  ->  Primary data channel
                             Run 1: ~316 KB received, ~5.6 KB sent
                             Run 2: ~755 KB received (extended session)

The dual-port architecture (447 for handshake/registration, 448 for command-and-control) is a departure from the typical ValleyRAT single-port configurations documented in prior research.

The Debunked Candidate: 1.78.4.252

Check            Result
RDAP             NTT DOCOMO (Japanese mobile carrier), AS9605
Shodan           404: no open ports, no services
OTX              0 pulses, 0 reputation, 0 malware associations
pDNS             No records
Port 801 probe   TCP connection refused

A Japanese mobile carrier IP with zero threat intel footprint. This is not C2 infrastructure; it was a static analysis red herring caused by applying incorrect XOR decryption parameters.


Confirmed C2 Infrastructure: 108.187.4.252

Hosting Chain

108.187.4.252
  └── ANTBOX NETWORKS LIMITED (Hong Kong shell entity)
        RM C, 7/F, World Trust Tower, 50 Stanley Street, Central, HK
        abuse@antboxnetwork.com
        └── SpeedVM Network Group LLC / LeaseKVM (parent)
              5716 Corsa Ave., Suite 110, Westlake Village, CA 91362, US
              abuse@leasekvm.com
              NOC: leasekvm@outlook.com, +1-520-432-0686
              └── AS395954 (LeaseWeb USA, Inc.)
                    NET-108-187-0-0-2 (/21, 2,048 IPs)
                    Allocated: 2025-05-26

Key observations:

  • Zero prior reputation: no OTX pulses, no Shodan data, no passive DNS records. This IP was provisioned specifically for this campaign.
  • No domain resolution: pure IP-based C2 eliminates DNS-layer detection opportunities.
  • HK/US layering: a Hong Kong shell company reselling from a US-based low-cost VPS provider. SpeedVM/LeaseKVM is a known budget hosting provider popular with threat actors.
  • The /21 block was allocated 2025-05-26, giving the operators ~9 months of clean reputation before first observed use (2026-03-04).

Infrastructure Pivot: Tencent Cloud to Western VPS

Historical ValleyRAT C2 infrastructure has been overwhelmingly concentrated on Tencent Cloud:

HISTORICAL C2 (Tencent Cloud):
  119.28.41.143     119.28.32.143
  124.156.134.223   43.132.212.111
  101.33.117.200    43.129.233.99
  43.129.233.146    43.132.235.4

This sample's pivot to ANTBOX/SpeedVM represents one of three scenarios:

  1. Infrastructure diversification: SilverFox is deliberately moving away from Chinese cloud providers to evade geolocation-based blocking
  2. Builder proliferation: the ValleyRAT builder has been publicly available since March 2025 (per Check Point); a different operator may be using it independently
  3. Campaign-specific rotation: temporary infrastructure for a targeted operation before returning to established providers

The shift from Tencent Cloud to a US-leased /21 block with a Hong Kong shell registrant is operationally significant: it bypasses network policies that block Chinese ASNs while maintaining the anonymity layer through offshore corporate structures.


Behavioral Analysis

MITRE ATT&CK Mapping

Technique                      ID          Observed Behavior
Peripheral Device Discovery    T1120       Drive enumeration (B: through Z:)
Query Registry                 T1012       Processor info, BIOS info (3 queries)
System Information Discovery   T1082       System fingerprinting (3 queries)
Process Injection              T1055       WriteProcessMemory into explorer.exe
Input Capture: Keylogging      T1056.001   SetWindowsHookEx (keyboard/message hooks)
Clipboard Data                 T1115       AddClipboardFormatListener

Injection Chain

The sample performs a two-stage injection:

  1. POWERPNT.EXE: code injected into the PowerPoint process spawned by the PPTX decoy, providing legitimate process cover
  2. explorer.exe: WriteProcessMemory injection into the Windows shell for persistent C2 communication

Connectivity checks observed during execution:

https://cdn.soft.360.cn/static/json/index/index_jisu_1.0.json   -> Qihoo 360 AV check
https://www.baidu.com/s?ie=utf-8                                 -> Internet connectivity

Both URLs are legitimate Chinese services: the 360 check likely determines whether Qihoo 360 antivirus is present (and should be evaded), while the Baidu query confirms outbound connectivity before attempting the C2 callback.


Port Selection Analysis

Ports 447/448 are atypical for ValleyRAT. Documented C2 ports across the variant landscape:

Port      Source               Notes
5689      Fortinet, Splunk     Most commonly observed
6666      Zscaler ThreatLabz   -
8888      Zscaler ThreatLabz   -
8917      Forescout            Alibaba Cloud campaign
18852     ReliaQuest           CTG Server campaign
447/448   This sample          Dual-port, registration + data

The ValleyRAT builder supports arbitrary port configuration via the |p:<port>| config parameter. Ports 447/448 sit adjacent to HTTPS (443), possibly chosen to blend with TLS traffic in network logs, or to pass through firewalls that allow the 443-449 range.


Related SilverFox Infrastructure

Domain: usd56789.com

usd56789.com  ->  154.86.19.38
  Registrar:    Hello Internet Corp (offshore privacy registrar)
  Registered:   2026-02-10
  NS:           ns1.hndnsv2.com, ns2.hndnsv2.com
  ASN:          AS399955 (CloudData Networks / Cloud Innovation Support)
  Location:     Seychelles entity, Hong Kong infrastructure
  OTX:          50 pulses, classified as Botnet C2
  Shodan:       Ports 80, 873 (rsync) open

Adjacent /24 block 154.86.18.0/24 hosts known ValleyRAT C2 154.86.18.75 (16 OTX pulses, APT/Cobalt tags, Windows RDP server with self-signed cert). The Cloud Innovation / AS399955 infrastructure is a confirmed SilverFox hosting preference.

Registrar overlap: Hello Internet Corp is the same registrar used by AMOS Stealer domains (systellis.com, wusetail.com). This is likely coincidental, since Hello Internet Corp is a popular offshore privacy registrar used by many unrelated threat actors, but it warrants monitoring.

Domain: cn-teams.com

cn-teams.com  ->  204.0.57.217
  Registrar:    NameSilo, LLC
  Registered:   2025-05-06
  NS:           Cloudflare
  ASN:          AS2914 (NTT America)
  Shodan:       Ports 80, 443, 8888 (NGINX)

Fake Microsoft Teams distribution domain targeting Chinese-speaking users. ReliaQuest documented the mirror variant teamscn.com in the same SilverFox campaign distributing trojanized Teams installers.


SilverFox Infrastructure Patterns

Analysis across all known C2 infrastructure reveals consistent operational preferences:

Hosting Providers:

  • Cloud Innovation / CloudData Networks (AS399955): Seychelles/HK, 154.86.x.x / 154.23.x.x
  • CTG Server LTD: 134.122.x.x
  • Alibaba Cloud: 8.217.x.x, aliyuncs.com
  • Tencent Cloud: 119.28.x.x, 43.129.x.x, 101.33.x.x
  • Power Line Datacenter HK (AS132839): 103.75.x.x
  • [NEW] ANTBOX/SpeedVM (AS395954): 108.187.x.x

Domain Registration: Hello Internet Corp, NameSilo

Operational Signatures:

  • obf::case_instruction compile-time CFG flattening
  • XOR-encrypted C2 configs (keys: 0x36, 0x27, 0xdc)
  • codemark config marker, |key:value| format with reverse storage
  • Dual redundant C2 (primary + fallback via p1/o1 and p2/o2 params)
  • Registry persistence: HKCU\Software\Console\IpDateInfo
  • BYOVD for endpoint evasion
  • BaoTa/aaPanel on infrastructure (port 888)

Detection

YARA

rule family_valleyrat_stage_2_v2: matched across multiple memory dumps in the Triage sandbox

Splunk Detection

Splunk detection rule ac59298a-8d81-4c02-8c9b-ffdac993891f covers ValleyRAT behavioral indicators.

Network Signatures

# Outbound to atypical port pair (registration + C2 data)
alert tcp $HOME_NET any -> $EXTERNAL_NET 447 (msg:"Possible ValleyRAT C2 Registration"; flow:to_server,established; sid:10000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 448 (msg:"Possible ValleyRAT C2 Data Channel"; flow:to_server,established; sid:10000002;)

# Connectivity checks (pre-C2)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ValleyRAT 360 AV Check"; content:"cdn.soft.360.cn"; http_host; content:"/static/json/index/"; http_uri; sid:10000003;)
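The Suricata rules above fire on each port independently, so any connection to 447 or 448 on the Internet raises an alert. The following script (an added example, not code from the original post or from breakglass.intelligence) correlates flow records instead: it raises one alert when the same source reaches the same destination on the registration port with nothing received and, within a short window, on the data port with a real exchange, which is the dual-port pattern observed in the sandbox runs. The record layout is a Zeek conn.log-like CSV and every line is constructed; the port pair, window and byte threshold are parameters so the same logic covers other ValleyRAT port configurations.

```python
"""Correlate flow records for the registration-then-data port pattern.

Added example. Records are constructed; the layout is only conn.log-like.
"""
import csv
import io
from collections import defaultdict

# Constructed flow records (epoch seconds, source, destination, dest port,
# bytes sent by the source, bytes received by the source). Not real telemetry.
SAMPLE_LOG = """ts,src,dst,dport,orig_bytes,resp_bytes
1772582400.10,10.0.0.15,108.187.4.252,447,72,0
1772582401.45,10.0.0.15,108.187.4.252,448,5734,323584
1772582500.00,10.0.0.22,203.0.113.9,447,60,0
1772583000.00,10.0.0.22,203.0.113.9,448,120,900
1772582550.00,10.0.0.31,198.51.100.7,448,500,4000
1772582560.00,10.0.0.40,192.0.2.55,447,40,0
1772582570.00,10.0.0.40,192.0.2.55,448,40,0
"""


def parse_conn_log(text: str) -> list[dict]:
    """Parse the CSV layout above into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": float(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "orig_bytes": int(r["orig_bytes"]),
                     "resp_bytes": int(r["resp_bytes"])})
    return rows


def find_dual_port_beacons(rows, reg_port=447, data_port=448,
                           window_s=300.0, min_data_bytes=1):
    """Return one alert per (src, dst) pair that shows a registration flow
    (reg_port, 0 bytes received) followed within window_s by a data flow
    (data_port, at least min_data_bytes received)."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r)

    alerts = []
    for (src, dst), flows in by_pair.items():
        flows.sort(key=lambda f: f["ts"])
        regs = [f for f in flows if f["dport"] == reg_port and f["resp_bytes"] == 0]
        datas = [f for f in flows if f["dport"] == data_port
                 and f["resp_bytes"] >= min_data_bytes]
        for reg in regs:
            match = next((d for d in datas if 0 <= d["ts"] - reg["ts"] <= window_s), None)
            if match:
                alerts.append({"src": src, "dst": dst,
                               "reg_ts": reg["ts"], "data_ts": match["ts"],
                               "data_sent": match["orig_bytes"],
                               "data_received": match["resp_bytes"]})
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_dual_port_beacons(parse_conn_log(SAMPLE_LOG)):
        print(f"{alert['src']} -> {alert['dst']}: reg on 447 at {alert['reg_ts']:.0f}, "
              f"data on 448 {alert['data_received']} B received")
```

In the constructed data only the 108.187.4.252 pair matches at the default 300 s window: the 203.0.113.9 pair has the right ports but the flows are 500 s apart, 198.51.100.7 never saw a registration flow, and the 192.0.2.55 data-port flow carried nothing back. Widening the window to 900 s adds the 203.0.113.9 pair, which is the tuning knob to watch when the registration and data sessions are not back to back.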

Registry Monitoring

# ValleyRAT persistence indicator
HKCU\Software\Console\IpDateInfo

IOCs

File Indicators

Type      Value
SHA256    ac88b82ebc65a8285c993396560c30fbb9d16c260e026e25eb036e028764e013
MD5       0749f54e08134cd9116bc19a070df0e7
SHA1      8a49fd4239714e6ac6e78815db8ff7baee84f78b
YARA      family_valleyrat_stage_2_v2
ClamAV    Win.Malware.Malwarex-10056465-0

Network Indicators: Confirmed C2

Type   Indicator        Context
IPv4   108.187.4.252    Primary C2 (sandbox-confirmed)
Port   447/tcp          C2 registration/handshake
Port   448/tcp          C2 data channel
ASN    AS395954         LeaseWeb USA (ANTBOX/SpeedVM)

Network Indicators: Related SilverFox Infrastructure

Type     Indicator       Context
Domain   usd56789.com    ValleyRAT C2, 50 OTX pulses
IPv4     154.86.19.38    usd56789.com hosting (Cloud Innovation)
IPv4     154.86.18.75    Known ValleyRAT C2, adjacent /24
Domain   cn-teams.com    Fake Teams distribution
IPv4     204.0.57.217    cn-teams.com hosting (NTT America)
IPv4     103.75.13.174   Power Line HK, MalwareBazaar-tagged C2
Domain   hotshang.com    ValleyRAT C2 domain
Domain   teamscn.com     SilverFox fake Teams (ReliaQuest)

Network Indicators: ANY.RUN Tracked C2 IPs

154.86.18.75    103.68.181.217   47.239.240.171   143.92.34.55
111.170.36.160  134.122.155.138  156.239.225.187  111.229.157.84
148.66.11.10    154.92.16.22     192.252.181.62   27.124.21.211
47.242.153.43   47.84.16.249     161.248.87.250   151.242.152.192
108.187.43.3    27.124.38.151    192.252.187.56   47.76.86.151

Network Indicators: Published Research C2 IPs

101.33.117.200  154.82.85.12     154.92.19.81     154.39.255.141
185.74.222.152  134.122.128.131  8.217.60.40      156.247.33.53
45.195.148.107  119.28.41.143    124.156.134.223  43.129.233.146
43.132.212.111  43.129.233.99    119.28.32.143    43.132.235.4
206.119.175.16

Connectivity Check URLs

https://cdn.soft.360.cn/static/json/index/index_jisu_1.0.json
https://www.baidu.com/s?ie=utf-8

ASN Blocklist

ASN        Provider                                Usage
AS399955   CloudData Networks / Cloud Innovation   ValleyRAT C2 hosting
AS395954   LeaseWeb USA (ANTBOX/SpeedVM)           This sample's C2
AS132839   Power Line Datacenter HK                Historical ValleyRAT C2

Published by breakglass.intelligence, 2026-03-08
