Delphos LabsDelphos Labs

Jul 14, 2026

·
Security Research

Threat Intel:

A Chinese-language ValleyRAT stager, zero AV detections, pulling a second-stage payload from AWS S3, classified in 5 minutes, 24 hours before first signature.

Evgeny Pinchuk
EP
Evgeny Pinchuk
Cover ImageCover Image
On July 7, 2026, we analyzed a freshly uploaded Windows executable from MalwareBazaar that sat at zero detections across more than sixty antivirus engines. We started from the Windows executable itself and did not rely on a sandbox detonation, a prior signature, or a threat intel feed. From that binary alone, our automated analysis pipeline identified it as a Chinese RAT stager with an active AWS S3 payload delivery mechanism and a live C2 and update server. This was achieved using only static binary analysis and emulation.
Twenty-four hours later, antivirus vendors began labeling the sample as ValleyRAT. During that window, a signature-based stack would have treated the stager as clean, giving it a full day to run unimpeded.

Why did sixty engines report a known RAT as clean?

ValleyRAT is not new. Proofpoint, Fortinet, and Zscaler have tracked it since 2023, targeting Chinese-speaking finance, gaming, and cryptocurrency users. This build was new: fresh infrastructure, a new payload host, a new hash. A known family recompiled with new plumbing sits at zero detections until a vendor observes it and ships an update.
The detection gap is not a vendor failure. It is how signature-based defense works.
On this sample the gap was twenty-four hours, and every hour a sample sits at zero detections is an hour it works unimpeded.

What did the sample reveal?

The filename is the first tell. 点击此处跳转直螃蟹官网.exe translates roughly to "click here to visit the official Crab website." Here "Crab" refers to a real Chinese gaming website being impersonated, not the literal animal. This social-engineering lure targets Chinese-speaking users of a gaming platform, and it matches a documented delivery pattern in the Chinese-language cybercrime ecosystem.
 
Field
Value
SHA256
8cbf65f9c89d3306f6c3d0025d130579e175497316f321441d0dc04a77329e10
Size
3.2 MB
Type
PE64 Windows executable
First seen
2026-07-07 12:15 UTC
Vendor signatures at analysis
0 of 60+
 
Using only static analysis and emulation, no signatures, our pipeline surfaced networking imports (WinHTTP, sockets), process creation, cryptographic primitives, anti-analysis checks including debugger and VM detection, and a persistence mechanism. String extraction returned network indicators: the AWS S3 payload URL, and briansclub[.]mx, a domain associated with carding forums that serves as the second-stage C2 and update server. The clearest evidence is the behavioral chain: the executable retrieves a ZIP archive from S3, extracts it, and drops a randomized-name second-stage executable (FQDSZYB.exe). Total analysis time was roughly five minutes, fully automated, with no human intervention.
No signature was involved. The verdict came from imports, strings, control flow, and observed behavior.

What should defenders hunt for?

For this sample: block briansclub[.]mx at the DNS or proxy layer, watch for retrieval of the S3-hosted payload, and alert on processes that drop executables with randomized names such as the FQDSZYB pattern. Treat Chinese-language filenames referencing gambling or gaming platforms in executable downloads as a lure indicator worth escalating.

Indicators of compromise

  • SHA256: 8cbf65f9c89d3306f6c3d0025d130579e175497316f321441d0dc04a77329e10
  • Payload URL: hxxps://xjsjkjdsjjd[.]s3[.]ap-southeast-1[.]amazonaws[.]com/10014[.]zip
  • Dropped file: FQDSZYB.exe
  • Filename lure: 点击此处跳转直螃蟹官网.exe
  • C2 / update server: briansclub[.]mx

MITRE ATT&CK

T1204.002 User Execution: Malicious File; T1071.001 Application Layer Protocol: Web Protocols; T1105 Ingress Tool Transfer; T1547 Boot or Logon Autostart Execution; T1027 Obfuscated Files or Information; T1497 Virtualization/Sandbox Evasion.

What this tells us about the next zero-detection sample

The window between a sample landing in the wild and a vendor signaturing it is not a bug to be optimized away. It is inherent to any defense that classifies by prior exposure. As attackers automate the recompilation and re-hosting of known families, that window is where more of the risk concentrates.
Closing it means analyzing what compiled code does before anyone has a name for it.

This sample was analyzed on the Delphos Labs platform using static analysis, emulation, and behavioral classification. No signatures or YARA rules were used. The verdict was produced by automated analysis with no human intervention.
Analyze your own file here.
 

Company

About UsBlogSecurity Trust CenterBug Bounty ProgramVulnerability Research Policy

Account

Privacy PolicyTerms of Service

Help & Feedback

Contact SupportEmail Us

Social

LinkedInX

Copyright © 2026 Delphos Labs Inc.