ValleyRAT is being used to exfiltrate sensitive data from compromised systems through covert network communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary

Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gxfsxs.cn | botnet_cc | 2026-05-23 | 100% |
| domain | zythdolm.cn | botnet_cc | 2026-05-23 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
let malicious_domains = dynamic(["gxfsxs.cn", "zythdolm.cn"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
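The hunt above, replayed offline against constructed DnsEvents-shaped records so the matching logic can be checked before it is run in Sentinel. This is an added example, not part of the page's original query; the sample rows, hostnames and IP addresses are constructed, and the matcher follows the intent of `Name has_any (malicious_domains)` (the IOC domain itself or any subdomain of it, not look-alike names that merely contain the string).

```python
"""Offline replay of the ValleyRAT DnsEvents hunt (added example, not from the page)."""
from datetime import datetime
from typing import Iterable

# ValleyRAT C2 domains from the page's ThreatFox IOC table.
MALICIOUS_DOMAINS = ("gxfsxs.cn", "zythdolm.cn")

# Constructed sample DnsEvents rows (not real telemetry); same columns the KQL projects.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-23T08:01:10Z", "Computer": "ws01", "Name": "gxfsxs.cn", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T08:02:45Z", "Computer": "ws02", "Name": "update.zythdolm.cn.", "IPAddresses": "", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-05-23T08:03:00Z", "Computer": "ws03", "Name": "notgxfsxs.cn", "IPAddresses": "198.51.100.7", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T08:04:30Z", "Computer": "ws04", "Name": "GXFSXS.CN", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T08:05:00Z", "Computer": "ws05", "Name": "example.com", "IPAddresses": "93.184.216.34", "QueryType": "A"},
]

PROJECTED_COLUMNS = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot of a fully-qualified form."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> bool:
    """True if `name` is an IOC domain or a subdomain of one; substrings alone do not count."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in map(normalize, iocs))


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Mirror the KQL: filter on the IOC list, project the five columns, order newest first."""
    hits = [e for e in events if matches_ioc(e["Name"], iocs)]
    hits.sort(
        key=lambda e: datetime.fromisoformat(e["TimeGenerated"].replace("Z", "+00:00")),
        reverse=True,
    )
    return [{col: e[col] for col in PROJECTED_COLUMNS} for e in hits]


if __name__ == "__main__":
    for row in hunt(SAMPLE_DNS_EVENTS):
        print(row)
```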
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe is configured to run a maintenance script that includes a file path matching a ValleyRAT IOC.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks.exe /create"
Scenario: Log File Analysis by SIEM Tool
Description: A SIEM tool like Splunk or ELK is parsing log files and includes a log entry that matches a ValleyRAT IOC due to a benign string in the log message.
Filter/Exclusion: process.name == "splunkd.exe" or process.name == "logstash.exe" or process.name == "elasticsearch.exe"
Scenario: Admin Using PowerShell for Scripting
Description: A system administrator is using PowerShell to run a script that includes a file or command line string that matches a ValleyRAT IOC.
Filter/Exclusion: process.name == "powershell.exe" and process.user contains "Domain\Administrator"
Scenario: Antivirus Quarantine Process
Description: An antivirus tool like Bitdefender or Kaspersky is quarantining a file that matches a ValleyRAT IOC, but the file is a legitimate, previously flagged benign file.
Filter/Exclusion: process.name contains "bitdefender" or process.name contains "kavservice" or process.name contains "avgnt"
Scenario: Database Backup Job Execution
Description: A database backup job using SQL Server Agent or Oracle Scheduler is running and includes a file path or command that matches a ValleyRAT IOC.
Filter/Exclusion: process.name == "sqlservr.exe" or process.name == "oracle.exe" or `process.command_line