Back to Intelligence

Multi-Actor APT Campaigns Targeting Banking & Infrastructure: ValleyRAT, Havoc, and Supply Chain Attacks — Detection & Response Brief

SA
Security Arsenal Team
July 10, 2026
6 min read

Threat Summary

Recent OTX pulse data reveals a sophisticated multi-vector threat landscape characterized by three significant campaign clusters:

  1. Financial Sector Targeting: APT groups including SilverFox, Mustang Panda, and Amaranth-Dragon are orchestrating coordinated campaigns against the Indonesian Banking, Financial Services, and Insurance (BFSI) sector, leveraging advanced malware frameworks including ValleyRAT, Havoc, and Cobalt Strike.

  2. Hacktivist Expansion: Groups including 4BID, Hakerskii Kit, and C.A.S. are expanding their operations beyond political targets to critical infrastructure in healthcare, government, and manufacturing sectors across Russia, Belarus, Kazakhstan, UAE, Syria, and Egypt.

  3. Supply Chain Compromise: A sophisticated attack targeting cryptocurrency developers through a compromised npm package (injective-sdk@1.20.21) designed to exfiltrate wallet keys and mnemonic phrases.

These campaigns demonstrate clear financial and espionage motivations, with attackers actively exploiting CVE-2025-8088 and ProxyShell vulnerabilities as initial access vectors before establishing persistent C2 channels.

Threat Actor / Malware Profile

ValleyRAT

  • Distribution: Phishing campaigns targeting financial institutions with malicious documents
  • Payload Behavior: Remote access capabilities, data exfiltration, screen capture
  • C2 Communication: HTTP/HTTPS to domains like emezonhe.me, skycloudcenter.com, dog3rj.tech
  • Persistence: Registry modification, scheduled tasks, WMI event consumers
  • Anti-analysis: Code obfuscation, anti-debugging techniques, VM detection

Havoc Framework

  • Distribution: Post-exploitation deployment after initial access
  • Payload Behavior: Command execution, lateral movement, credential dumping
  • C2 Communication: Encrypted TCP channels over non-standard ports
  • Persistence: Service creation, registry modification, DLL search order hijacking
  • Anti-analysis: Process hollowing, memory evasion techniques

Compromised npm Package

  • Distribution: Supply chain compromise via malicious injective-sdk@1.20.21
  • Payload Behavior: Hooks key generation functions to capture wallet data
  • C2 Communication: Exfiltrates sensitive data to testnet.archival.chain.grpc-web.injective.network
  • Persistence: Persists in node_modules directory of compromised projects
  • Anti-analysis: Limited, relies on developer environment execution

IOC Analysis

The provided indicators include:

  • File Hashes: SHA256 (e.g., 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a) and MD5 hashes for malware samples
  • Domains: C2 infrastructure including emezonhe.me, skycloudcenter.com, dog3rj.tech, q74vn.live
  • IPv4 Addresses: C2 infrastructure at 188.127.251.171, 59.110.7.32
  • CVEs: CVE-2025-8088, CVE-2023-44976
  • URLs: Malicious endpoints like https://testnet.archival.chain.grpc-web.injective.network
  • Hostnames: Associated with C2 infrastructure and exfiltration endpoints

SOC teams should:

  1. Add IPs and domains to firewall blocklists immediately
  2. Configure EDR solutions to block identified file hashes
  3. Use threat intelligence platforms to correlate IOCs with internal telemetry
  4. Deploy network analysis tools to identify C2 traffic patterns
  5. Utilize malware analysis platforms for further investigation of samples

Detection Engineering

YAML
---
title: ValleyRAT C2 Traffic Detection
id: 47f8d294-c5ce-42b8-9b1a-6d6a9c1d8e3e
description: Detects C2 communication patterns associated with ValleyRAT malware
status: experimental
author: Security Arsenal
date: 2026/07/10
references:
    - https://otx.alienvault.com/pulse/67a7b4d6e1b70d4a0d8c9e3a7c4b1d8e
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: zeek
    service: http
detection:
    selection:
        uri|contains:
            - '/api/v1'
            - '/cmd'
        host|endswith:
            - '.tech'
            - '.live'
    filter:
        user_agent|contains:
            - 'Mozilla'
            - 'Windows'
    condition: selection and not filter
falsepositives:
    - Legitimate API traffic to tech domains
level: high
---
title: Havoc Framework Process Injection
date: 2026/07/10
description: Detects potential process injection techniques used by Havoc framework
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67a7b4d6e1b70d4a0d8c9e3a7c4b1d8e
tags:
    - attack.defense_evasion
    - attack.t1055.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'Process'
        AccessMask|contains:
            - 'PROCESS_VM_WRITE'
            - 'PROCESS_VM_OPERATION'
        SubjectUserName|contains:
            - 'SYSTEM'
            - 'ADMIN'
    condition: selection
falsepositives:
    - Legitimate system administration tools
level: high
---
title: Malicious NPM Package Wallet Key Exfiltration
date: 2026/07/10
description: Detects suspicious network activity from compromised Injective SDK npm package
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67a7b4d6e1b70d4a0d8c9e3a7c4b1d8e
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    product: azure
    service: azureactivity
detection:
    selection:
        OperationName|contains: 'Microsoft.Network/networkSecurityGroups/write'
    filter:
        CallerIpAddress|contains:
            - 'injective.network'
            - 'grpc-web'
    condition: selection and not filter
falsepositives:
    - Legitimate development activity
level: high


kql
// Hunt for ValleyRAT C2 traffic
DeviceNetworkEvents
| where RemoteUrl in ("emezonhe.me", "skycloudcenter.com", "dog3rj.tech", "q74vn.live") 
   or RemoteIP in ("188.127.251.171", "59.110.7.32")
| summarize count() by DeviceName, RemoteUrl, RemoteIP
| sort by count_ desc

// Hunt for Havoc Framework process injection
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "powershell" and 
   ProcessCommandLine contains "Invoke-WebRequest" and
   ProcessCommandLine contains any("emezonhe.me", "skycloudcenter.com", "dog3rj.tech", "q74vn.live")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName

// Hunt for compromised npm package activity
DeviceFileEvents
| where SHA256 in ("103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0", 
                   "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for ProxyShell exploitation indicators
DeviceProcessEvents
| where ProcessName endswith "powershell.exe" and
   ProcessCommandLine contains "Set-Mailbox" and
   ProcessCommandLine contains "-WindowsEmailAddress"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine


powershell
# IOC Hunt for ValleyRAT and Havoc Framework
$C2Domains = @("emezonhe.me", "skycloudcenter.com", "dog3rj.tech", "q74vn.live", "testnet.archival.chain.grpc-web.injective.network")
$C2IPs = @("188.127.251.171", "59.110.7.32")
$MaliciousHashes = @(
    "4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a",
    "103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0",
    "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9"
)

# Check for network connections to C2 infrastructure
Write-Host "Checking for connections to known C2 infrastructure..." -ForegroundColor Yellow
Get-NetTCPConnection | Where-Object {
    $C2IPs -contains $_.RemoteAddress
} | Format-Table

# Check for malicious files
Write-Host "Scanning for malicious file hashes..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem
foreach ($Drive in $Drives) {
    Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue | Where-Object {
        $MaliciousHashes -contains $_.Hash
    } | Select-Object FullName, Hash
}

# Check for suspicious scheduled tasks
Write-Host "Checking for suspicious scheduled tasks..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {
    $_.TaskName -like "*update*" -or 
    $_.TaskName -like "*service*" -or 
    $_.Actions.Execute -like "*powershell*"
} | Select-Object TaskName, TaskPath, Actions

# Check DNS cache for C2 domains
Write-Host "Checking DNS cache for C2 domains..." -ForegroundColor Yellow
Get-DnsClientCache | Where-Object {
    $C2Domains -contains $_.Entry
} | Format-Table

# Check for compromised npm package
Write-Host "Checking for compromised npm package..." -ForegroundColor Yellow
$NpmPackages = Get-ChildItem -Path "C:\Users\*\AppData\Roaming\npm" -Recurse -ErrorAction SilentlyContinue
foreach ($Package in $NpmPackages) {
    if ($Package.Name -like "*injective*" -and $Package.Version -eq "1.20.21") {
        Write-Host "Potential malicious package found: $($Package.FullName)" -ForegroundColor Red
    }
}

Response Priorities

Immediate:

  • Block all identified C2 domains and IP addresses at the perimeter firewall
  • Implement endpoint controls for all file hashes provided
  • Initiate threat hunting for process injection patterns characteristic of Havoc
  • Check for the malicious npm package (injective-sdk@1.20.21) in all development environments

24h:

  • Perform identity verification and password resets for credentials potentially stolen by ValleyRAT
  • Review logs for evidence of data exfiltration to identified endpoints
  • Audit npm package dependencies across all development projects
  • Isolate systems showing signs of compromise for forensic analysis

1 week:

  • Patch CVE-2025-8088 and ProxyShell vulnerabilities across all Microsoft Exchange servers
  • Implement strict package verification for all npm dependencies
  • Conduct phishing awareness training focused on financial sector threats
  • Deploy honeytokens in development environments to detect supply chain attacks

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptvalleyrathavoc-frameworkapt-campaignsbanking-attackssupply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.