Back to Intelligence

ValleyRAT & Injective SDK Supply Chain: OTX Pulse Analysis — Credential Theft Campaign

SA
Security Arsenal Team
July 10, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a surge in credential theft activity converging on the financial sector, specifically targeting Indonesian Banking, Financial Services, and Insurance (BFSI) institutions alongside cryptocurrency developers.

The campaigns are dual-faceted:

  1. APT-Style Financial Espionage: A coordinated effort by threat actors including SilverFox and Mustang Panda utilizing sophisticated malware families such as ValleyRAT, Cobalt Strike, and Havoc to compromise banking infrastructure. The objective appears to be persistent access for data exfiltration and financial surveillance.
  2. Supply Chain Crypto Theft: A critical compromise of the Injective Labs TypeScript SDK (npm package version 1.20.21). This supply chain attack weaponizes the development build process, embedding malicious code designed to hook into key generation functions and exfiltrate mnemonic phrases and private keys to attacker-controlled infrastructure.

Both campaigns highlight a pivot toward stealing high-value credentials—banking access keys and cryptocurrency wallets—facilitated either through direct phishing (ValleyRAT) or trusted developer tools (npm).

Threat Actor / Malware Profile

Malware: ValleyRAT

  • Distribution: Primarily delivered via spear-phishing campaigns targeting the finance sector, often using malicious attachments or links.
  • Payload Behavior: A remote access trojan (RAT) capable of screen capture, keylogging, and shell command execution. It is frequently used in conjunction with loaders like Amaranth Loader.
  • C2 Communication: Establishes connections to specific IP infrastructure (e.g., 188.127.251.171) and domains using custom protocols, often over HTTP/HTTPS to blend in with traffic.
  • Persistence: Utilizes registry run keys and scheduled tasks. Recent variants use RustSL and ShadowGuard for obfuscation.

Malware: Injective SDK Infostealer (Supply Chain)

  • Distribution: Published as a legitimate version 1.20.21 of the @injective/sdk npm package.
  • Payload Behavior: The malware hooks asynchronous functions responsible for wallet generation. When a user initializes a wallet using the compromised SDK, the private key and mnemonic are intercepted.
  • Exfiltration: Sensitive data is transmitted to specific hardcoded endpoints, notably testnet.archival.chain.grpc-web.injective.network.
  • Persistence: Not applicable to the file itself (execution is passive during build/runtime), but the compromise allows the actor to persist within the development environment of the victim, affecting all applications built with the library.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple vectors, requiring a multi-layered defense approach:

  • Network Infrastructure (IPs/Domains): IOCs like emezonhe.me, skycloudcenter.com, and 188.127.251.171 are linked to C2 infrastructure for ValleyRAT and related APT tools. These should be blocked at the perimeter and proxy level. The domain testnet.archival.chain.grpc-web.injective.network is an exfiltration sinkhole for the crypto campaign.
  • File Hashes (SHA256):
    • 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a: Associated with ValleyRAT loader/dropper.
    • 103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0: Malicious file within the Injective npm package.
    • 9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9: Secondary artifact for the npm compromise.
  • CVE: CVE-2025-8088 is referenced as a potential exploit vector in the banking campaigns, likely for initial access or privilege escalation.

Operational Guidance: SOC teams should immediately ingest these IOCs into EDR and SIEM solutions. Focus on network egress alerts to the listed domains and file creation alerts matching the SHA256 hashes.

Detection Engineering

Sigma Rules

YAML
title: Suspicious Network Connection to ValleyRAT C2 Infrastructure
id: 8a9b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects network connections to known C2 infrastructure associated with the Indonesian Banking Sector threat landscape.
status: experimental
date: 2026/07/10
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp:
            - '188.127.251.171'
            - '59.110.7.32'
        DestinationHostname:
            - 'emezonhe.me'
            - 'skycloudcenter.com'
            - 'dog3rj.tech'
            - 'q74vn.live'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.t1071
---
title: Malicious Injective SDK File Creation
id: 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
description: Detects the creation of files matching the SHA256 hashes of the compromised Injective SDK npm package.
status: experimental
date: 2026/07/10
author: Security Arsenal
logsource:
    category: file_event
    product: windows
detection:
    selection_hash:
        TargetFilename|contains: 'node_modules'
        Hashes|contains:
            - '103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0'
            - '9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9'
    condition: selection_hash
falsepositives:
    - Legitimate npm package installation (verify version)
level: high
tags:
    - attack.initial_access
    - attack.t1195
---
title: Potential ValleyRAT Loader Execution via PowerShell
id: 3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b
description: Detects patterns consistent with ValleyRAT droppers, typically involving PowerShell downloading payloads from suspicious TLDs or executing encoded commands leading to specific loader binaries.
status: experimental
date: 2026/07/10
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        ParentImage|endswith: '\powershell.exe'
        Image|endswith: ".exe"
        CommandLine|contains:
            - "-encodedcommand"
            - "DownloadString"
    selection_network:
        DestinationHostname|endswith:
            - '.me'
            - '.tech'
            - '.live'
    condition: 1 of selection*
falsepositives:
    - Administrative scripting
level: medium
tags:
    - attack.execution
    - attack.t1059.001

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to known malicious infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("emezonhe.me", "skycloudcenter.com", "dog3rj.tech", "q74vn.live", "testnet.archival.chain.grpc-web.injective.network") 
   or RemoteIP in ("188.127.251.171", "59.110.7.32")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend IOCSource = "OTX-Pulse-IndonesiaBanking"

// Hunt for file hashes associated with the campaigns
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in ("4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a", "103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0", "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| extend IOCSource = "OTX-Pulse-Infostealer"

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for ValleyRAT and Injective SDK Artifacts
# Run with Administrative Privileges

$IOC_Hashes = @(
    "4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a",
    "103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0",
    "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

# Scan C: drive (adjust as needed)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.Length -gt 0 } | 
    ForEach-Object {
        $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($IOC_Hashes -contains $fileHash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            Write-Host "    Hash: $fileHash" -ForegroundColor Red
        }
    }

Write-Host "[+] Checking network connections for C2 infrastructure..." -ForegroundColor Cyan

$C2_Domains = @("emezonhe.me", "skycloudcenter.com", "dog3rj.tech", "q74vn.live")
$C2_IPs = @("188.127.251.171", "59.110.7.32")

$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($conn in $connections) {
    $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $remoteAddr = $conn.RemoteAddress
    
    # Resolve IP to Hostname if necessary, simplified check here for IPs
    if ($C2_IPs -contains $remoteAddr) {
        Write-Host "[!] SUSPICIOUS CONNECTION: Remote IP $remoteAddr connected by $($process.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Red
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all listed IOCs (IPs, Domains, and Hashes) on perimeter firewalls, proxies, and EDR systems. Isolate any endpoints with positive hits for the SHA256 hashes.
  • 24 Hours: Conduct a forensic review of any systems identified with the @injective/sdk version 1.20.21. Rotate all cryptocurrency wallet keys and mnemonics that may have been generated or stored on affected developer machines. Review access logs for banking sector applications for anomalies linked to the listed APT actors.
  • 1 Week: Enforce strict dependency verification (SBOM) for software development pipelines. Implement application control to prevent the execution of unsigned binaries or those mimicking legitimate system tools (LOLBins) often used by ValleyRAT loaders.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsvalleyratsupply-chain-attackcrypto-theftinfostealerapt-campaign

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.