Predicting ValleyRAT: Early Detection with First Watch

ValleyRAT is a multi-stage Remote Access Trojan (RAT) that primarily targets Chinese-speaking users and enterprises through coordinated phishing campaigns designed to gain complete control over infected systems and deploy additional malware. ValleyRAT was first discovered by Proofpoint researchers in 2023 and has since been observed in various campaigns.

According to research by Morphisec Threat Labs, the malware is distributed via malicious emails and websites. It comes disguised as legitimate software, such as Google Chrome, or as Microsoft Office documents. These files deliver a multi-component loader designed to bypass security measures.

The threat targets organizations across various industries using different approaches. In fact, at the time of writing (November 2025), the ThreatFox open IoC database contained about 1,000 entries, including 40 domain names associated with ValleyRAT that year. 

The WhoisXML API research team decided to look for more associated domains using our predictive threat intelligence solution, the First Watch Malicious Domains Data Feed.

Methodology

The goal of this research was to map out more of the attacker domain infrastructure, as well as verify that it could be predicted early using machine learning algorithms, in particular, with First Watch.

First Watch is an AI solution that analyzes all newly registered domains (NRDs) and uses continuously refined machine learning algorithms to look for suspicious domain registration patterns. It is trained on large datasets of known malicious domains so that it can spot domains that are likely to become malicious at the time of their registration, rather than only after they appear in traditional threat intelligence feeds.

If a domain ends up in the First Watch data feed, that does not guarantee it will become malicious. First Watch marks domains based on the malicious intent behind their creation. Often, threat actors register more domains than they end up using, but the ones that are not used in a campaign were still created with the same malicious intent. First Watch detects such domains and marks them as likely to become malicious.

To do that, it is trained to recognize patterns, such as:

  • bulk registration
  • algorithmically generated domain names (so-called DGAs)
  • TLD and registrar combinations associated with past threats
  • and more.

In this research, we want to achieve the following:

  1. Validate that the known IoC domains could be predicted at the time of their registration by First Watch.
  2. Look for other domains that were also identified by First Watch as likely to become malicious and are likely related to the same threat actor based on the similarities they exhibit and share with the known IoCs.
  3. Check the domains identified by First Watch against open threat intelligence sources to validate the malicious intent behind them. 

To achieve this, we use IoCs from ThreatFox that were added by other cybersecurity vendors or community members, who detected, researched, and attributed these IoCs to a specific threat actor.

1. Validation: Checking the IoCs Against First Watch

Firstly, we wanted to see if our predictive threat intelligence could anticipate that those domains listed in ThreatFox would be malicious. Although this evaluation is retrospective, the analysis relies on historical First Watch feed files that were generated at the time the domains were registered or shortly thereafter. This ensures that our review does not influence the results and reflects what First Watch surfaced at the moment of generation.

From the 40 IoC domains listed in ThreatFox, 23 were found in various First Watch Malicious Domains Data Feed files — the earliest dating back to November 10, 2024, and the most recent to October 18, 2025. All shortlisted domains appeared in First Watch before they were listed on ThreatFox — 2 to 277 days earlier than officially disclosed as IoCs.

The results support the idea that First Watch’s algorithms for analyzing registration patterns can surface potentially malicious domains at or near the moment they are created, often long before they appear in public threat intelligence reports as IoCs. They also suggest that some domains may be registered well in advance, months before they are weaponized, as part of the preparation for future malicious campaigns.

How many days earlier did First Watch detect the IoC domains before their appearance in ThreatFox

2. High-Confidence Findings: Uncovering Additional IoCs 

Initial pattern analysis

Most of the domains identified by First Watch appear to have been created using domain generation algorithms (DGAs). Looking at them, it is possible to see that some of them exhibit certain patterns. 

For example, three of them begin with the string "ydbao," followed by some numbers, and use the .cyou TLD. Also, the WHOIS records of the .cyou IoC domains showed that they were all registered within seconds of each other on June 9, 2025 — another hint at algorithmic registration.

"ydbao" ValleyRAT IoC domains from ThreatFox

We found all three domains in the First Watch data feed dated June 10, 2025, just one day after registration, and 92 to 123 days earlier than they were first listed on ThreatFox.

IoC Domain       First seen on ThreatFox   First seen on First Watch   Days between First Watch detection and ThreatFox listing
ydbao4[.]cyou    October 11, 2025          June 10, 2025               123
ydbao8[.]cyou    September 10, 2025        June 10, 2025               92
ydbao6[.]cyou    September 19, 2025        June 10, 2025               101

In addition to that, on the same day, the predictive threat intelligence model behind First Watch identified 47 other domains with the same pattern. And one day later, it discovered 3 more “ydbao” domains, similar to the initial IoCs. Here are the domains:


They share not only the same strings and TLD, but also the same registrar and nameservers. In fact, like the initial three domains, they were all registered within seconds of each other (except for the three identified one day later, which were also registered simultaneously, but on a different date). 

"ydbao" IoC domains detected by First Watch
Additional "ydbao" IoC domains for ValleyRAT

These similarities allow us to hypothesize with a high level of confidence that they belong to the same threat actor and were registered to be a part of the same campaign. 

It is likely that the threat actor expected those domains to be discovered and blocked one by one, and wanted an easy way to rotate between domains to continue with the campaign — and for that, they probably registered a significant number of domains in advance. These domains could’ve been registered to be used as command & control (C2) servers between which the actor could’ve rotated, or as phishing infrastructure. 

Additional hypothesis validation

DNS connections

The connection between those domains is further validated by the fact that they shared some infrastructure. We ran these 50 domains (including the three original IoCs from ThreatFox) through the DNS Chronicle API to check their historical DNS resolutions and found that all of them had resolved to one IP address (95[.]173[.]197[.]195) on June 10, 2025. 

All but one domain (ydbao45[.]cyou) resolved to that same IP address again between June 29 and September 3, with 15 domains resolving to that IP twice over the same period. That reinforces our hypothesis that all these domains are part of the same ValleyRAT campaign used by the same threat actor.

Other IP addresses found on the “ydbao” domains’ DNS history were:

  • 103[.]156[.]25[.]253
  • 137[.]220[.]229[.]20
  • 14[.]128[.]63[.]155
  • 154[.]91[.]66[.]60
  • 118[.]107[.]44[.]96

Domain registration patterns exhibited by "ydbao" ValleyRAT IoC domains

Malicious intent validation

To validate our hypothesis about the malicious intent behind the domains, we checked the 50 newly discovered “ydbao” domains against the VirusTotal IoC database and found that 43 of them are known to be malicious by at least one vendor. Only seven domains were not flagged by any of the tools. 

How many "ydbao" ValleyRAT IoC domains are known to be malicious by vendors on VirusTotal

The fact that most of these domains are flagged as malicious by at least one VirusTotal vendor suggests that they have likely been used by the threat actor and were therefore picked up by malware detection engines.

Those that have not been detected previously were likely not used for malicious purposes, whether because the threat actor achieved their goal with other domains or because they abandoned the campaign. Or perhaps the threat actor has not used them yet but may do so in the future.

Whatever the reason is, the patterns in the domain names, registration data, and DNS data suggest that these domains are likely connected and were registered with the same malicious intent.
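As an added example (not code from the article or from the First Watch product), the following Python applies the same three checks used above to cluster candidate domains: a shared name template (fixed string plus numeric suffix plus TLD), registration bursts seconds apart, and overlapping registrar, nameserver and resolution IPs. It generalizes beyond "ydbao" to the "360news" and "shyda" templates. The WHOIS-style records are constructed for the example; the registrar and nameserver values are placeholders, and the IPs are the two quoted above plus one documentation-range address.

```python
import re
from datetime import datetime, timedelta

# Constructed WHOIS-style records modelled on the "ydbao" group (registrar/nameserver are placeholders):
# (domain, registration time UTC, registrar, nameserver, historical resolution IPs)
RECORDS = [
    ("ydbao4[.]cyou", "2025-06-09T08:00:01", "RegistrarA", "ns1.dns-example.net", {"95.173.197.195"}),
    ("ydbao6[.]cyou", "2025-06-09T08:00:03", "RegistrarA", "ns1.dns-example.net", {"95.173.197.195"}),
    ("ydbao8[.]cyou", "2025-06-09T08:00:04", "RegistrarA", "ns1.dns-example.net", {"95.173.197.195", "103.156.25.253"}),
    ("ydbao45[.]cyou", "2025-06-09T08:00:05", "RegistrarA", "ns1.dns-example.net", {"95.173.197.195"}),
    ("ydbao52[.]cyou", "2025-06-10T09:30:00", "RegistrarA", "ns1.dns-example.net", set()),
    ("news-daily[.]com", "2025-06-09T08:00:02", "RegistrarB", "ns.unrelated.net", {"203.0.113.9"}),
]

# label + numeric suffix + defanged TLD, e.g. ydbao42[.]cyou, 360news11[.]icu, shyda6317[.]club
TEMPLATE = re.compile(r"^([a-z0-9]*?[a-z])(\d+)\[\.\]([a-z]+)$")

def name_template(domain):
    m = TEMPLATE.match(domain)  # ('ydbao', 'cyou'), or None when there is no numeric suffix
    return (m.group(1), m.group(3)) if m else None

def registration_bursts(records, window_seconds=60):
    """Group by name template, then split each group into bursts of registrations < window apart."""
    by_template = {}
    for rec in records:
        key = name_template(rec[0])
        if key:
            by_template.setdefault(key, []).append(rec)
    bursts = {}
    for key, recs in by_template.items():
        recs.sort(key=lambda r: r[1])  # ISO timestamps sort lexicographically
        groups, prev = [], None
        for rec in recs:
            ts = datetime.fromisoformat(rec[1])
            if prev is None or ts - prev > timedelta(seconds=window_seconds):
                groups.append([])  # gap too large: start a new burst
            groups[-1].append(rec)
            prev = ts
        bursts[key] = groups
    return bursts

def infrastructure_overlap(cluster):
    """WHOIS and passive-DNS overlap inside one burst: registrars, nameservers, IPs seen on 2+ domains."""
    ip_counts = {}
    for rec in cluster:
        for ip in rec[4]:
            ip_counts[ip] = ip_counts.get(ip, 0) + 1
    return {"size": len(cluster), "registrars": {r[2] for r in cluster},
            "nameservers": {r[3] for r in cluster},
            "shared_ips": {ip for ip, n in ip_counts.items() if n > 1}}
```

A burst whose summary shows one registrar, one nameserver set and at least one IP shared by several members is the "high-confidence" signal the analysis above relies on; a lone domain in its own burst (like ydbao52 here) needs the VirusTotal or passive-DNS check before it is acted on.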

3. Exploring the Threat Actor’s Reliance on Domain Name Patterns

Looking at the IoC domains and the First Watch feed files, we were able to identify more patterns of bulk domain registrations that we can with high confidence attribute to the same threat actor. These patterns include:

  • Domains that contain “360news” in their domain name and share the .icu TLD (2 examples in the IoC list).
  • Domains starting with “xxx” and having a date in their name, all belonging to the .com TLD (5 examples in the IoC list).
  • Domains starting with “shyda” in the .club TLD (1 example in the IoC list).

Exploring the “360news” pattern

In addition to two known IoCs, First Watch has identified nine more domains that have “360news” in their domain name and belong to the .icu TLD and marked them as likely to become malicious:

  • 360news11[.]icu
  • 360news5[.]icu
  • 360news4[.]icu
  • 360news7[.]icu
  • 360news6[.]icu
  • 360news9[.]icu
  • 360news1[.]icu
  • 360news8[.]icu
  • 360news3[.]icu

All of these domains, including the original IoCs, share the same registrar — Gname. All except one were registered on the same date, 2025-07-29, mere seconds apart (the other one, 360news11[.]icu, was registered on 2025-08-13). They also all have nameservers from SHARE-DNS.

When it comes to DNS patterns, some of these domains also shared the same IP address at some point. For example, 360news1[.]icu, 360news3[.]icu, and 360news5[.]icu all resolved to 47[.]242[.]113[.]81, while 360news7[.]icu and 360news8[.]icu shared 47[.]86[.]49[.]173. All of the “360news” domains, including the ones from the list of IoCs, resolved to IPv4 addresses starting with 47 at some point in their existence.

These similarities allow us to hypothesize with a high level of confidence that these domains belong to the same threat actor. 

domain registration patterns exhibited by "360news" ValleyRAT IoC domains

Checking the list of domains against VirusTotal showed that only two out of the nine additional “360news” domains are known to be malicious by at least one vendor, while the other seven remain undetected. However, all of them were identified by First Watch and added to the feed on 2025-07-30 (and on 2025-08-14 for 360news11[.]icu), within one day after registration.

Exploring the “xxx and date” pattern

Looking at the second pattern of domain names, with “xxx” and dates in their names, we were not able to find any additional domain names in the First Watch feeds that exhibit enough similarities to these ones.

The hypothesis that the known IoCs are connected is supported by the fact that they share the same registrar, Gname, as well as the same name servers. Some of them also showed historical resolutions to the same IP address — 156[.]252[.]60[.]154.

Domain registration patterns exhibited by "xxx and date" ValleyRAT IoC domains

Exploring the “shyda” pattern

There is also another group of domains: those that have “shyda” in their names and are registered within the .club TLD. In addition to shyda6317[.]club from the IoC list, First Watch has identified four more such domains:

  • shyda6318[.]club
  • shyda6319[.]club
  • shyda6320[.]club
  • shyda6321[.]club

All of these domains share the same registrar — 22NET. Three of the “shyda” domains, including the original IoC, were registered almost at the same time on 2024-11-09, while the other two were also registered within seconds of each other, but almost five months later, on 2025-04-13. They all share the same nameservers, though.

These similarities again allow us to hypothesize that these domains are registered by the same threat actor for the same malicious purposes.

Domain registration patterns of "shyda" ValleyRAT IoC domains

All of these domains were identified by the machine learning algorithms of our predictive threat intelligence model and added to the First Watch data feed within one day after registration (on 2024-11-10 and 2025-04-14 respectively).

Two of the newly identified ones are known to be malicious by at least one VirusTotal vendor. 

Summary

Overall, among the 67 domains likely associated with ValleyRAT that were identified by First Watch based on patterns — but not listed on ThreatFox — 56 are known to be malicious by at least one VirusTotal vendor, while the remaining 11 were not flagged.

Overall percentage of known malicious domains (identified by at least one vendor on VirusTotal) in the ValleyRAT-associated domains identified by First Watch predictive threat intelligence

Our hypothesis is that the ones not known as malicious were not yet used in a malicious campaign, but likely registered in advance in bulk together with the rest to allow the threat actor to easily switch between them on the go.

Conclusion

Analyzing the domain IoCs attributed to ValleyRAT campaigns and using our predictive threat intelligence solution, First Watch, we have identified groups of domains that we can attribute to the same threat actor with a high level of confidence. 

Within their respective groups, these domains exhibit a lot of similarities, including patterns in the domain names, time and date of registration, WHOIS similarities such as same registrars and name servers, and sometimes shared infrastructure.

This suggests that the threat actor behind ValleyRAT relies on bulk domain registration using algorithms to generate domain names. Some of these domains have already been weaponized, while others, seemingly registered with the same intent, remain either abandoned or dormant. Either way, the use of DGA domains and patterns suggests that the threat actor prepares redundant infrastructure in advance.

We’ve also shown that domain registration patterns such as the ones used in ValleyRAT campaigns can be identified by machine learning algorithms, such as the ones used in First Watch. This allows organizations to block likely-to-become-malicious domains en masse shortly after registration, without waiting for the threat actor to weaponize them.

You can download a sample of the First Watch Malicious Data Feed here or contact us for a demo.
