Accordingly, the Department of Cyber Security and High-Tech Crime Prevention ( Hanoi City Police) discovered the Valley RAT malware linked to the control server address (C2): 27.124.9.13, port 5689, hidden in a file named "DRAFT RESOLUTION OF THE CONGRESS.exe".
Subjects took advantage of the activities of collecting opinions on draft documents to be submitted to the Congress to trick users into installing and performing dangerous acts such as stealing sensitive information, appropriating personal accounts, stealing documents, and spreading malware to other computers.
The analysis results show that after being installed on the user's computer, the malware will automatically execute every time the computer is started, connecting to a remote control server controlled by hackers, and from there continue to carry out the above dangerous actions.
Expand the review and detect other malicious files that are connected to the C2 server that hackers have recently spread: FINANCIAL REPORT2.exe or BUSINESS INSURANCE PAYMENT.exe; GOVERNMENT URGENT DISPATCH.exe; TAX DECLARATION SUPPORT.exe; PARTY ACTIVITY EVALUATION DISPATCH.exe or AUTHORIZATION FORM.exe; MINUTES OF REPORT FOR THE THIRD QUARTER.exe.
To proactively prevent, the Department of Cyber Security and High-Tech Crime Prevention recommends that people be vigilant and not download, install, or open files of unknown origin (especially executable files with extensions .exe, .dll, .bat, .msi, ...).
Check the information system of the unit and locality to detect suspicious files. If an incident is noted, isolate the infected machine, disconnect from the Internet and report to the National Cyber Security Center for support.
Scan the entire system with the latest updated security software (EDR/XDR) that can detect and remove hidden malware.
Recommended use: Avast, AVG, Bitdefender (free version) or latest updated Windows Defender, (Kaspersky free version has not yet detected this malware).
Along with that, perform a manual scan: Check on Process Explorer, if you see a process without a digital signature or a fake text file name.
Check tcpview to see network connection - if it detects connection to IP 27[.]124[.]9[.]13 then it needs to be handled immediately.
Administrators need to urgently block on the firewall, preventing access to the malicious IP address 27.124.9.13.
Source: https://baovanhoa.vn/nhip-song-so/canh-bao-ma-doc-nguy-hiem-loi-dung-viec-gop-y-du-thao-van-kien-dai-hoi-dai-bieu-toan-quoc-lan-thu-xiv-cua-dang-181494.html
![[Photo] Unique architecture of the deepest metro station in France](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/11/14/1763107592365_ga-sau-nhat-nuoc-phap-duy-1-6403-jpg.webp)
![[Photo] Unique art of painting Tuong masks](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/11/14/1763094089301_ndo_br_1-jpg.webp)
![[Photo] Special class in Tra Linh](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/11/14/1763078485441_ndo_br_lop-hoc-7-jpg.webp)
Comment (0)