Hackers Use Fake VLC Executable and Malicious libvlc.dll to Deploy ValleyRAT

Cybercriminals have devised a sophisticated method to bypass security measures by embedding malware within a widely trusted application. Recent investigations have revealed a campaign that exploits the popular VLC media player to stealthily install ValleyRAT, a remote access trojan that grants attackers complete control over compromised systems.

The attack begins with an innocuous email, often concerning personnel transfers or salary adjustments, which includes a link to download a seemingly harmless file. However, once this file is opened, it triggers a sequence of events that culminates in the activation of a hidden backdoor, operating silently in memory and evading detection by conventional antivirus solutions.

Analysts at LevelBlue identified this campaign while observing a notable increase in ValleyRAT detections through their Global Security Operations Center. Although the malware has been active since 2023, its prevalence surged sharply through 2025 and into 2026, nearly doubling its activity compared to the previous year. The report shared with Cyber Security News (CSN) highlights that this malicious email campaign specifically targets Chinese and Japanese-speaking users, although the potential risk extends globally, given the presence of many international companies in those regions.

ValleyRAT fake installer attack chain (Source – LevelBlue)

What sets this campaign apart is its use of a legitimate application as a disguise. Instead of building a loader from scratch, which might easily raise alarms, the attackers repurposed the genuine VLC executable and paired it with a malicious replacement for one of its supporting DLLs, so the harmful code runs inside a process that looks like a trusted program.

Hackers Use Legitimate VLC Executable and Malicious libvlc.dll

The infection process initiates when a victim clicks a link in the phishing email, leading to the download of a ZIP archive containing two files: an executable and a DLL. The executable is disguised with a Japanese filename relevant to the email’s subject, yet its internal file description and hash correspond to a legitimate VLC media player build. The accompanying file, named libvlc.dll, is a standard component that VLC relies on for its functionality.

ValleyRAT malicious email attack chain (Source – LevelBlue)

Because a legitimately signed VLC binary draws little suspicion, and because vlc.exe resolves libvlc.dll from its own directory rather than a fixed system path, running the renamed executable causes it to load the malicious DLL placed beside it, a technique known as DLL sideloading. This allows the harmful code to run under the guise of a recognized program.

Once the DLL is loaded, it copies both files to a designated directory and creates a registry entry to ensure the executable runs every time the victim logs in, thereby maintaining the infection even after a reboot. Subsequently, it discreetly connects to a remote server to retrieve the final ValleyRAT payload.

Evasion Tactics and Fileless Execution

ValleyRAT employs a range of evasion tactics to avoid detection in sandbox or analysis environments. Before executing any harmful actions, the malware performs checks on the available memory, counts processor cores, and measures the duration of a sleep command, as virtual environments often exhibit different behaviors than actual machines.

If any of these checks indicate that it is under observation, the malware halts its operations, making it significantly more challenging for defenders to analyze its true behavior. Additionally, the code is laden with meaningless junk functions designed to slow down reverse engineering efforts.

Perhaps most alarming is the delivery method of the final payload. The ValleyRAT component, encrypted with a basic RC4 cipher, is decrypted directly in memory and injected into a suspended system process, avoiding any storage on disk. This fileless approach ensures that no obvious malicious files remain for traditional antivirus scans to detect.

The decrypted sample contains code that establishes persistence for GFIRestart64.exe (Source – LevelBlue)

Researchers advise organizations to train employees to recognize warning signs, such as unusual Japanese language filenames on executables, mismatched file descriptions, and business emails originating from free webmail domains. Additionally, deploying endpoint detection tools capable of identifying DLL sideloading behavior and unusual process injection is recommended, as these techniques may be too intricate for standard employee training alone.
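One way to turn the sideloading, logon persistence and warning signs described above into detection logic, as an added example that is not LevelBlue's code: it triages Sysmon-style ImageLoad (Event ID 7) and registry value-set (Event ID 13) records, flagging libvlc.dll loaded from outside the VLC install directory, a process whose PE OriginalFileName is vlc.exe but whose on-disk name differs, non-ASCII executable names, and Run-key entries pointing into user-writable folders. The trusted install paths are an assumption (default VideoLAN locations) and all sample events are constructed.

```python
"""Triage of Sysmon-style events for the VLC sideloading pattern in this campaign.
Added example, not LevelBlue's code; field names follow Sysmon Event ID 7 (ImageLoad)
and Event ID 13 (RegistryEvent value set). All sample records below are constructed."""
from pathlib import PureWindowsPath

# Assumption: default VideoLAN install roots are the only expected homes for libvlc.dll
TRUSTED_VLC_DIRS = {r"c:\program files\videolan\vlc", r"c:\program files (x86)\videolan\vlc"}
VLC_SIDELOAD_DLLS = {"libvlc.dll", "libvlccore.dll"}
RUN_KEY_MARKER = "\\currentversion\\run\\"
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

def triage_image_load(ev: dict) -> list[str]:
    """Sysmon ID 7: reasons a libvlc load looks like sideloading (empty list = benign)."""
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if loaded.name.lower() not in VLC_SIDELOAD_DLLS:
        return []
    reasons, image = [], PureWindowsPath(ev["Image"])
    # libvlc.dll picked up from the executable's own folder instead of the VLC install dir
    if str(loaded.parent).lower() not in TRUSTED_VLC_DIRS:
        reasons.append(f"libvlc loaded from untrusted dir: {loaded.parent}")
    # PE metadata says vlc.exe but the on-disk name is something else (the renamed lure)
    if ev.get("OriginalFileName", "").lower() == "vlc.exe" and image.name.lower() != "vlc.exe":
        reasons.append(f"renamed VLC binary: {image.name}")
    # Non-ASCII executable name: the Japanese-filename warning sign from the report
    if not image.name.isascii():
        reasons.append("non-ASCII executable name")
    return reasons

def triage_registry_set(ev: dict) -> list[str]:
    """Sysmon ID 13: a logon Run-key value that points into a user-writable folder."""
    if RUN_KEY_MARKER not in ev["TargetObject"].lower():
        return []
    if any(m in ev.get("Details", "").lower() for m in USER_WRITABLE):
        return [f"logon persistence to user-writable path: {ev['Details']}"]
    return []

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> reasons, for every event that raised at least one."""
    handlers = {7: triage_image_load, 13: triage_registry_set}
    hits = {i: handlers[ev["EventID"]](ev) for i, ev in enumerate(events) if ev["EventID"] in handlers}
    return {i: r for i, r in hits.items() if r}

# Constructed samples: a legitimate VLC start, the renamed lure, and its Run-key write
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "OriginalFileName": "vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"EventID": 7, "Image": "C:\\Users\\taro\\Downloads\\人事異動通知.exe", "OriginalFileName": "vlc.exe",
     "ImageLoaded": r"C:\Users\taro\Downloads\libvlc.dll"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\vlc",
     "Details": r"C:\Users\taro\AppData\Roaming\Updater\人事異動通知.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` flags events 1 and 2 and leaves the genuine VLC start alone; the same OriginalFileName check applies unchanged to Sysmon process-creation (Event ID 1) records.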

For organizations already impacted by this campaign, isolating the compromised system from the network and reviewing security logs to ascertain the actions taken by the attacker are critical initial steps. In more severe cases, a complete operating system reinstallation may be the safest course of action.

Indicators of Compromise

Type    Indicator                                   Description
SHA1    e8be03f19ada1f5cec74b143e21d4939e781671d    Malicious email
Domain  frehf.oss-cn-hongkong.aliyuncs[.]com        Domain part of the URL in the malicious email
SHA1    65168c8dd93b16d3b77092fb70c0fa6fba4dffcc    ZIP archive (fake VLC executable)
URL     http://154.92.16[.]22/xz.bin                ValleyRAT download URL
SHA1    eca7ed7b699835fadc2c2997a2845864e02b8dfe    ValleyRAT sample encrypted by RC4

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

