Cybercriminals have ingeniously devised a method to bypass security measures by embedding malware within a widely trusted application. Recent research has revealed a campaign that exploits the popular VLC media player to stealthily install ValleyRAT, a remote access trojan that grants attackers complete control over compromised systems.
The attack begins with an innocuous email, often concerning personnel changes or salary updates, which includes a link to download a seemingly harmless file. However, once this file is opened, it initiates a sequence of events that culminates in a concealed backdoor operating silently in memory, evading detection by many conventional antivirus solutions.
Analysts at LevelBlue identified this campaign while monitoring a notable increase in ValleyRAT detections through their Global Security Operations Center. Although the malware has been active since 2023, its prevalence surged dramatically through 2025 and into 2026, nearly doubling in comparison to the previous year. The report shared with Cyber Security News (CSN) indicates that this malicious email campaign primarily targets Chinese and Japanese-speaking users, although the threat extends globally due to the presence of numerous international companies in these regions.
What sets this campaign apart is its clever use of a legitimate application as a disguise. Instead of creating malware from scratch that could easily be flagged by antivirus software, the attackers repurpose the trusted VLC executable, combining it with a corrupted version of one of its supporting files to evade defenses undetected.
Hackers Use Legitimate VLC Executable and Malicious libvlc.dll
The infection process commences when a victim clicks a link in the phishing email, leading to the download of a ZIP archive containing two files: an executable and a DLL. The executable is camouflaged with a Japanese filename relevant to the email’s subject, yet its internal file description and hash correspond to a legitimate VLC media player build. The accompanying file, named libvlc.dll, is a component that VLC typically requires to operate.
Since Windows inherently trusts signed applications like VLC, executing the fake executable prompts it to automatically load the malicious DLL, a technique known as DLL sideloading. This allows the harmful code to execute under the guise of a recognized, legitimate program name.
Once the DLL is loaded, it copies both files to a designated directory and creates a registry entry, ensuring the executable restarts each time the victim logs in, thereby maintaining the infection even after a reboot. Subsequently, it discreetly connects to a remote server to retrieve the final ValleyRAT payload.
Evasion Tactics and Fileless Execution
ValleyRAT employs sophisticated delivery mechanisms designed to evade detection in sandbox or analysis environments. Before executing any harmful actions, the malware assesses available memory, counts processor cores, and measures the duration of sleep commands, as virtual testing environments often behave differently from actual machines.
If any of these evaluations indicate that it is under scrutiny, the malware halts its operations, complicating efforts for defenders to observe its genuine behavior. Additionally, the code is laden with superfluous junk functions, aimed solely at hindering reverse engineering attempts.
Perhaps most alarming is the method by which the final payload is delivered. The ValleyRAT component, encrypted with a straightforward RC4 cipher, is decrypted directly in memory and injected into a suspended system process, avoiding any storage on disk. This fileless approach ensures that no obvious malicious files remain for traditional antivirus scans to detect.
Researchers recommend that organizations educate employees to recognize warning signs such as unusual Japanese language filenames on executables, discrepancies in file descriptions, and business emails originating from free webmail domains. Implementing endpoint detection tools capable of identifying DLL sideloading behavior and atypical process injection is also advisable, as these techniques may be too intricate for standard employee training.
For organizations already impacted, isolating the compromised system from the network and scrutinizing security logs to ascertain the actions taken by the attacker are crucial initial steps. In more severe instances, a complete operating system reinstallation may be the safest course of action.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| SHA1 | e8be03f19ada1f5cec74b143e21d4939e781671d | Malicious email |
| Domain | frehf.oss-cn-hongkong.aliyuncs[.]com | Domain part of the URL in the malicious email |
| SHA1 | 65168c8dd93b16d3b77092fb70c0fa6fba4dffcc | ZIP archive (fake VLC executable) |
| URL | http://154.92.16.22/xz.bin | ValleyRAT download URL |
| SHA1 | eca7ed7b699835fadc2c2997a2845864e02b8dfe | ValleyRAT sample encrypted by RC4 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.