Hackers Use Fake VLC Executable and Malicious libvlc.dll to Deploy ValleyRAT

Cybercriminals have ingeniously devised a method to bypass security measures by embedding malware within a widely trusted application. Recent research has revealed a campaign that exploits the popular VLC media player to stealthily install ValleyRAT, a remote access trojan that grants attackers complete control over compromised systems.

The attack begins with an innocuous email, often concerning personnel changes or salary updates, which includes a link to download a seemingly harmless file. However, once this file is opened, it initiates a sequence of events that culminates in a concealed backdoor operating silently in memory, evading detection by many conventional antivirus solutions.

Analysts at LevelBlue identified this campaign while monitoring a notable increase in ValleyRAT detections through their Global Security Operations Center. Although the malware has been active since 2023, its prevalence surged dramatically through 2025 and into 2026, nearly doubling in comparison to the previous year. The report shared with Cyber Security News (CSN) indicates that this malicious email campaign primarily targets Chinese and Japanese-speaking users, although the threat extends globally due to the presence of numerous international companies in these regions.

ValleyRAT fake installer attack chain (Source – LevelBlue)

What sets this campaign apart is its clever use of a legitimate application as a disguise. Instead of creating malware from scratch that could easily be flagged by antivirus software, the attackers repurpose the trusted VLC executable, combining it with a corrupted version of one of its supporting files to evade defenses undetected.

Hackers Use Legitimate VLC Executable and Malicious libvlc.dll

The infection process commences when a victim clicks a link in the phishing email, leading to the download of a ZIP archive containing two files: an executable and a DLL. The executable is camouflaged with a Japanese filename relevant to the email’s subject, yet its internal file description and hash correspond to a legitimate VLC media player build. The accompanying file, named libvlc.dll, is a component that VLC typically requires to operate.

ValleyRAT malicious email attack chain (Source – LevelBlue)

Since Windows inherently trusts signed applications like VLC, executing the fake executable prompts it to automatically load the malicious DLL, a technique known as DLL sideloading. This allows the harmful code to execute under the guise of a recognized, legitimate program name.

Once the DLL is loaded, it copies both files to a designated directory and creates a registry entry, ensuring the executable restarts each time the victim logs in, thereby maintaining the infection even after a reboot. Subsequently, it discreetly connects to a remote server to retrieve the final ValleyRAT payload.

Evasion Tactics and Fileless Execution

ValleyRAT employs sophisticated delivery mechanisms designed to evade detection in sandbox or analysis environments. Before executing any harmful actions, the malware assesses available memory, counts processor cores, and measures the duration of sleep commands, as virtual testing environments often behave differently from actual machines.

If any of these evaluations indicate that it is under scrutiny, the malware halts its operations, complicating efforts for defenders to observe its genuine behavior. Additionally, the code is laden with superfluous junk functions, aimed solely at hindering reverse engineering attempts.

Perhaps most alarming is the method by which the final payload is delivered. The ValleyRAT component, encrypted with a straightforward RC4 cipher, is decrypted directly in memory and injected into a suspended system process, avoiding any storage on disk. This fileless approach ensures that no obvious malicious files remain for traditional antivirus scans to detect.

The decrypted sample contains code that establishes persistence for GFIRestart64.exe (Source – LevelBlue)

Researchers recommend that organizations educate employees to recognize warning signs such as unusual Japanese language filenames on executables, discrepancies in file descriptions, and business emails originating from free webmail domains. Implementing endpoint detection tools capable of identifying DLL sideloading behavior and atypical process injection is also advisable, as these techniques may be too intricate for standard employee training.

For organizations already impacted, isolating the compromised system from the network and scrutinizing security logs to ascertain the actions taken by the attacker are crucial initial steps. In more severe instances, a complete operating system reinstallation may be the safest course of action.

Indicators of Compromise

Type Indicator Description
SHA1 e8be03f19ada1f5cec74b143e21d4939e781671d Malicious email
Domain frehf.oss-cn-hongkong.aliyuncs[.]com Domain part of the URL in the malicious email
SHA1 65168c8dd93b16d3b77092fb70c0fa6fba4dffcc ZIP archive (fake VLC executable)
URL http://154.92.16.22/xz.bin ValleyRAT download URL
SHA1 eca7ed7b699835fadc2c2997a2845864e02b8dfe ValleyRAT sample encrypted by RC4

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

Tech Optimizer