Threat Advisory

ValleyRAT Malware Campaign Expanded over Phishing Notifications and Executable Files

Threat: Malware Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A malware campaign has been observed distributing the ValleyRAT remote access trojan (RAT) through two primary infection vectors: fraudulent software installers and malicious email messages. The campaign relies heavily on social engineering techniques, tricking victims into executing seemingly legitimate files that ultimately deploy the malware. While the lures primarily target Chinese- and Japanese-speaking users, organizations with international operations remain at risk because attackers frequently exploit regional offices and trusted business communications to gain initial access.[/subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A malware campaign has been observed distributing the ValleyRAT remote access trojan (RAT) through two primary infection vectors: fraudulent software installers and malicious email messages. The campaign relies heavily on social engineering techniques, tricking victims into executing seemingly legitimate files that ultimately deploy the malware. While the lures primarily target Chinese- and Japanese-speaking users, organizations with international operations remain at risk because attackers frequently exploit regional offices and trusted business communications to gain initial access.[emaillocker id="1283"]

The attack chain begins when victims download a fake installer or access a ZIP archive delivered through a malicious email link. The archive contains a legitimate executable paired with a malicious DLL, enabling DLL sideloading to initiate the infection process. The malicious DLL establishes persistence by copying files to system directories, downloading the ValleyRAT payload, and executing it directly in memory using fileless techniques. The malware incorporates multiple defense-evasion mechanisms, including code obfuscation, memory size validation, sleep timing verification, process count checks, and environment detection to avoid execution within analysis sandboxes. Once active, ValleyRAT enables remote system control, maintains persistence through registry modifications, and leverages encrypted payloads and in-memory execution to reduce detection by conventional security solutions.

The ValleyRAT campaign demonstrates a combination of social engineering, stealthy malware delivery, and advanced evasion capabilities that complicate detection and incident response. Organizations should strengthen email security controls, restrict the execution of untrusted archives and executables, deploy endpoint detection and response (EDR) solutions capable of identifying DLL sideloading and memory-resident threats, and provide regular user awareness training to reduce the likelihood of successful compromise. Continuous monitoring and proactive threat hunting remain essential for identifying and containing ValleyRAT-related activity before attackers can establish long-term access.

 

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial Access T1566.002 Phishing Spearphishing Link
T1566.001 Spearphishing Attachment
T1189 Drive-by Compromise -
Execution T1204.002 User Execution Malicious File
T1059.001 Command and Scripting Interpreter PowerShell
T1106 Native API -
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Stealth T1027.002 Obfuscated Files or Information Software Packing
T1036.005 Masquerading Match Legitimate Resource Name or Location
T1055.012 Process Injection Process Hollowing
T1497.003 Virtualization/Sandbox Evasion Time Based Checks
T1497.001 System Checks
T1027.004 Obfuscated Files or Information Compile After Delivery
T1622 Debugger Evasion -
Command and Control T1071.001 Application Layer Protocol Web Protocols
T1105 Ingress Tool Transfer -
Impact T1565.001 Data Manipulation Stored Data Manipulation

 

MBC MAPPING:

Objective Behaviour ID Behaviour
Anti-Behavioral Analysis B0001 Debugger Detection
Anti-Static Analysis B0032 Executable Code Obfuscation
Collection E1113 Screen Capture
F0002 Keylogging
E1056 Input Capture
Command and Control B0030 C2 Communication
Defense Evasion B0027 Alternative Installation Location
E1055 Process Injection
F0005 Hidden Files and Directories
F0015 Hijack Execution Flow
Discovery E1082 System Information Discovery
Execution E1059 Command and Scripting Interpreter
Persistence F0012 Registry Run Keys / Startup Folder

 

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/hackers-use-fake-vlc-executable/

https://www.levelblue.com/blogs/spiderlabs-blog/an-analysis-of-valleyrat-infection-campaigns-from-fake-installers-japanese-malicious-emails

[/emaillocker]
crossmenu