EXECUTIVE SUMMARY:
A malware campaign has been observed distributing the ValleyRAT remote access trojan (RAT) through two primary infection vectors: fraudulent software installers and malicious email messages. The campaign relies heavily on social engineering techniques, tricking victims into executing seemingly legitimate files that ultimately deploy the malware. While the lures primarily target Chinese- and Japanese-speaking users, organizations with international operations remain at risk because attackers frequently exploit regional offices and trusted business communications to gain initial access.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A malware campaign has been observed distributing the ValleyRAT remote access trojan (RAT) through two primary infection vectors: fraudulent software installers and malicious email messages. The campaign relies heavily on social engineering techniques, tricking victims into executing seemingly legitimate files that ultimately deploy the malware. While the lures primarily target Chinese- and Japanese-speaking users, organizations with international operations remain at risk because attackers frequently exploit regional offices and trusted business communications to gain initial access.[emaillocker id="1283"]
The attack chain begins when victims download a fake installer or access a ZIP archive delivered through a malicious email link. The archive contains a legitimate executable paired with a malicious DLL, enabling DLL sideloading to initiate the infection process. The malicious DLL establishes persistence by copying files to system directories, downloading the ValleyRAT payload, and executing it directly in memory using fileless techniques. The malware incorporates multiple defense-evasion mechanisms, including code obfuscation, memory size validation, sleep timing verification, process count checks, and environment detection to avoid execution within analysis sandboxes. Once active, ValleyRAT enables remote system control, maintains persistence through registry modifications, and leverages encrypted payloads and in-memory execution to reduce detection by conventional security solutions.
The ValleyRAT campaign demonstrates a combination of social engineering, stealthy malware delivery, and advanced evasion capabilities that complicate detection and incident response. Organizations should strengthen email security controls, restrict the execution of untrusted archives and executables, deploy endpoint detection and response (EDR) solutions capable of identifying DLL sideloading and memory-resident threats, and provide regular user awareness training to reduce the likelihood of successful compromise. Continuous monitoring and proactive threat hunting remain essential for identifying and containing ValleyRAT-related activity before attackers can establish long-term access.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| T1566.001 | Spearphishing Attachment | ||
| T1189 | Drive-by Compromise | - | |
| Execution | T1204.002 | User Execution | Malicious File |
| T1059.001 | Command and Scripting Interpreter | PowerShell | |
| T1106 | Native API | - | |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Stealth | T1027.002 | Obfuscated Files or Information | Software Packing |
| T1036.005 | Masquerading | Match Legitimate Resource Name or Location | |
| T1055.012 | Process Injection | Process Hollowing | |
| T1497.003 | Virtualization/Sandbox Evasion | Time Based Checks | |
| T1497.001 | System Checks | ||
| T1027.004 | Obfuscated Files or Information | Compile After Delivery | |
| T1622 | Debugger Evasion | - | |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| T1105 | Ingress Tool Transfer | - | |
| Impact | T1565.001 | Data Manipulation | Stored Data Manipulation |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1113 | Screen Capture |
| F0002 | Keylogging | |
| E1056 | Input Capture | |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | B0027 | Alternative Installation Location |
| E1055 | Process Injection | |
| F0005 | Hidden Files and Directories | |
| F0015 | Hijack Execution Flow | |
| Discovery | E1082 | System Information Discovery |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-use-fake-vlc-executable/
https://www.levelblue.com/blogs/spiderlabs-blog/an-analysis-of-valleyrat-infection-campaigns-from-fake-installers-japanese-malicious-emails