ValleyRAT fake installer attack chain | Image: LevelBlue
| At a glance | Details |
|---|---|
| Malware family | ValleyRAT (Remote Access Trojan) |
| Threat actor | Often linked to SilverFox; attribution disputed and unconfirmed |
| Targets | Japanese and Chinese-speaking users, including overseas corporate branches |
| Delivery vector | Malicious emails and fake installers |
| Key capabilities | DLL sideloading, fileless injection, anti-analysis checks |
| Source | LevelBlue SpiderLabs / GSOC |
TL;DR
Researchers at LevelBlue tracked a new email campaign that spreads the ValleyRAT malware to Japanese and Chinese speakers. The attack hides behind a legitimate VLC media player file and runs the final payload only in memory. Detections nearly doubled year over year, so the threat is growing fast.
Delivery
The campaign starts with a lure email, not a broad spam blast. One sample used Traditional Chinese and referenced personnel transfers and salary changes. According to LevelBlue’s ValleyRAT analysis, the message links to a ZIP archive rather than an attachment. That archive holds a signed EXE and a malicious DLL.
The team also found a matching Japanese-language email on the same domain. Because both lures share infrastructure, LevelBlue suspects a single actor behind them. Still, the researchers stop short of a firm conclusion. As they note, a shared domain alone cannot prove common authorship.
Infection Chain
The trick relies on DLL sideloading. The EXE is a real VLC media player binary, yet it loads a rogue “libvlc.dll” placed beside it. Windows trusts the signed executable, so the malicious library runs quietly.
Next, the DLL copies both files into a fixed folder and adds a registry Run key for persistence. Then it fetches the ValleyRAT payload from an attacker server. The download address sits inside the code as a Base64 string, and the payload arrives RC4-encrypted.
Anti-Analysis Checks
ValleyRAT will not run inside a sandbox. First, the loader inspects memory size, processor count, and sleep timing. It also checks a native VHD boot flag and packs the code with useless junk routines. If any test fails, the malware simply stops.
Command-and-Control and Execution
The payload never touches disk. Instead, the loader spawns a suspended system process and injects the decrypted code straight into memory. This fileless design leaves few forensic traces. LevelBlue also confirmed the payload was built with Donut, a tool that produces position-independent shellcode.
Once active, ValleyRAT gives operators remote control of the host. The recovered sample reused a persistence routine tied to a known filename. That same behavior appeared in earlier ValleyRAT samples documented by Morphisec, which supports the family identification.
Who Is Behind It
Many reports link ValleyRAT to the SilverFox group. However, that attribution stays disputed. LevelBlue and other researchers argue that the tool alone cannot tie every campaign to one actor. The toolsets differ too much across attacks. For now, treat the operator as suspected, not confirmed.
Detection and Defense
LevelBlue built detection logic around module names pulled from leaked ValleyRAT source code. To cut false positives, the query also requires the module to load as a floating module.
Defenders can take practical steps today. Block or inspect ZIP links delivered by email, especially those citing HR or payroll topics. Watch for a signed VLC binary running from unusual folders, since that pattern signals DLL sideloading. Additionally, monitor new Run registry keys and injection into freshly spawned system processes. Finally, treat overseas branches as priority targets, because attackers use them to reach larger networks.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.