A sophisticated malware campaign traditionally focused on Chinese-speaking targets has expanded its scope, now aggressively targeting English-speaking job seekers and human resources professionals. A new report from Trend Micro reveals that the ValleyRAT campaign is using weaponized versions of the popular Foxit PDF Reader to infiltrate systems, leveraging the emotional urgency of the job market to bypass defenses.
The attack begins with a classic spear-phishing email containing a malicious archive. These archives often bear enticing names like Overview_of_Work_Expectations.zip or Authentic_Job_Application_Form.zip to lure victims into opening them.
Inside, instead of a standard document, users find a file named Compensation_Benefits_Commission.exe. Crucially, this file masquerades as a legitimate PDF. “This executable also uses the Foxit logo as its icon to look more convincing,” the report explains. “Upon seeing the Foxit logo, most users would assume that the file is in the popular PDF (.pdf) format and might not notice that it is actually an executable (.exe).”

The malware’s entry method relies on a technique called DLL side-loading. The malicious executable is actually a renamed version of the legitimate FoxitPDFReader.exe.
When a victim launches the file, the legitimate Foxit binary attempts to load the system libraries it depends on. However, the attackers have placed a malicious DLL named msimg32.dll in the same folder. Because the Windows DLL search order checks the application's own directory before the system directories, the legitimate Foxit Reader loads the attacker's DLL instead of the genuine system library.
“The archive file from the email lure contains a renamed version of FoxitPDFReader.exe, designed to make the attack more stealthy and provide a controlled way to load malicious code.”
Once executed, ValleyRAT establishes a foothold on the victim's machine. ValleyRAT is a Remote Access Trojan (RAT) with extensive capabilities: it can monitor user activity, steal sensitive data, and potentially download additional plugins to further compromise the network.
The campaign’s sophistication is evident in its evasion tactics. “The campaign […] demonstrates a layered application of tried-and-tested techniques: social-engineering lures targeting job seekers, obfuscation through deeply nested directory paths, and execution via DLL sideloading.”
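The three staging traits described above (document-named executables, a system DLL name sitting beside the renamed Foxit binary, and payloads buried in deeply nested directories) are all visible in the extracted archive before anything runs. The following Python script is an added triage example, not code from Trend Micro or from the report: it walks a directory and flags each trait, and generalises the icon trick by also flagging any file whose bytes carry a PE header but whose extension is not an executable one. The keyword list, the system DLL set, the depth threshold and the sample archive layout are constructed for illustration.

```python
"""Triage an extracted lure archive for DLL side-loading staging.

Added example, not code from the Trend Micro report. It flags:
  - executables whose names read like HR documents
    (e.g. Compensation_Benefits_Commission.exe),
  - a DLL whose name collides with a Windows system DLL placed beside
    an EXE (msimg32.dll next to the renamed FoxitPDFReader.exe),
  - executables buried deeper than a chosen directory depth,
  - files that start with the PE 'MZ' header but do not carry an
    executable extension (the icon/extension masquerade, generalised).
The lists and the threshold below are constructed assumptions.
"""
import os
import tempfile

# Constructed: system DLL names that have no business shipping beside an
# application EXE inside a job-application archive. Extend from your own
# System32 inventory.
SYSTEM_DLL_NAMES = {"msimg32.dll", "kernel32.dll", "user32.dll", "gdi32.dll"}

# Constructed: words that make an .exe look like an HR document.
DOCUMENT_KEYWORDS = ("compensation", "benefits", "application", "form",
                     "overview", "expectations", "resume", "cv", "offer")

# Constructed threshold: executables deeper than this, relative to the
# archive root, match the "deeply nested directory paths" evasion.
MAX_EXPECTED_DEPTH = 3

EXECUTABLE_EXTENSIONS = {".exe", ".dll"}


def is_pe_image(path):
    """True if the file begins with the 'MZ' DOS header every PE image carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_directory(root):
    """Return (finding_kind, path_relative_to_root) tuples for suspicious files."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        lowered = {name.lower() for name in filenames}
        exe_present = any(name.endswith(".exe") for name in lowered)
        rel_dir = os.path.relpath(dirpath, root)
        depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel_path = os.path.relpath(path, root)
            stem, ext = os.path.splitext(name.lower())
            if ext == ".exe" and any(word in stem for word in DOCUMENT_KEYWORDS):
                findings.append(("document_named_executable", rel_path))
            if ext == ".dll" and name.lower() in SYSTEM_DLL_NAMES and exe_present:
                findings.append(("system_dll_beside_executable", rel_path))
            if ext not in EXECUTABLE_EXTENSIONS and is_pe_image(path):
                findings.append(("pe_with_document_extension", rel_path))
            if ext in EXECUTABLE_EXTENSIONS and depth > MAX_EXPECTED_DEPTH:
                findings.append(("deeply_nested_payload", rel_path))
    return findings


def build_sample_archive(root):
    """Lay out a constructed replica of the lure: nested dirs, renamed EXE, DLL."""
    nested = os.path.join(root, "HR", "2024", "Forms", "Final", "Attachments")
    os.makedirs(nested)
    # A 64-byte stub with the MZ magic is enough for the header check;
    # these are placeholders, not real binaries.
    pe_stub = b"MZ" + b"\x00" * 62
    with open(os.path.join(nested, "Compensation_Benefits_Commission.exe"), "wb") as fh:
        fh.write(pe_stub)
    with open(os.path.join(nested, "msimg32.dll"), "wb") as fh:
        fh.write(pe_stub)
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Please review the attached form.\n")


def demo():
    """Build the sample archive in a temp dir, scan it, and return sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_archive(root)
        return sorted(scan_directory(root))


if __name__ == "__main__":
    for kind, rel_path in demo():
        print(f"{kind:32} {rel_path}")
```

Run against a real extracted archive with `scan_directory("/path/to/extracted")`; the sample layout produces two nesting findings (one per executable), one document-named executable and one system-DLL-beside-EXE finding, while the harmless README.txt is not reported.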
While ValleyRAT has historically targeted Chinese speakers, this campaign marks a notable shift. The use of English-language filenames and job-related lures suggests a broader, more opportunistic targeting strategy.