Hackers News
Threats

ValleyRAT Malware Uses Malicious VLC DLL to Attack Systems

Sarah Simpson
July 2, 2026

Key Takeaways

  • A recent campaign leverages the trusted VLC media player to deploy ValleyRAT, a sophisticated remote access trojan.
  • Attackers use DLL sideloading by pairing a legitimate VLC executable with a malicious libvlc.dll to bypass traditional security measures.
  • The malware employs advanced evasion tactics, including environmental checks and fileless execution, making detection challenging.
  • ValleyRAT activity has seen a significant increase since 2023, accelerating through 2025 and 2026.
  • Initial targets include Chinese and Japanese-speaking users via phishing emails disguised as HR communications.

Cybersecurity researchers have uncovered a new, highly deceptive campaign that abuses the widely used VLC media player to distribute ValleyRAT, a potent remote access trojan (RAT). No flaw in VLC is involved: the attackers rely on the trust users and security tools place in a legitimate, signed application to get their own code running, after which they have remote control of the compromised system.


The campaign initiates with targeted phishing emails, often themed around sensitive topics such as personnel changes or salary adjustments. These messages contain links that, when clicked, lead to the download of a malicious archive. This archive ultimately facilitates the installation of ValleyRAT, enabling attackers to operate covertly within infected environments, often bypassing conventional antivirus defenses.

Analysts at LevelBlue first identified this surge in ValleyRAT activity from their Global Security Operations Center. While the malware has been active since 2023, its prevalence has nearly doubled between 2025 and 2026. According to LevelBlue's report, the email-based component of this campaign primarily targets users in Chinese- and Japanese-speaking regions, though the global footprint of many organizations suggests a broader risk.

Exploiting Trust: Legitimate VLC and Malicious DLLs

The ingenuity of this attack lies in its use of a trusted application as the carrier. Instead of relying on easily flagged custom malware, the threat actors bundle a genuine VLC media player executable with a malicious replacement for one of the libraries it needs at start-up. Because the process that starts is a known, legitimately built VLC binary, the malicious code is far less likely to be flagged on sight by security software.

The infection chain begins when a victim opens a ZIP archive downloaded from the phishing email. This archive contains two files: an executable and a Dynamic Link Library (DLL). The executable is cleverly named to align with the phishing email's subject, often using Japanese characters, yet its internal metadata and hash confirm it as a legitimate VLC media player build. The accompanying file is named libvlc.dll, the name of a core library that VLC must load to run, but here it is the attackers' own DLL wearing that name.

Upon execution, the legitimate VLC application loads the malicious libvlc.dll. This technique, known as DLL sideloading, abuses Windows' library search order: an application resolves a DLL it needs by name, and the copy sitting next to the executable wins, so a genuinely signed VLC binary ends up running attacker code inside its own process. The malicious code then executes under the guise of a recognized and trusted program. After initial execution, the malicious DLL copies both the legitimate VLC executable and itself to a persistent directory and establishes a registry entry so that the pair launches automatically after a reboot.

Following this, the malware establishes communication with a remote server to retrieve the final ValleyRAT payload. For a detailed technical breakdown of this process, refer to the analysis by LevelBlue.
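The sideload described above leaves a telemetry signature even though the process itself is a real VLC build: a VLC binary (often renamed after the lure) loading libvlc.dll from a user-writable folder such as Downloads or AppData rather than from its install directory. The following is an added example of that check over Sysmon image-load events (Event ID 7); it is not code from LevelBlue or from the article. The records are constructed inline, one event per line flattened to "Field: value" pairs separated by " | "; field names follow Sysmon's schema (Image, OriginalFileName, ImageLoaded, Signed), while every path, filename and the trusted-directory list are assumptions to adjust for your own fleet.

```python
"""Hunt for VLC DLL sideloading in Sysmon image-load (Event ID 7) telemetry.

Added example, not LevelBlue's or the article's code. SAMPLE_EVENTS is constructed
test data, not real telemetry; TRUSTED_DIRS is an assumption about where a normally
installed VLC lives.
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: a standard VLC install; libvlc.dll loaded from anywhere else is suspect.
TRUSTED_DIRS = (
    "c:\\program files\\videolan\\vlc\\",
    "c:\\program files (x86)\\videolan\\vlc\\",
)


@dataclass
class Alert:
    image: str    # the process that loaded the DLL
    loaded: str   # the DLL path that was loaded
    reason: str


def parse_record(line: str) -> dict:
    """Split one flattened event into a field dict. partition() on the first colon
    keeps Windows drive letters inside values intact."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_image_load(rec: dict) -> Optional[Alert]:
    """Return an Alert when the load matches the campaign's sideload pattern, else None."""
    image = rec.get("Image", "").lower()
    loaded = rec.get("ImageLoaded", "").lower()
    if not loaded.endswith("\\libvlc.dll"):
        return None  # only the library the campaign replaces is of interest here

    # A VLC binary renamed after the lure still reports OriginalFileName=vlc.exe
    # (Sysmon records the PE's original name), so the rename itself is a signal.
    renamed = (rec.get("OriginalFileName", "").lower() == "vlc.exe"
               and not image.endswith("\\vlc.exe"))

    if not loaded.startswith(TRUSTED_DIRS):
        who = "renamed VLC binary" if renamed else "VLC binary"
        return Alert(image, loaded,
                     f"{who} loaded libvlc.dll from outside the VLC install directory")

    # Assumption: a genuine libvlc.dll in the install directory is Authenticode-signed,
    # so an unsigned one there means the real library was replaced in place.
    if rec.get("Signed", "").lower() != "true":
        return Alert(image, loaded, "unsigned libvlc.dll in the VLC install directory")
    return None


def detect(lines) -> list:
    """Run the check over flattened Sysmon lines and collect the alerts."""
    return [a for a in (check_image_load(parse_record(line)) for line in lines) if a]


# Constructed sample events (made up for this example).
SAMPLE_EVENTS = [
    # 1. Normal VLC loading its own library: no alert.
    "Image: C:\\Program Files\\VideoLAN\\VLC\\vlc.exe | OriginalFileName: vlc.exe"
    " | ImageLoaded: C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll | Signed: true",
    # 2. The campaign pattern: lure-named VLC build in Downloads loading a local libvlc.dll.
    "Image: C:\\Users\\taro\\Downloads\\給与改定通知.exe | OriginalFileName: vlc.exe"
    " | ImageLoaded: C:\\Users\\taro\\Downloads\\libvlc.dll | Signed: false",
    # 3. The persisted copy: vlc.exe + libvlc.dll dropped under AppData.
    "Image: C:\\Users\\taro\\AppData\\Roaming\\vlc\\vlc.exe | OriginalFileName: vlc.exe"
    " | ImageLoaded: C:\\Users\\taro\\AppData\\Roaming\\vlc\\libvlc.dll | Signed: false",
    # 4. Unrelated system DLL: ignored.
    "Image: C:\\Program Files\\VideoLAN\\VLC\\vlc.exe | OriginalFileName: vlc.exe"
    " | ImageLoaded: C:\\Windows\\System32\\kernel32.dll | Signed: true",
    # 5. In-place replacement of the real library.
    "Image: C:\\Program Files\\VideoLAN\\VLC\\vlc.exe | OriginalFileName: vlc.exe"
    " | ImageLoaded: C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll | Signed: false",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.reason}: {alert.image} -> {alert.loaded}")
```

The path check is deliberately ahead of the signature check: the campaign never needs to tamper with the install directory, so "libvlc.dll from a user-writable folder" is the high-value rule, and the signature rule only covers the rarer in-place replacement. Tuning TRUSTED_DIRS to portable-VLC locations your organization actually uses is the main false-positive control.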

Sophisticated Evasion Tactics and Fileless Execution

ValleyRAT incorporates several evasion techniques designed to defeat security sandboxes and analysis environments. Before executing its core functions, the malware checks the amount of system memory, the processor core count, and whether sleep calls actually take as long as requested. These checks work because analysis VMs are commonly provisioned with little RAM and few cores and often accelerate sleeps to speed up detonation, all of which differ from a genuine user machine.

If these environmental checks indicate the presence of a monitoring system, the malware ceases its activity, effectively masking its true capabilities from researchers. Furthermore, the code is deliberately bloated with junk code that is never meaningfully executed, a tactic intended to complicate and slow down reverse engineering.

Perhaps the most concerning aspect of ValleyRAT's delivery is its fileless execution. The final payload is retrieved in RC4-encrypted form and decrypted directly into memory; rather than being written to disk, it is injected into a suspended system process. RC4 here is obfuscation rather than real protection, since the loader must carry the key to decrypt the blob, but it keeps the decrypted RAT out of static scans entirely. The only malicious artifact that touches disk is the sideloaded libvlc.dll, so signature-based antivirus that never sees the decrypted payload has little to match on; catching this stage depends on memory and behavioral detection, such as flagging a process created suspended and later resumed with injected code.
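For an analyst holding the RC4-encrypted blob from the IOC list, the practical question is how to confirm a candidate key and recover the payload for analysis without ever executing the loader. The block below is an added example, not LevelBlue's tooling: it implements RC4 (the same routine decrypts and encrypts), builds a constructed stand-in payload with a valid MZ/PE header, encrypts it under an assumed key, and then shows the usual key-confirmation test, namely that a correct key turns the blob back into something with an MZ header and a PE signature at e_lfanew. The key, the candidate list and the payload bytes are all made up; in a real case the key is recovered from the loader DLL.

```python
"""RC4 decryption of a recovered payload blob and a PE-header sanity check.

Added example, not code from LevelBlue or the article. SAMPLE_KEY, SAMPLE_PAYLOAD
and the candidate keys are constructed for illustration; the real campaign's key
and payload are not given in the article.
"""
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ DOS header and a 'PE\\0\\0' signature at e_lfanew
    (the 32-bit little-endian offset stored at 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(blob: bytes, candidates: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Try each candidate key; return (key, plaintext) for the first one that
    yields a PE image, or None. A wrong RC4 key produces pseudo-random bytes,
    so the header check is a reliable way to confirm the right one."""
    for key in candidates:
        plaintext = rc4(key, blob)
        if looks_like_pe(plaintext):
            return key, plaintext
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload: minimal DOS stub, e_lfanew=0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)    # 0x3C bytes of DOS header/stub
    hdr += (0x40).to_bytes(4, "little")        # e_lfanew -> PE header at 0x40
    hdr += b"PE\0\0" + b"\x4c\x01"             # PE signature, Machine = i386
    hdr += b"\xcc" * 64                        # filler standing in for the rest of the image
    return bytes(hdr)


SAMPLE_KEY = b"v1c-s1del0ad"                    # assumed key, not the campaign's
SAMPLE_PAYLOAD = build_fake_pe()
ENCRYPTED_BLOB = rc4(SAMPLE_KEY, SAMPLE_PAYLOAD)  # what the loader would fetch

if __name__ == "__main__":
    hit = recover_payload(ENCRYPTED_BLOB, [b"wrong", b"2026", SAMPLE_KEY])
    if hit:
        key, pe = hit
        print(f"key {key!r} yields a PE image of {len(pe)} bytes; write it out for static analysis")
    else:
        print("no candidate key produced a PE image")
```

Because RC4 provides no integrity, a wrong key fails silently with garbage rather than an error, which is why the header test (rather than the absence of an exception) decides whether a key is right. Once recovered, the decrypted image can be saved and examined with ordinary PE tooling, which is exactly the static view the fileless delivery is designed to deny defenders on the endpoint.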

What You Should Do

  • Employee Training: Educate staff on identifying phishing emails, especially those with unusual file names, mismatched file descriptions, or business-related emails originating from free webmail domains.
  • Endpoint Detection and Response (EDR): Implement and configure EDR solutions capable of detecting DLL sideloading and unusual process injection. For this campaign that means a VLC-derived process loading libvlc.dll from a user-writable directory, and a system process started suspended and then written to from another process. These behavioral detections are what catch stealthy, fileless malware that signature scanning misses.
  • Network Monitoring: Monitor network traffic for suspicious outbound connections from internal systems, particularly those to unusual IP addresses or domains.
  • Email Security: Deploy robust email security gateways that can identify and block malicious attachments and phishing attempts, especially those containing ZIP archives with executables and DLLs.
  • System Isolation: If a system is suspected of being compromised, immediately isolate it from the network to prevent further spread of the malware.
  • Incident Response: Conduct a thorough forensic analysis of any compromised systems to understand the attacker’s actions and potential data exfiltration. In severe cases, a complete operating system reinstallation may be necessary to ensure complete remediation.
  • Regular Backups: Maintain regular, secure backups of critical data to facilitate recovery in the event of a successful attack.

Indicators of Compromise

Type    Indicator                                   Description
SHA1    e8be03f19ada1f5cec74b143e21d4939e781671d    Malicious email
Domain  frehf.oss-cn-hongkong.aliyuncs[.]com        Domain in the link carried by the malicious email
SHA1    65168c8dd93b16d3b77092fb70c0fa6fba4dffcc    ZIP archive (legitimate VLC executable plus malicious libvlc.dll)
URL     hxxp://154.92.16[.]22/xz.bin                ValleyRAT download URL
SHA1    eca7ed7b699835fadc2c2997a2845864e02b8dfe    ValleyRAT sample, RC4-encrypted

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Sarah Simpson is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

All Rights Reserved by HackersRadar ©2026