Fake VLC Installer Delivers ValleyRAT Malware

Sarah Simpson
July 2, 2026 · 5 Min Read

Key Takeaways

  • Cybercriminals are leveraging a highly deceptive campaign by embedding ValleyRAT malware within seemingly legitimate VLC media player installers.
  • The attack chain initiates via phishing emails, primarily targeting Chinese and Japanese-speaking users, that prompt the download of a malicious ZIP archive.
  • ValleyRAT is a remote access trojan (RAT) that grants attackers full control over infected systems, posing a significant data breach and operational risk.
  • The malware employs sophisticated evasion tactics, including DLL sideloading, anti-analysis checks, and fileless execution, making detection challenging for traditional security tools.
  • LevelBlue observed a significant surge in ValleyRAT activity, with detections nearly doubling year-over-year through 2025 and into 2026.

Sophisticated Campaign Hides ValleyRAT in Fake VLC Player

Cybersecurity researchers have uncovered a new, sophisticated campaign that exploits the trusted VLC media player to distribute ValleyRAT, a potent remote access trojan. This attack bypasses conventional security measures by camouflaging malicious code within a widely used and reputable application, giving attackers stealthy control over compromised systems.

The operation begins with a seemingly innocuous phishing email. Victims receive messages designed to appear as routine internal communications, such as notifications about “personnel transfers” or “salary changes.” These emails include a link leading to a malicious download. Once the downloaded file is executed, it triggers a multi-stage infection process that culminates in a hidden backdoor operating silently in the system’s memory, effectively evading many traditional antivirus solutions.

Analysts at LevelBlue identified this campaign while observing a marked increase in ValleyRAT detections through their Global Security Operations Center. While ValleyRAT has been active since 2023, its prevalence sharply accelerated through 2025 and into 2026, with activity nearly doubling year-over-year. According to LevelBlue’s report, the email-based variant of this campaign specifically targets users in Chinese and Japanese-speaking regions. However, the global reach of companies with offices in these areas broadens the potential impact significantly.

What distinguishes this particular campaign is its use of a legitimate application as a smokescreen. Rather than developing entirely new malware that security software might instantly flag, the threat actors have repurposed the genuine VLC executable and paired it with a malicious replacement for one of its essential supporting libraries, so that the harmful code runs inside a trusted process.

Hackers Leverage Legitimate VLC Executable and Malicious libvlc.dll

The infection sequence initiates when a user clicks the phishing email link, resulting in the download of a ZIP archive. This archive contains two critical files: an executable and a DLL. The executable bears a Japanese filename relevant to the phishing email’s subject, yet its internal file description and hash correspond to a genuine VLC media player build, creating a false sense of security.

The accompanying file, named libvlc.dll, is a dynamic link library that VLC requires for its normal operation. Because the executable itself is a genuine, signed VLC build, security tools tend to trust it; and because Windows resolves a DLL name from the application’s own directory before the system directories, launching the renamed executable loads the malicious libvlc.dll sitting beside it. This technique, known as DLL sideloading, lets the harmful code execute under the guise of a legitimate, trusted program.

Once loaded, the malicious DLL performs several critical steps. It copies both the fake executable and itself to a predefined directory on the system. To ensure persistence across reboots, it creates a registry entry that automatically relaunches the executable each time the victim logs in. Following this, the malware establishes communication with a remote command-and-control server to retrieve the final ValleyRAT payload.
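The sideloading pattern described above can be caught from module-load telemetry rather than file hashes. The following detection logic is an added example (not code from the article or from LevelBlue); it assumes a hypothetical EDR event schema with the keys image, original_filename, description, module and module_signed, and runs over constructed sample events:

```python
import ntpath

# Directories where a genuine VLC install and its libvlc.dll are expected
# (assumed typical default install paths, lower-cased for comparison).
TRUSTED_VLC_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)

def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower()

def sideload_findings(event: dict) -> list[str]:
    """Return reasons a module-load event looks like VLC-themed DLL sideloading.

    The event keys are a hypothetical EDR schema: image (process path),
    original_filename and description (PE version info of the image),
    module (loaded DLL path) and module_signed (Authenticode status).
    """
    reasons = []
    image_name = ntpath.basename(event["image"]).lower()
    if ntpath.basename(event["module"]).lower() != "libvlc.dll":
        return reasons  # only interested in loads of VLC's core library
    # PE metadata says vlc.exe but the file on disk carries another name
    # (the campaign renames the genuine binary to match the phishing lure).
    if event.get("original_filename", "").lower() == "vlc.exe" and image_name != "vlc.exe":
        reasons.append("renamed VLC binary: %s" % image_name)
    # libvlc.dll resolved from somewhere other than a VLC install directory.
    if _dirname(event["module"]) not in TRUSTED_VLC_DIRS:
        reasons.append("libvlc.dll loaded from untrusted directory: %s" % _dirname(event["module"]))
    # Assumption: a library shipped with a signed VLC build is itself signed;
    # an unsigned copy is a weaker but useful corroborating signal.
    if not event.get("module_signed", False):
        reasons.append("unsigned libvlc.dll")
    return reasons

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map image path -> findings for every event that triggers at least one rule."""
    return {e["image"]: r for e in events if (r := sideload_findings(e))}

# Constructed sample telemetry (not from the article): a legitimate VLC load,
# a sideload from a Downloads folder with a lure-style filename, and noise.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "original_filename": "vlc.exe",
     "description": "VLC media player", "module": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "module_signed": True},
    {"image": r"C:\Users\alice\Downloads\人事異動のお知らせ.exe", "original_filename": "vlc.exe",
     "description": "VLC media player", "module": r"C:\Users\alice\Downloads\libvlc.dll",
     "module_signed": False},
    {"image": r"C:\Windows\System32\notepad.exe", "original_filename": "notepad.exe",
     "description": "Notepad", "module": r"C:\Windows\System32\kernel32.dll", "module_signed": True},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The same three rules map directly onto EDR query languages; the renamed-binary check (PE OriginalFilename versus on-disk name) is the one most specific to this campaign.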

Evasion Tactics and Fileless Execution

ValleyRAT’s delivery mechanism incorporates extensive measures to avoid detection by sandboxes and analysis environments. Before executing its primary malicious functions, the malware performs several checks: it queries available system memory, counts the number of processor cores, and precisely measures the execution time of a sleep command. These checks are designed to identify anomalies characteristic of virtualized testing environments, which often exhibit different behaviors than real user machines.

If any of these environmental checks indicate that the malware is being analyzed, it immediately terminates its operation, making it exceedingly difficult for security researchers to observe its full capabilities. Furthermore, the malware’s code is deliberately padded with large sections of meaningless, junk functions. This technique is specifically employed to hinder and slow down any attempts at reverse engineering.

Perhaps the most concerning aspect of this campaign is the method used for delivering the final payload. The downloaded ValleyRAT component, which is encrypted using a basic RC4 cipher, is decrypted directly in memory. It is then injected into a suspended system process without ever being written to disk. This fileless approach is highly effective at evading traditional antivirus scans, as there is no tangible malicious file left behind for them to detect.

What You Should Do

  • Employee Training: Conduct regular, comprehensive cybersecurity awareness training for all employees. Emphasize the importance of identifying phishing emails, particularly those with unusual subject lines, sender addresses (e.g., free webmail domains for business communications), or suspicious links/attachments. Train users to recognize inconsistencies like unexpected Japanese filenames on executables or mismatched file descriptions.
  • Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting sophisticated attack techniques such as DLL sideloading, unusual process injection, and other memory-resident threats. These tools provide visibility beyond traditional file-based detection.
  • Email Security Gateways: Implement robust email security gateways with advanced threat protection, including sandboxing for attachments and URL filtering, to block malicious emails before they reach end-users.
  • Principle of Least Privilege: Enforce the principle of least privilege for all users and applications to minimize the impact of a successful compromise.
  • Network Segmentation: Segment your network to limit lateral movement in case an endpoint is compromised, reducing the potential spread of malware.
  • Regular Backups: Maintain regular, encrypted backups of critical data, and store them securely offline or in immutable storage to facilitate recovery in the event of a successful attack.
  • Incident Response Plan: Ensure your organization has a well-defined incident response plan. If compromise is suspected, immediately isolate the affected system from the network and conduct a thorough forensic analysis. In severe cases, a full operating system reinstallation may be necessary.

Indicators of Compromise

Type   | Indicator                                   | Description
SHA1   | e8be03f19ada1f5cec74b143e21d4939e781671d    | Malicious email
Domain | frehf.oss-cn-hongkong.aliyuncs[.]com        | Domain part of the URL in the malicious email
SHA1   | 65168c8dd93b16d3b77092fb70c0fa6fba4dffcc    | ZIP archive (fake VLC executable)
URL    | http://154.92.16.22/xz.bin                  | ValleyRAT download URL
SHA1   | eca7ed7b699835fadc2c2997a2845864e02b8dfe    | ValleyRAT sample encrypted by RC4
