Fake VLC Installer Delivers ValleyRAT Malware
Key Takeaways
- Cybercriminals are leveraging a highly deceptive campaign by embedding ValleyRAT malware within seemingly legitimate VLC media player installers.
- The attack chain initiates via phishing emails, primarily targeting Chinese and Japanese-speaking users, that prompt the download of a malicious ZIP archive.
- ValleyRAT is a remote access trojan (RAT) that grants attackers full control over infected systems, posing a significant data breach and operational risk.
- The malware employs sophisticated evasion tactics, including DLL sideloading, anti-analysis checks, and fileless execution, making detection challenging for traditional security tools.
- LevelBlue observed a sharp rise in ValleyRAT activity, with detections nearly doubling year-over-year through 2025 and into 2026.
Sophisticated Campaign Hides ValleyRAT in Fake VLC Player
Cybersecurity researchers have uncovered a new, sophisticated campaign that exploits the trusted VLC media player to distribute ValleyRAT, a potent remote access trojan. This attack bypasses conventional security measures by camouflaging malicious code within a widely used and reputable application, giving attackers stealthy control over compromised systems.
The operation begins with a seemingly innocuous phishing email. Victims receive messages designed to appear as routine internal communications, such as notifications about “personnel transfers” or “salary changes.” These emails include a link leading to a malicious download. Once the downloaded file is executed, it triggers a multi-stage infection process that culminates in a hidden backdoor operating silently in the system’s memory, effectively evading many traditional antivirus solutions.
Analysts at LevelBlue identified this campaign while observing a marked increase in ValleyRAT detections through their Global Security Operations Center. While ValleyRAT has been active since 2023, its prevalence accelerated sharply through 2025 and into 2026, with activity nearly doubling year-over-year. According to LevelBlue's report, the email-based variant of this campaign specifically targets users in Chinese- and Japanese-speaking regions; the global footprint of companies with offices in these areas, however, broadens the potential impact considerably.
What distinguishes this campaign is its use of a legitimate application as a smokescreen. Rather than shipping an entirely new loader that security software might flag on sight, the threat actors reuse the genuine, signed VLC executable and pair it with a malicious replacement for one of the libraries it expects to find beside it, so the first malicious code runs inside a trusted process.
Hackers Leverage Legitimate VLC Executable and Malicious libvlc.dll
The infection sequence begins when a user clicks the link in the phishing email and downloads a ZIP archive containing two files: an executable and a DLL. The executable carries a Japanese filename matching the lure in the email's subject, yet its internal file description and hash correspond to a genuine VLC media player build, so hash- and signature-based checks see nothing wrong.
The accompanying libvlc.dll is a library VLC requires for normal operation, but this copy is attacker-controlled. Because Windows resolves a DLL by name and searches the application's own directory before the system directories, the renamed VLC executable loads the malicious libvlc.dll sitting next to it, a technique known as DLL sideloading. The harmful code therefore executes inside a signed, trusted process.
Once loaded, the malicious DLL copies both the renamed executable and itself to a predefined directory. For persistence across reboots, it creates a registry entry that relaunches the executable at every logon. It then contacts a remote command-and-control server to retrieve the final ValleyRAT payload.
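The chain above (a VLC-described binary running from a user directory, a libvlc.dll loaded from the same place, and a Run value pointing back at it) can be hunted in image-load and registry telemetry. The following is an added example written for this article, not LevelBlue's detection content and not code from the malware. Event fields are modelled loosely on Sysmon Event ID 7 (image load) and Event ID 13 (registry value set); the install directories, the known-good hash set, the sample events, the filenames and the hashes are all constructed placeholders.

```python
"""Hunt for the renamed-VLC + libvlc.dll sideload pattern in endpoint telemetry.

Added example for this article; it is not LevelBlue's or the malware's code.
All sample events, paths and hashes below are constructed.
"""
from dataclasses import dataclass

# Assumption: a clean VLC install lives in one of these directories and the
# defender has recorded the SHA1 of its libvlc.dll (placeholder, not a real hash).
VLC_INSTALL_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)
KNOWN_GOOD_LIBVLC_SHA1 = {"0000000000000000000000000000000000000000"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


@dataclass
class ImageLoad:
    process_image: str        # full path of the loading process
    process_description: str  # FileDescription from the PE version resource
    loaded_image: str         # full path of the DLL that was mapped
    loaded_sha1: str


@dataclass
class RegistrySet:
    key: str
    value_data: str           # command line stored in the Run value


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def sideload_findings(ev: ImageLoad) -> list[str]:
    """Reasons a libvlc.dll load by a VLC-described binary looks like sideloading."""
    if ev.process_description != "VLC media player":
        return []
    if not ev.loaded_image.lower().endswith("\\libvlc.dll"):
        return []
    reasons = []
    proc_dir = _dirname(ev.process_image)
    if not any(proc_dir.startswith(d) for d in VLC_INSTALL_DIRS):
        reasons.append("VLC binary running outside its install directory")
    if not ev.process_image.lower().endswith("\\vlc.exe"):
        reasons.append("VLC binary has been renamed")
    if ev.loaded_sha1.lower() not in KNOWN_GOOD_LIBVLC_SHA1:
        reasons.append("libvlc.dll hash not in known-good set")
    return reasons


def run_key_findings(ev: RegistrySet) -> list[str]:
    """Flag Run-key persistence whose target lives in a user-writable directory."""
    if not ev.key.lower().startswith(RUN_KEY):
        return []
    target = ev.value_data.strip('"').lower()
    writable = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
    if any(w in target for w in writable):
        return [f"Run value launches {ev.value_data} from a user-writable directory"]
    return []


# Constructed telemetry: one benign VLC launch, one sideload, one persistence write.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe", "VLC media player",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
              "0000000000000000000000000000000000000000"),
    ImageLoad(r"C:\Users\alice\Downloads\人事異動のお知らせ.exe", "VLC media player",
              r"C:\Users\alice\Downloads\libvlc.dll",
              "ffffffffffffffffffffffffffffffffffffffff"),
]
SAMPLE_REG = [
    RegistrySet(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
                r'"C:\Users\alice\AppData\Roaming\Updater\人事異動のお知らせ.exe"'),
]


def hunt(loads=SAMPLE_LOADS, regs=SAMPLE_REG) -> dict[str, list[str]]:
    """Return {event subject: reasons} for every event with at least one finding."""
    out = {}
    for ev in loads:
        if r := sideload_findings(ev):
            out[ev.process_image] = r
    for ev in regs:
        if r := run_key_findings(ev):
            out[ev.key] = r
    return out


if __name__ == "__main__":
    for what, why in hunt().items():
        print(what, "->", "; ".join(why))
```

The hash check is the strongest of the three signals, but it only works if the known-good set is built from a trusted VLC install on the defender's side; the path and filename checks catch the renamed copy even when no baseline hash exists.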
Evasion Tactics and Fileless Execution
ValleyRAT’s delivery mechanism incorporates extensive measures to avoid detection by sandboxes and analysis environments. Before executing its primary malicious functions, the malware performs several checks: it queries available system memory, counts the number of processor cores, and precisely measures the execution time of a sleep command. These checks are designed to identify anomalies characteristic of virtualized testing environments, which often exhibit different behaviors than real user machines.
If any of these environmental checks indicate that the malware is being analyzed, it immediately terminates its operation, making it exceedingly difficult for security researchers to observe its full capabilities. Furthermore, the malware’s code is deliberately padded with large sections of meaningless, junk functions. This technique is specifically employed to hinder and slow down any attempts at reverse engineering.
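A sandbox operator can reproduce the three checks described above to see whether their analysis VM would trip them. The block below is an added example written for this article, not code recovered from the loader and not LevelBlue's; the thresholds are assumptions chosen for illustration, since the article does not state the values the malware uses. The sleep check takes injectable sleep and clock functions so the fast-forwarded-sleep case can be simulated.

```python
"""Reproduce the loader's three environment checks: RAM, cores, and sleep timing.

Added example for this article, not the campaign's or LevelBlue's code.
Thresholds are assumptions for illustration; the article gives none.
"""
import os
import time

MIN_RAM_BYTES = 4 * 1024 ** 3   # assumption: under 4 GiB reads as a sandbox
MIN_CORES = 2                   # assumption: a single vCPU reads as a sandbox
MIN_SLEEP_RATIO = 0.9           # assumption: sleep returning early = patched Sleep()


def sleep_ratio(seconds: float = 0.25, sleep=time.sleep, clock=time.perf_counter) -> float:
    """Elapsed wall-clock time divided by the requested sleep; about 1.0 on a real host.
    Sandboxes that fast-forward Sleep() to outlast stalling samples return well below 1."""
    start = clock()
    sleep(seconds)
    return (clock() - start) / seconds


def classify(ram_bytes: int, cores: int, ratio: float) -> list[str]:
    """Return the checks that fail; an empty list means the host passes all three."""
    failed = []
    if ram_bytes < MIN_RAM_BYTES:
        failed.append(f"memory {ram_bytes // 1024 ** 2} MiB below {MIN_RAM_BYTES // 1024 ** 2} MiB")
    if cores < MIN_CORES:
        failed.append(f"{cores} core(s) below {MIN_CORES}")
    if ratio < MIN_SLEEP_RATIO:
        failed.append(f"sleep completed in {ratio:.0%} of the requested time")
    return failed


def total_ram_bytes() -> int:
    """Physical memory size via GlobalMemoryStatusEx on Windows, sysconf elsewhere."""
    if os.name == "nt":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                        ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                        ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                        ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                        ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

        st = MEMORYSTATUSEX()
        st.dwLength = ctypes.sizeof(st)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(st))
        return st.ullTotalPhys
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")


if __name__ == "__main__":
    failed = classify(total_ram_bytes(), os.cpu_count() or 1, sleep_ratio())
    print("sandbox indicators:", failed or "none")
```

The timing check is the one most sandboxes fail by their own design: patching Sleep() to skip delays is a common way to outlast stalling samples, and it is exactly what this measurement detects, so a VM that needs to observe this loader must let real time pass.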
Perhaps the most concerning aspect of this campaign is the method used for delivering the final payload. The downloaded ValleyRAT component, which is encrypted with RC4, is decrypted directly in memory and injected into a suspended system process; the decrypted RAT is never written to disk. This fileless approach is highly effective against file-scanning antivirus, which is left with only the sideloaded DLL and the RC4-encrypted blob to examine rather than the RAT itself.
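Because the payload is only ever RC4-encrypted, an analyst who recovers the key from the loader can decrypt the downloaded blob offline and confirm it is a PE image. The following is an added example for this article: the RC4 routine is the standard algorithm, not code recovered from the loader, and both the key and the sample blob are constructed, since the article does not publish the campaign's key or the decrypted file. Verifying the implementation against published RC4 test vectors before trusting it on a real sample is part of the example.

```python
"""RC4 decryption of an in-memory payload blob, as an analyst would do on xz.bin.

Added example for this article. Standard RC4, not code from the loader; the key
and the sample blob are constructed because the article does not publish them.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling, then PRGA XOR. Encrypt and decrypt are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check after decryption: 'MZ' stub and an e_lfanew that lands on 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_keys(blob: bytes, candidates: list[bytes]):
    """Return (key, plaintext) for the first candidate key that yields a PE image, else None."""
    for k in candidates:
        pt = rc4(k, blob)
        if looks_like_pe(pt):
            return k, pt
    return None


# Constructed stand-in for a decrypted payload: a minimal DOS header whose e_lfanew
# points at a PE signature. Not an executable, just enough to satisfy looks_like_pe.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\x00" * 16
ASSUMED_KEY = b"example-key"                 # assumption; the real key is not on the page
ENCRYPTED_BLOB = rc4(ASSUMED_KEY, FAKE_PE)   # plays the role of the downloaded xz.bin


if __name__ == "__main__":
    hit = try_keys(ENCRYPTED_BLOB, [b"wrong", ASSUMED_KEY])
    print("key:", hit[0] if hit else None)
```

On a real sample the candidate list would come from strings or constants pulled out of the loader DLL, and the PE check should be followed by a full header parse before the image is handed to any tooling.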
What You Should Do
- Employee Training: Conduct regular, comprehensive cybersecurity awareness training for all employees. Emphasize the importance of identifying phishing emails, particularly those with unusual subject lines, sender addresses (e.g., free webmail domains for business communications), or suspicious links/attachments. Train users to recognize inconsistencies like unexpected Japanese filenames on executables or mismatched file descriptions.
- Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting sophisticated attack techniques such as DLL sideloading, unusual process injection, and other memory-resident threats. These tools provide visibility beyond traditional file-based detection.
- Email Security Gateways: Implement robust email security gateways with advanced threat protection, including sandboxing for attachments and URL filtering, to block malicious emails before they reach end-users.
- Principle of Least Privilege: Enforce the principle of least privilege for all users and applications to minimize the impact of a successful compromise.
- Network Segmentation: Segment your network to limit lateral movement in case an endpoint is compromised, reducing the potential spread of malware.
- Regular Backups: Maintain regular, encrypted backups of critical data, and store them securely offline or in immutable storage to facilitate recovery in the event of a successful attack.
- Incident Response Plan: Ensure your organization has a well-defined incident response plan. If compromise is suspected, immediately isolate the affected system from the network and conduct a thorough forensic analysis. In severe cases, a full operating system reinstallation may be necessary.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| SHA1 | e8be03f19ada1f5cec74b143e21d4939e781671d | Malicious email |
| Domain | frehf.oss-cn-hongkong.aliyuncs[.]com | Domain part of the URL in the malicious email |
| SHA1 | 65168c8dd93b16d3b77092fb70c0fa6fba4dffcc | ZIP archive (fake VLC executable) |
| URL | http://154.92.16.22/xz.bin | ValleyRAT download URL |
| SHA1 | eca7ed7b699835fadc2c2997a2845864e02b8dfe | ValleyRAT sample encrypted by RC4 |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.