ValleyRAT Malware Uses Malicious VLC DLL to Attack Systems
Key Takeaways
- A recent campaign leverages the trusted VLC media player to deploy ValleyRAT, a sophisticated remote access trojan.
- Attackers use DLL sideloading by pairing a legitimate VLC executable with a malicious libvlc.dll to bypass traditional security measures.
- The malware employs advanced evasion tactics, including environmental checks and fileless execution, making detection challenging.
- ValleyRAT activity has seen a significant increase since 2023, accelerating through 2025 and 2026.
- Initial targets include Chinese and Japanese-speaking users via phishing emails disguised as HR communications.
Cybersecurity researchers have uncovered a new, highly deceptive campaign that exploits the widely used VLC media player to distribute ValleyRAT, a potent remote access trojan (RAT). This sophisticated attack vector allows threat actors to gain full control over compromised systems, leveraging the inherent trust users place in legitimate software.
The campaign initiates with targeted phishing emails, often themed around sensitive topics such as personnel changes or salary adjustments. These messages contain links that, when clicked, lead to the download of a malicious archive. This archive ultimately facilitates the installation of ValleyRAT, enabling attackers to operate covertly within infected environments, often bypassing conventional antivirus defenses.
Analysts at LevelBlue first identified this surge in ValleyRAT activity while monitoring their Global Security Operations Center. While the malware has been active since 2023, its prevalence has nearly doubled between 2025 and 2026. According to LevelBlue's report, the email-based component of this campaign primarily targets users in Chinese and Japanese-speaking regions, though the global reach of many organizations suggests a broader risk.
Exploiting Trust: Legitimate VLC and Malicious DLLs
The ingenuity of this attack lies in its use of a trusted application as a decoy. Instead of relying on easily flagged custom malware, the threat actors bundle a genuine VLC media player executable with a malicious replacement for one of its critical supporting files. This tactic allows the malicious payload to evade immediate detection by security software.
The infection chain begins when a victim opens a ZIP archive downloaded from the phishing email. This archive contains two files: an executable and a Dynamic Link Library (DLL). The executable is cleverly named to align with the phishing email’s subject, often using Japanese characters, yet its internal metadata and hash confirm it as a legitimate VLC media player build. The accompanying file, named libvlc.dll, is a standard component that VLC requires to function correctly.
Upon execution, the legitimate VLC application loads the malicious libvlc.dll file. This technique, known as DLL sideloading, exploits the Windows loader's search order, which resolves a DLL name against the application's own directory before system locations, together with the trust placed in a signed application. The malicious code then executes under the guise of a recognized and trusted program. After initial execution, the malicious DLL copies both the legitimate VLC executable and itself to a persistent directory and establishes a registry entry to ensure the RAT launches automatically upon system reboot.
Following this, the malware establishes communication with a remote server to retrieve the final ValleyRAT payload. For a detailed technical breakdown of this process, refer to the analysis by LevelBlue.
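The two host artefacts described above, a libvlc.dll loaded from somewhere other than the VLC install directory and a Run-key value that relaunches a copy of vlc.exe from a user-writable path, are the kind of behaviour an EDR or SIEM rule can catch regardless of the DLL's hash. The following hunt is an added example, not code from LevelBlue or the report; it assumes Sysmon-style records (Event ID 7 image load, Event ID 13 registry value set), default VideoLAN install paths in `TRUSTED_DIRS`, and a placeholder allowlist hash in `KNOWN_GOOD_LIBVLC_SHA1` that you would populate from your own golden image. The sample events are constructed.

```python
"""Hunt for VLC DLL-sideloading and Run-key persistence in Sysmon-style events.
Added example; event shapes follow Sysmon Event ID 7 and 13 field names."""
import ntpath
from typing import Dict, List, Optional, Tuple

# Assumption: default VideoLAN install locations; extend from your software inventory.
TRUSTED_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)
# Placeholder: SHA-1 of libvlc.dll from the VLC build(s) you actually approve.
KNOWN_GOOD_LIBVLC_SHA1 = {"0000000000000000000000000000000000000000"}


def in_trusted_dir(path: str) -> bool:
    """True if the file sits directly in one of the approved install directories."""
    return ntpath.dirname(path.lower()) in TRUSTED_DIRS


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon writes hashes as 'SHA1=...,MD5=...,SHA256=...'."""
    return {k.upper(): v.lower() for k, v in
            (kv.split("=", 1) for kv in field.split(",") if "=" in kv)}


def flag_image_load(ev: dict) -> Optional[str]:
    """Event ID 7: a process loaded a DLL. Flag libvlc.dll by location and hash."""
    if ev.get("EventID") != 7:
        return None
    dll = ev["ImageLoaded"]
    if ntpath.basename(dll).lower() != "libvlc.dll":
        return None
    reasons = []
    if not in_trusted_dir(dll):
        reasons.append("libvlc.dll loaded from outside the VLC install directory")
    if parse_hashes(ev.get("Hashes", "")).get("SHA1") not in KNOWN_GOOD_LIBVLC_SHA1:
        reasons.append("libvlc.dll hash not on the allowlist")
    return "; ".join(reasons) or None


def flag_run_key(ev: dict) -> Optional[str]:
    """Event ID 13: a registry value was set. Flag Run-key autostarts of a relocated vlc.exe."""
    if ev.get("EventID") != 13:
        return None
    if "\\currentversion\\run" not in ev["TargetObject"].lower():
        return None
    data = ev.get("Details", "").strip().strip('"').lower()
    exe = data.split(".exe", 1)[0] + ".exe"  # drop any command-line arguments
    if ntpath.basename(exe) == "vlc.exe" and not in_trusted_dir(exe):
        return "Run key autostarts vlc.exe from a non-install directory"
    return None


def hunt(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (RecordId, reason) for every event that trips a check."""
    findings = []
    for ev in events:
        for check in (flag_image_load, flag_run_key):
            reason = check(ev)
            if reason:
                findings.append((ev["RecordId"], reason))
    return findings


# Constructed sample telemetry: a sideloaded DLL from Downloads, a clean load from the
# install directory, a suspicious Run key, and a benign Run key.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 7,
     "Image": r"C:\Users\taro\Downloads\notice.exe",
     "ImageLoaded": r"C:\Users\taro\Downloads\libvlc.dll",
     "Hashes": "SHA1=1111111111111111111111111111111111111111"},
    {"RecordId": 2, "EventID": 7,
     "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "Hashes": "SHA1=0000000000000000000000000000000000000000"},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\taro\AppData\Roaming\Updater\vlc.exe"},
    {"RecordId": 4, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for record_id, why in hunt(SAMPLE_EVENTS):
        print(record_id, why)
```

Both checks deliberately key on location rather than on a signature of this one campaign: any future build of the loader that reuses VLC as its host will still land a libvlc.dll outside Program Files and still need an autostart for the relocated vlc.exe.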
Sophisticated Evasion Tactics and Fileless Execution
ValleyRAT incorporates several advanced evasion techniques designed to bypass security sandboxes and analysis environments. Before executing its core malicious functions, the malware performs checks on system memory, processor core count, and the precise timing of sleep commands. These checks are crucial because virtual analysis environments often exhibit distinct behaviors compared to genuine user machines.
If these environmental checks indicate the presence of a monitoring system, the malware ceases its activity, effectively masking its true capabilities from researchers. Furthermore, the code is deliberately bloated with extraneous, non-functional code, a tactic intended to complicate and slow down reverse engineering efforts.
Perhaps the most concerning aspect of ValleyRAT’s delivery is its fileless execution. The final payload, encrypted with a basic RC4 cipher, is decrypted directly into memory. Rather than being written to disk, it is injected into a suspended system process. This “living off the land” approach leaves no discernible malicious files on the system, making it exceptionally difficult for traditional signature-based antivirus solutions to detect.
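Because the final stage is plain RC4, an analyst who recovers the key from the loader can turn the downloaded blob back into the injected image without running anything. The helper below is an added example, not LevelBlue's tooling: a textbook RC4 implementation plus a triage routine that tries candidate keys and accepts a result only if it carries a DOS header whose e_lfanew points at a `PE\0\0` signature. The key and the encrypted sample are constructed stand-ins for a captured xz.bin-style file; no key from the campaign is on this page.

```python
"""RC4 decryption and PE-header triage for an in-memory payload. Added example."""
from typing import Dict, Iterable


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA) then keystream XOR (PRGA). Symmetric."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """MZ magic, then the e_lfanew field at 0x3C must point at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(blob: bytes, candidate_keys: Iterable[bytes]) -> Dict[str, object]:
    """Decrypt with each candidate key; report the first that yields a PE image."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return {"key": key, "e_lfanew": int.from_bytes(plain[0x3C:0x40], "little")}
    return {}


# Constructed sample: a minimal DOS stub (e_lfanew = 0x40) followed by the PE
# signature, encrypted under a constructed key to stand in for a captured blob.
SAMPLE_KEY = b"constructed-key"
SAMPLE_PLAIN = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, [b"not-the-key", SAMPLE_KEY]))
```

The header check matters more than the cipher: with a one-byte-wrong key RC4 still produces output of the right length, so the only signal that the key was right is structural, which is also why a detection rule that watches for `MZ` appearing in a suspended process's memory does not care which key was used.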
What You Should Do
- Employee Training: Educate staff on identifying phishing emails, especially those with unusual file names, mismatched file descriptions, or business-related emails originating from free webmail domains.
- Endpoint Detection and Response (EDR): Implement and configure EDR solutions capable of detecting advanced techniques like DLL sideloading and unusual process injection. These tools are critical for catching stealthy, fileless malware.
- Network Monitoring: Monitor network traffic for suspicious outbound connections from internal systems, particularly those to unusual IP addresses or domains.
- Email Security: Deploy robust email security gateways that can identify and block malicious attachments and phishing attempts, especially those containing ZIP archives with executables and DLLs.
- System Isolation: If a system is suspected of being compromised, immediately isolate it from the network to prevent further spread of the malware.
- Incident Response: Conduct a thorough forensic analysis of any compromised systems to understand the attacker’s actions and potential data exfiltration. In severe cases, a complete operating system reinstallation may be necessary to ensure complete remediation.
- Regular Backups: Maintain regular, secure backups of critical data to facilitate recovery in the event of a successful attack.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| SHA1 | e8be03f19ada1f5cec74b143e21d4939e781671d | Malicious email |
| Domain | frehf.oss-cn-hongkong.aliyuncs[.]com | Domain part of the URL in the malicious email |
| SHA1 | 65168c8dd93b16d3b77092fb70c0fa6fba4dffcc | ZIP archive (fake VLC executable) |
| URL | http://154.92.16[.]22/xz.bin | ValleyRAT download URL |
| SHA1 | eca7ed7b699835fadc2c2997a2845864e02b8dfe | ValleyRAT sample encrypted by RC4 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
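To act on the table, the indicators have to be re-fanged for matching and re-defanged for anything that leaves the SIEM. The script below is an added example, not part of the report: it loads the five indicators as published, normalises both the indicator and the log line through `refang()` so it works equally on real (plain) logs, and runs them over constructed proxy records and a constructed file-hash inventory. The log format, client IPs, timestamps and file paths are all made up for the example.

```python
"""Match the published ValleyRAT IoCs against proxy logs and a file inventory.
Added example; the indicator values are the ones in the table above, kept defanged."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

IOCS = [
    ("SHA1", "e8be03f19ada1f5cec74b143e21d4939e781671d", "Malicious email"),
    ("Domain", "frehf.oss-cn-hongkong.aliyuncs[.]com", "Domain in the phishing URL"),
    ("SHA1", "65168c8dd93b16d3b77092fb70c0fa6fba4dffcc", "ZIP archive (fake VLC executable)"),
    ("URL", "http://154.92.16[.]22/xz.bin", "ValleyRAT download URL"),
    ("SHA1", "eca7ed7b699835fadc2c2997a2845864e02b8dfe", "ValleyRAT sample encrypted by RC4"),
]


def refang(s: str) -> str:
    """Undo the two common defang conventions; a no-op on already-plain input."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def defang(s: str) -> str:
    """Defang a URL's scheme and host, or every dot of a bare host/IP."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", s)
    if m:
        scheme, host, rest = m.groups()
        return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + rest
    return s.replace(".", "[.]")


def build_sets(iocs):
    """Split the table into hash, host and full-URL lookup sets (refanged, lowercased)."""
    hashes = {v.lower() for t, v, _ in iocs if t == "SHA1"}
    hosts, urls = set(), set()
    for t, v, _ in iocs:
        if t == "Domain":
            hosts.add(refang(v).lower())
        elif t == "URL":
            u = refang(v).lower()
            urls.add(u)
            hosts.add(urlparse(u).hostname)  # the URL's host is an indicator on its own
    return hashes, hosts, urls


HASHES, HOSTS, URLS = build_sets(IOCS)


def scan_proxy_line(line: str) -> Optional[Tuple[str, str]]:
    """Constructed format: '<ts> <client> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    url = refang(parts[3]).lower()
    host = urlparse(url).hostname or ""
    if url in URLS:
        return ("url", defang(url))
    if host in HOSTS:
        return ("host", defang(host))
    return None


def scan_file_record(rec: str) -> Optional[Tuple[str, str]]:
    """Constructed format: '<path>,<sha1>'."""
    _path, sha1 = rec.rsplit(",", 1)
    sha1 = sha1.strip().lower()
    return ("sha1", sha1) if sha1 in HASHES else None


def scan(proxy_lines: List[str], file_records: List[str]) -> List[Tuple[str, str]]:
    """Return every hit as (kind, defanged value), safe to paste into a ticket."""
    hits = [h for h in map(scan_proxy_line, proxy_lines) if h]
    hits += [h for h in map(scan_file_record, file_records) if h]
    return hits


# Constructed sample telemetry; URLs are written defanged so the source stays inert.
SAMPLE_PROXY = [
    "2026-01-12T09:14:03Z 10.0.5.23 GET hxxp://154[.]92[.]16[.]22/xz.bin 200",
    "2026-01-12T09:14:05Z 10.0.5.23 GET hxxps://frehf[.]oss-cn-hongkong[.]aliyuncs[.]com/attachment.zip 200",
    "2026-01-12T09:15:00Z 10.0.5.24 GET hxxps://www[.]example[.]com/ 200",
]
SAMPLE_FILES = [
    r"C:\Users\taro\Downloads\attachment.zip,65168c8dd93b16d3b77092fb70c0fa6fba4dffcc",
    r"C:\Windows\System32\notepad.exe,ffffffffffffffffffffffffffffffffffffffff",
]

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_PROXY, SAMPLE_FILES):
        print(kind, value)
```

Matching on the host as well as the full URL is deliberate: the download path can change between waves while the IP or bucket hostname stays put, so a hit on `154.92.16[.]22` with a different path is still worth a ticket.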
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.