An Analysis of ValleyRAT Infection Campaigns from Fake Installers, Japanese Malicious Emails
LevelBlue GSOC has identified accelerating ValleyRAT campaigns delivered through fake installers and malicious emails targeting Chinese and Japanese-speaking users. The email-based attack chain uses DLL sideloading via a legitimate VLC executable to load a malicious DLL that downloads an RC4-encrypted, Donut-generated ValleyRAT payload, which is then injected into a suspended rundll32.exe process for fileless execution. The malware incorporates extensive anti-analysis checks (memory size, sleep timing, CPU count, VHD boot detection) and establishes persistence via registry Run keys.
- domainfrehf[.]oss-cn-hongkong[.]aliyuncs[.]comDomain used in the malicious email URL link; hosts the ZIP archive containing the DLL sideloading payload; shared across both Chinese and Japanese-language phishing emails
- ip154[.]92[.]16[.]22ValleyRAT payload download server; hosts xz.bin which is the RC4-encrypted ValleyRAT shellcode downloaded by the malicious DLL
- sha165168c8dd93b16d3b77092fb70c0fa6fba4dffccSHA1 hash of the ZIP archive downloaded from the phishing URL; contains the legitimate VLC EXE and malicious libvlc.dll used for DLL sideloading
- sha1e8be03f19ada1f5cec74b143e21d4939e781671dSHA1 hash of the malicious email sample used in the ValleyRAT phishing campaign
- sha1eca7ed7b699835fadc2c2997a2845864e02b8dfeSHA1 hash of the ValleyRAT payload sample encrypted with RC4; generated using Donut; confirmed as ValleyRAT through decryption with key 'zenzensu' and comparison with known samples
- urlhxxp://154[.]92[.]16[.]22/xz[.]binValleyRAT download URL contacted by the malicious DLL via wininet APIs; URL is Base64-encoded in the DLL and payload is RC4-encrypted with key 'zenzensu'
- urlhxxps://frehf[.]oss-cn-hongkong[.]aliyuncs[.]com/%E4%BA%BA%E4%BA%8B%E5%8A%9B%E8%B3%87%E6%BA%90%E9%83%A8[.]zipFull phishing URL from the malicious email; downloads the ZIP archive containing the DLL sideloading payload
Detection / Hunteropenrouter
What Happened
A type of malicious software called ValleyRAT is being spread through fake software installers and deceptive emails written in Chinese and Japanese. The emails lure victims by pretending to be about personnel changes or salary adjustments, and contain links that download a compressed file. When opened, the file uses a legitimate media player program as a disguise to secretly load malicious code. This code then downloads and runs ValleyRAT entirely in the computer's memory, making it very hard for antivirus tools to detect. The malware also includes several tricks to avoid being analyzed in security research environments. Organizations with employees or offices in Chinese-speaking regions or Japan are most at risk. Defenders should deploy endpoint detection tools capable of spotting DLL sideloading and fileless execution, train employees to recognize suspicious emails, and monitor for the specific indicators listed in this report.
Key Takeaways
- ValleyRAT campaigns identified via two vectors: fake installers targeting Chinese-speaking users and malicious emails targeting both Chinese and Japanese-speaking users, potentially by the same threat actor.
- The email-based attack chain uses DLL sideloading via a legitimate VLC media player executable to load a malicious libvlc.dll, which then downloads and executes ValleyRAT in a fileless manner.
- The malware employs multiple anti-analysis techniques including memory size checks (≤1GB), sleep timing checks, processor count checks, VHD boot detection, and junk code obfuscation.
- ValleyRAT payload is RC4-encrypted with the key 'zenzensu' and generated using Donut (position-independent code), then injected into a suspended rundll32.exe process via VirtualAllocEx/WriteProcessMemory.
- LevelBlue GSOC detections of ValleyRAT nearly doubled in 2026 compared to 2025, indicating accelerating campaign activity.
Affected Systems
- Microsoft Windows (all versions supporting wininet.dll, rundll32.exe, and registry Run keys)
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Malicious email (Traditional Chinese or Japanese) with subject about personnel transfers/salary adjustments contains a URL link to download a ZIP archive
- Execution: ZIP contains a legitimate VLC media player EXE and a malicious libvlc.dll; executing the EXE triggers DLL sideloading to load the malicious DLL
- Persistence: Malware copies EXE and DLL to C:\Users\Public\Documents\res\ (as msword.exe and libvld.dll) and creates registry Run key 'pornhub' for autostart
- Defense Evasion: DLL performs anti-analysis checks (memory ≤1GB, sleep timing, CPU count ≤1, VHD boot detection, junk code obfuscation); exits if any check fails
- C2/Download: DLL uses wininet APIs to download RC4-encrypted ValleyRAT payload from 154.92.16.22/xz.bin (URL is Base64-encoded in the binary)
- Execution/Injection: Payload is decrypted with RC4 key 'zenzensu', then injected into a suspended rundll32.exe process via VirtualAllocEx/WriteProcessMemory and resumed via ResumeThread; payload never touches disk (fileless)
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: LevelBlue GSOC EDR hunting query
The article presents a LevelBlue GSOC proactive hunting query (Figure 19) that detects ValleyRAT by searching for specific module names derived from leaked ValleyRAT source code Visual Studio project files, with an additional condition requiring the module to be a floating (reflexively loaded) module. The query is not reproduced in the article and is implemented as part of LevelBlue's MDR Proactive Hunting service due to its high false-positive rate.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | The fileless execution via suspended rundll32.exe process injection and reflexively loaded floating modules would be visible to EDR tools with memory scanning and module loading telemetry. However, the payload never touches disk, and the use of a legitimate VLC binary for DLL sideloading may blend in with normal activity without behavioral detection rules. |
| Network Visibility | Medium | The download of the ValleyRAT payload from 154.92.16.22 over HTTP is visible at the network level. The phishing URL on Alibaba Cloud OSS (aliyuncs.com) may blend in with legitimate cloud traffic. The Base64-encoded URL in the DLL binary is not visible at the network level. |
| Detection Difficulty | Hard | ValleyRAT employs fileless execution, RC4 encryption, DLL sideloading via legitimate binaries, multiple anti-analysis checks, and Donut-generated shellcode. The payload never touches disk. Detection requires behavioral analysis of process injection patterns, floating module identification, and correlation across email, network, and endpoint telemetry. The article notes the hunting query itself has a high false-positive rate. |
Required Log Sources
- EDR process creation and module loading events
- EDR memory scanning / reflexive module detection
- DNS resolution logs
- HTTP proxy / web gateway logs
- Email security gateway logs
- Windows Registry modification events (Sysmon Event ID 13 or equivalent)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes loading DLLs from non-standard directories such as C:\Users\Public\Documents, which is unusual for legitimate applications and may indicate DLL sideloading or payload staging. | EDR module load events, Sysmon Event ID 7 (Image Loaded) | Execution / Persistence | Low — legitimate applications rarely load DLLs from user-writable public document directories |
| Consider hunting for rundll32.exe processes created in a suspended state followed by memory write operations and thread resumption, which may indicate process hollowing for fileless payload execution. | EDR process creation, memory allocation, and thread manipulation events; Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) | Execution / Defense Evasion | Medium — some legitimate software uses similar patterns, requiring correlation with other indicators |
| Consider hunting for reflexively loaded (floating) DLL modules with unusual or non-English module names, particularly those matching known ValleyRAT module names from leaked source code. | EDR floating module detection, memory scanning results | Execution | High — the article explicitly notes this approach generates significant false positives and is only viable as a proactive hunting query with analyst validation |
| Consider hunting for registry Run key values with unusual or suspicious names (e.g., unrelated to legitimate software) that point to executables in non-standard paths. | Sysmon Event ID 13 (RegistryEvent ValueSet), EDR registry modification events | Persistence | Low to Medium — while Run key usage is common, unusual value names combined with non-standard executable paths are suspicious |
| Consider hunting for network connections to IP addresses hosting downloadable binaries over HTTP (not HTTPS), particularly when initiated by processes in user-writable directories. | EDR network connection events, DNS logs, HTTP proxy logs | Command and Control / Ingress Tool Transfer | Medium — HTTP binary downloads occur in legitimate contexts; correlation with process path and reputation is needed |
Control Gaps
- Traditional signature-based AV would not detect the fileless ValleyRAT payload executed from memory
- DLL sideloading via a legitimate, signed VLC binary may bypass application allowlisting controls
- The Base64-encoded download URL embedded in the DLL would not be detected by network-level URL filtering without SSL inspection or endpoint-based URL analysis
- Anti-analysis checks may cause the malware to exit in automated sandbox environments, producing clean results and evading detonation-based detection
- Email security gateways may not flag emails from free email services (outlook.com, gmail.com, hotmail.com) without additional content-based rules
Key Behavioral Indicators
- Legitimate VLC media player executable (vlc.exe) loading a DLL named libvlc.dll from a non-standard directory (e.g., user Downloads or temp)
- Executable with Japanese filename (【給与調整のお知らせ】.exe) with VLC media player metadata in file properties
- Files copied to C:\Users\Public\Documents\res\ directory (msword.exe and libvld.dll)
- Registry Run key value named 'pornhub' pointing to msword.exe in C:\Users\Public\Documents\res\
- rundll32.exe process created in suspended state followed by VirtualAllocEx and WriteProcessMemory API calls
- Network connection to 154.92.16.22 over HTTP requesting /xz.bin
- Floating/reflexively loaded modules with names matching leaked ValleyRAT project files (e.g., 上线模块.dll, K360.dll)
- Process establishing persistence for GFIRestart64.exe via Windows Run registry key
False Positive Assessment
Medium — The network and file hash IOCs are highly specific with low false-positive risk. However, the module-name-based hunting query described in the article explicitly has a high false-positive rate, requiring analyst validation. Behavioral indicators such as DLL sideloading via legitimate VLC binaries and rundll32.exe process creation may generate moderate false positives depending on the environment's baseline activity.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider searching endpoint and network logs for the identified IOCs (IP 154.92.16.22, domain frehf.oss-cn-hongkong.aliyuncs.com, SHA1 hashes) to identify potential compromises.
- If compromised systems are identified, consider isolating affected hosts from the network and performing a clean operating system reinstallation, as ValleyRAT is a RAT capable of remote control.
- Review EDR and security logs on identified compromised systems to determine what actions the attacker may have performed, including lateral movement or data access.
- Consider blocking the identified malicious IP (154.92.16.22) and domain (frehf.oss-cn-hongkong.aliyuncs.com) at network firewalls, proxies, and DNS resolution layers if supported by your infrastructure.
Infrastructure Hardening
- Evaluate whether your email security gateway can be configured to flag or block emails from free email services (outlook.com, gmail.com, hotmail.com) that contain URL links and business-themed content such as salary or personnel matters.
- Consider implementing application allowlisting that restricts execution of programs from user-writable directories such as C:\Users\Public\Documents.
- If your EDR supports behavioral detection rules, consider enabling or creating rules for DLL sideloading detection, process hollowing via suspended rundll32.exe, and reflexive module loading.
- Evaluate whether network-level blocking of HTTP (non-HTTPS) binary downloads from unknown IP addresses is feasible for your environment.
User Protection
- Consider deploying EDR solutions capable of detecting DLL sideloading, process injection, and Donut-generated shellcode execution.
- If applicable to your organization, consider implementing browser-based URL filtering that blocks downloads of executable content from cloud storage platforms.
- Evaluate whether your endpoint protection can detect and block the creation of registry Run key values with unusual names or pointing to executables in non-standard paths.
Security Awareness
- Consider incorporating the identified phishing characteristics into existing security awareness training: business-themed emails from free email services, emails instructing recipients to download and open ZIP files on a PC, and executables with Japanese filenames.
- Educate employees that legitimate business communications about personnel or salary matters should not come from free email services, and that executable files with non-English filenames are highly suspicious.
- Consider advising employees to report emails that instruct them to download files from URLs and open them specifically on a computer rather than a mobile device, as this pattern is consistent with malware delivery.
- If your organization has offices or employees in Chinese-speaking regions or Japan, consider providing targeted awareness training about these ValleyRAT campaign patterns.
MITRE ATT&CK Mapping
Initial Access
Execution
Persistence
Defense Evasion
Command and Control
Additional IOCs
- Urls:
hxxps://frehf[.]oss-cn-hongkong[.]aliyuncs[.]com/%E4%BA%BA%E4%BA%8B%E5%8A%9B%E8%B3%87%E6%BA%90%E9%83%A8.zip- Full phishing URL from the malicious email; downloads the ZIP archive containing the DLL sideloading payload
- Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pornhub- Registry Run key value created for persistence; points to copied msword.exe at C:\Users\Public\Documents\res\msword.exe to auto-execute on login
- File Paths:
C:\Users\Public\Documents\res\msword.exe- Destination path where the malicious EXE (originally named 【給与調整のお知らせ】.exe, a legitimate VLC binary) is copied for persistenceC:\Users\Public\Documents\res\libvld.dll- Destination path where the malicious DLL (originally named libvlc.dll) is copied for persistence alongside msword.exe
- Command Lines:
- Purpose: Creating a suspended process for shellcode injection of the decrypted ValleyRAT payload | Tools:
rundll32.exe| Stage: Execution/Injection |rundll32.exe
- Purpose: Creating a suspended process for shellcode injection of the decrypted ValleyRAT payload | Tools:
- Other:
[email protected]- Sender email address used in the malicious phishing email; free email service used to distribute ValleyRATzenzensu- RC4 encryption key used to decrypt the downloaded ValleyRAT payload; embedded in the malicious DLLGFIRestart64.exe- Filename used by the decrypted ValleyRAT sample for persistence via Windows Run registry key; consistent with previously reported ValleyRAT samples上线模块.dll- Floating module name loaded by ValleyRAT; derived from leaked ValleyRAT source code Visual Studio project files; used as a detection indicatorK360.dll- Floating module name loaded by ValleyRAT; observed in EDR investigation console as a reflexively loaded module
Related
- Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden·3
- Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities·3
- Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India·3