LevelBlue GSOC has identified accelerating ValleyRAT campaigns delivered through fake installers and malicious emails targeting Chinese and Japanese-speaking users. The email-based attack chain uses DLL sideloading via a legitimate VLC executable to load a malicious DLL that downloads an RC4-encrypted, Donut-generated ValleyRAT payload, which is then injected into a suspended rundll32.exe process for fileless execution. The malware incorporates extensive anti-analysis checks (memory size, sleep timing, CPU count, VHD boot detection) and establishes persistence via registry Run keys.