Hackers Use Fake VLC Executable and Malicious libvlc.dll to Deploy ValleyRAT

Jul 02, 2026

Cybercriminals have found a clever way to slip past security defenses by hiding malware inside a program most people trust without a second thought.

Researchers have uncovered a campaign that abuses the popular VLC media player to quietly install ValleyRAT, a remote access trojan that gives attackers full control over infected computers.

The attack starts with something deceptively ordinary: an email. Victims receive a message about personnel transfers or salary changes, complete with a link to download a file.

Once opened, that file sets off a chain of events that ends with a hidden backdoor running silently in memory, invisible to many traditional antivirus tools.

Analysts from LevelBlue identified the campaign while tracking a steady rise in ValleyRAT detections through their Global Security Operations Center.

The malware has been active since 2023, but activity accelerated sharply through 2025 and into 2026, nearly doubling compared to the previous year.

LevelBlue said in a report shared with Cyber Security News (CSN) that the email-based version of this campaign specifically targets Chinese- and Japanese-speaking users, though the risk extends well beyond those regions, given how many global companies operate branch offices there.

ValleyRAT fake installer attack chain (Source - LevelBlue)

What makes this campaign notable is its use of a legitimate application as camouflage.

Instead of writing malware from scratch that antivirus software might flag immediately, the attackers repurposed the trusted VLC executable itself, pairing it with a corrupted version of one of its supporting files to slip past defenses undetected.

Hackers Use Legitimate VLC Executable and Malicious libvlc.dll

The infection chain begins when a victim clicks a link in the phishing email, triggering a ZIP archive download containing two files: an executable and a DLL.

The executable is disguised with a Japanese filename related to the email’s subject, yet its internal file description and hash match a genuine VLC media player build.

The accompanying file, named libvlc.dll, is a component VLC normally relies on to function.

ValleyRAT malicious email attack chain (Source - LevelBlue)

VLC's executable loads libvlc.dll by name from its own directory, so launching the renamed but genuine binary pulls in the malicious DLL sitting beside it automatically, a technique researchers call DLL sideloading. Because the host process is a signed, well-known application, the harmful code runs under the cover of a recognized, legitimate program name.

Once loaded, the DLL copies both files to a fixed directory and creates a registry entry so the executable relaunches every time the victim logs in, ensuring the infection survives a reboot. From there, it quietly reaches out to a remote server to fetch the final ValleyRAT payload.
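The sideloading and persistence signals described above can be expressed as simple detection logic over endpoint telemetry. The following is an added example written for this page, not LevelBlue's tooling and not part of VLC: the event records are constructed to resemble EDR process, module-load and registry events, the field names are an assumed schema, and the trusted install directories and drop directory are assumptions, since the article does not name the fixed directory the DLL copies the files into.

```python
"""Added detection example for the VLC sideloading chain described above.

Illustrative code written for this page, not LevelBlue's tooling and not part
of VLC. The event records below are constructed to resemble EDR telemetry; the
field names (event, image, file_description, module, key, value) are an assumed
schema, not any vendor's. The trusted install directories and the drop
directory are assumptions too.
"""
from pathlib import PureWindowsPath

# Assumption: where a legitimately installed VLC binary and libvlc.dll live.
TRUSTED_VLC_DIRS = (
    r"C:\Program Files\VideoLAN\VLC",
    r"C:\Program Files (x86)\VideoLAN\VLC",
)
VLC_DESCRIPTION = "vlc media player"   # internal file description, compared case-insensitively
SIDELOAD_DLL = "libvlc.dll"            # DLL named in the article

# Constructed sample telemetry: a clean VLC launch, then the malicious chain.
SAMPLE_EVENTS = [
    {"event": "process_start", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "file_description": "VLC media player"},
    {"event": "module_load", "module": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    # Genuine VLC binary, but renamed with a Japanese filename and run from Downloads.
    {"event": "process_start", "image": r"C:\Users\taro\Downloads\人事異動.exe",
     "file_description": "VLC media player"},
    {"event": "module_load", "module": r"C:\Users\taro\Downloads\libvlc.dll"},
    # Run-key entry pointing at the copied executable (ASSUMED_DROP_DIR is a placeholder).
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\ProgramData\ASSUMED_DROP_DIR\人事異動.exe"},
]


def under_trusted_dir(path: str) -> bool:
    """True if path sits below one of the expected VLC install directories."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(d) in parents for d in TRUSTED_VLC_DIRS)


def analyze(events):
    """Return (finding, path) tuples for the sideloading and persistence signals."""
    findings = []
    suspicious_names = set()   # basenames of VLC-described binaries running off-path
    for e in events:
        kind = e["event"]
        if kind == "process_start":
            image = PureWindowsPath(e["image"])
            if VLC_DESCRIPTION in e.get("file_description", "").lower():
                # Internal description says VLC but the on-disk name does not: renamed binary.
                if image.name.lower() != "vlc.exe":
                    findings.append(("renamed_vlc_binary", e["image"]))
                if not under_trusted_dir(e["image"]):
                    findings.append(("vlc_outside_install_dir", e["image"]))
                    suspicious_names.add(image.name.lower())
        elif kind == "module_load":
            mod = PureWindowsPath(e["module"])
            # libvlc.dll resolved from somewhere other than the install directory.
            if mod.name.lower() == SIDELOAD_DLL and not under_trusted_dir(e["module"]):
                findings.append(("libvlc_sideload", e["module"]))
        elif kind == "registry_set":
            # Logon persistence: a Run value pointing at one of the flagged binaries.
            target = PureWindowsPath(e["value"])
            if (e["key"].lower().endswith(r"\currentversion\run")
                    and target.name.lower() in suspicious_names):
                findings.append(("run_key_persistence", e["value"]))
    return findings


if __name__ == "__main__":
    for finding, path in analyze(SAMPLE_EVENTS):
        print(f"{finding:24} {path}")
```

The first two events (VLC and libvlc.dll loaded from the install directory) produce nothing; the renamed binary in Downloads, the libvlc.dll beside it, and the Run value pointing at the copied binary each produce a finding. In a real deployment the file description would come from the EDR's version-info field and the trusted directories from your software inventory.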

Evasion Tactics and Fileless Execution

ValleyRAT’s delivery mechanism goes to considerable lengths to avoid being caught in a sandbox or analysis environment.

Before doing anything harmful, the malware checks available memory, counts processor cores, and measures how long a sleep command actually takes, since virtual testing environments often behave differently from real machines.

If any of these checks suggest it’s being watched, the malware simply stops and does nothing further, making it far harder for defenders to observe its true behavior.

The code is also padded with large amounts of meaningless junk functions designed purely to slow down anyone trying to reverse engineer it.

Perhaps most concerning is how the final payload gets delivered. The downloaded ValleyRAT component, encrypted with a simple RC4 cipher, is decrypted directly in memory and injected into a suspended system process rather than ever being saved to disk.

The decrypted sample contains code that establishes persistence for GFIRestart64.exe (Source - LevelBlue)

This fileless approach means no obvious malicious file is left behind for traditional antivirus scans to catch.
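Because the final component is protected only with RC4, an analyst who has captured the downloaded blob (for example from a proxy cache) can decrypt it offline for static analysis. The following is an added example written for this page, not LevelBlue's or the malware's code: the article does not state the RC4 key, so the key and payload here are constructed, and the rc4() routine is checked against the standard published RC4 test vectors.

```python
"""Added example: decrypting a retrieved RC4-encrypted payload for analysis.

Illustrative code written for this page, not LevelBlue's or the malware's
code. The article says the downloaded ValleyRAT component is RC4-encrypted
but gives no key, so the key and payload below are constructed.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then the keystream XORed over data (symmetric)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_and_check(blob: bytes, key: bytes):
    """Decrypt blob and report whether the result starts with a PE 'MZ' signature."""
    plain = rc4(key, blob)
    return plain, plain[:2] == b"MZ"


# Constructed sample: a fake "PE" beginning with the MZ signature, encrypted with a made-up key.
SAMPLE_KEY = b"constructed-key"
SAMPLE_PLAINTEXT = b"MZ" + b"\x90" * 14 + b"constructed payload body"
SAMPLE_CIPHERTEXT = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    import sys
    # Usage: python rc4_check.py <encrypted file> <key>; with no arguments, runs the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            plain, is_pe = decrypt_and_check(fh.read(), sys.argv[2].encode())
        print("looks like PE:", is_pe)
    else:
        print(decrypt_and_check(SAMPLE_CIPHERTEXT, SAMPLE_KEY)[1])  # True
```

The MZ check is the quick sanity test that the key recovered from the loader is right: a wrong key yields pseudo-random bytes rather than a PE header. The key itself has to come from reversing the sideloaded DLL, which the example does not cover.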

Researchers recommend that organizations train employees to recognize warning signs like unusual Japanese-language filenames on executables, mismatched file descriptions, and business emails sent from free webmail domains.

Deploying endpoint detection tools capable of spotting DLL sideloading behavior and unusual process injection is also advised, since these techniques are too technical for typical employee training alone.

For organizations already affected, isolating the compromised system from the network and reviewing security logs to understand what actions the attacker performed are essential first steps. In more severe cases, a full operating system reinstall may be the safest path forward.

This campaign is a reminder that trust in familiar software names can be exploited just as easily as trust in strangers. As ValleyRAT continues evolving its evasion techniques, staying alert to small inconsistencies in emails and file properties remains one of the best defenses available.

Indicators of Compromise

Type     Indicator                                   Description
SHA1     e8be03f19ada1f5cec74b143e21d4939e781671d    Malicious email
Domain   frehf.oss-cn-hongkong.aliyuncs[.]com        Domain part of the URL in the malicious email
SHA1     65168c8dd93b16d3b77092fb70c0fa6fba4dffcc    ZIP archive (fake VLC executable)
URL      http://154.92.16.22/xz.bin                  ValleyRAT download URL
SHA1     eca7ed7b699835fadc2c2997a2845864e02b8dfe    ValleyRAT sample encrypted by RC4

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
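A practical way to use the table is to sweep existing proxy, DNS and antivirus logs for the indicators, refanging on both sides so that defanged copies in tickets and reports still match. The following is an added example written for this page, not LevelBlue's: the indicators are copied from the table (the download URL is stored defanged here, although the article lists it live), the log lines are constructed, and their formats are assumptions rather than any product's real output.

```python
"""Added example: matching the indicators from the table above against log text.

Illustrative code written for this page, not LevelBlue's. The indicators are
copied from the article's table; the download URL is stored defanged here.
The log lines are constructed and the log formats are assumptions.
"""
import re

IOCS = [
    ("SHA1", "e8be03f19ada1f5cec74b143e21d4939e781671d", "Malicious email"),
    ("Domain", "frehf.oss-cn-hongkong.aliyuncs[.]com", "Domain part of the URL in the malicious email"),
    ("SHA1", "65168c8dd93b16d3b77092fb70c0fa6fba4dffcc", "ZIP archive (fake VLC executable)"),
    ("URL", "hxxp://154.92.16[.]22/xz.bin", "ValleyRAT download URL"),
    ("SHA1", "eca7ed7b699835fadc2c2997a2845864e02b8dfe", "ValleyRAT sample encrypted by RC4"),
]

# Constructed log lines (formats assumed): proxy, DNS, AV hash record, benign traffic, a ticket note.
SAMPLE_LOGS = [
    "2026-07-01T09:12:03Z proxy user=taro GET http://154.92.16.22/xz.bin status=200 bytes=184320",
    "2026-07-01T09:11:58Z dns client=10.0.0.15 query=frehf.oss-cn-hongkong.aliyuncs.com type=A",
    "2026-07-01T09:11:40Z av file=C:\\Users\\taro\\Downloads\\archive.zip "
    "sha1=65168C8DD93B16D3B77092FB70C0FA6FBA4DFFCC verdict=clean",
    "2026-07-01T09:10:02Z proxy user=taro GET https://www.videolan.org/ status=200",
    "2026-07-01T10:30:00Z ticket note: user reported link to hxxp://154.92.16[.]22/xz.bin in a salary email",
]


def refang(text: str) -> str:
    """Undo common defanging so indicators and log text compare in one form."""
    text = text.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def scan(lines):
    """Return (line_number, type, indicator, description) for every IoC hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        haystack = refang(line).lower()          # hashes compared case-insensitively
        for ioc_type, indicator, desc in IOCS:
            if refang(indicator).lower() in haystack:
                hits.append((n, ioc_type, indicator, desc))
    return hits


if __name__ == "__main__":
    for n, ioc_type, indicator, desc in scan(SAMPLE_LOGS):
        print(f"line {n}: {ioc_type} {indicator} ({desc})")
```

Hits are reported with the indicator in its defanged form so the output can be pasted into a ticket without creating live links; the proxy line, the DNS query, the upper-case AV hash and the defanged ticket note all match, while the legitimate videolan.org download does not.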

Source: CybersecurityNews.com
