Cybercriminals have devised a sophisticated method to bypass security measures by embedding malware within widely trusted software. Experts have revealed a campaign exploiting the popular VLC media player to discreetly deploy ValleyRAT, a remote access trojan that grants attackers complete control over compromised systems.
Email Phishing as Initial Attack Vector
The attack begins with a seemingly benign email. Recipients receive messages regarding personnel changes or salary adjustments, accompanied by a link to download a file. Once accessed, this file initiates a sequence culminating in a concealed backdoor, largely undetectable by conventional antivirus solutions.
Analysts at LevelBlue uncovered this campaign while monitoring a significant increase in ValleyRAT detections via their Global Security Operations Center. The malware has been active since 2023, but its prevalence surged significantly through 2025 and into 2026, nearly doubling from the previous year. The report, shared with Cyber Security News, highlights that the campaign specifically targets Chinese and Japanese-speaking users, though the risk extends globally due to widespread corporate presence in these regions.
Disguised VLC Executable and Malicious DLL
A notable aspect of this campaign is the use of a legitimate application as a disguise. Rather than crafting new malware that antivirus software could detect, attackers renamed the trusted VLC executable and paired it with a malicious replacement for one of its support DLLs to evade detection.
The infection begins when a user clicks a link in the phishing email, prompting the download of a ZIP archive containing an executable and a DLL. The executable, masquerading under a Japanese filename, internally matches a genuine VLC build; the DLL is named libvlc.dll, the name of a standard VLC component, but carries the malicious code.
Because the renamed executable is a genuine, signed VLC build that Windows trusts, it loads the libvlc.dll placed beside it without complaint, a technique known as DLL sideloading. The harmful code therefore executes under the guise of a legitimate program.
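One way a defender can surface the sideloading pattern described above is to watch image-load telemetry for VLC components being loaded from, or by, anything outside the expected install directory. The following is an added example, not code from the original report or from LevelBlue; the log lines are constructed in a simplified Sysmon-like "Image loaded" shape, and the component names, install paths and `Signed` field are assumptions to be adapted to the organisation's own telemetry.

```python
"""Flag VLC support DLLs (libvlc.dll, libvlccore.dll) loaded outside the installed VLC."""
import ntpath
import re

# Constructed sample telemetry in a simplified Sysmon Event ID 7 (Image loaded) shape.
SAMPLE_LOG = """\
Image: C:\\Program Files\\VideoLAN\\VLC\\vlc.exe | ImageLoaded: C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll | Signed: true
Image: C:\\Users\\alice\\Downloads\\通知.exe | ImageLoaded: C:\\Users\\alice\\Downloads\\libvlc.dll | Signed: false
Image: C:\\Users\\alice\\AppData\\Local\\Temp\\vlc.exe | ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\libvlccore.dll | Signed: true
Image: C:\\Windows\\System32\\notepad.exe | ImageLoaded: C:\\Windows\\System32\\kernel32.dll | Signed: true
"""

# Assumed: the VLC components worth tracking (hypothetical allowlist for this example).
VLC_COMPONENTS = {"libvlc.dll", "libvlccore.dll"}
# Assumed: where a sanctioned VLC install lives; adjust to the organisation's packaging.
EXPECTED_INSTALL_DIRS = (
    "c:\\program files\\videolan\\vlc\\",
    "c:\\program files (x86)\\videolan\\vlc\\",
)

LINE_RE = re.compile(
    r"Image: (?P<image>.+?) \| ImageLoaded: (?P<loaded>.+?) \| Signed: (?P<signed>true|false)$"
)


def _in_expected_dir(path: str) -> bool:
    """True if the Windows path sits under one of the sanctioned VLC install directories."""
    lowered = path.lower()
    return any(lowered.startswith(d) for d in EXPECTED_INSTALL_DIRS)


def detect_sideloading(log_text: str) -> list[dict]:
    """Return one finding per image-load event that matches the sideloading pattern."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not an image-load record we understand
        image, loaded = match["image"], match["loaded"]
        signed = match["signed"] == "true"
        # ntpath handles backslash paths correctly even when this runs on a non-Windows host.
        if ntpath.basename(loaded).lower() not in VLC_COMPONENTS:
            continue
        reasons = []
        if not _in_expected_dir(loaded):
            reasons.append("VLC component loaded from outside the expected install directory")
        if not _in_expected_dir(image):
            reasons.append("loading process is not the installed VLC binary")
        if not signed:
            reasons.append("loaded DLL is unsigned")
        if reasons:
            findings.append({"image": image, "loaded": loaded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_sideloading(SAMPLE_LOG):
        print(f"{finding['image']} -> {finding['loaded']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The first sample line (the real install loading its own signed DLL) produces no finding; the second and third lines are flagged because a VLC component is loaded from a user-writable directory by a process that is not the installed VLC, and the unsigned copy in the second line earns an additional reason. Ordinary DLL loads by unrelated processes are ignored entirely, which keeps the rule cheap to run over large volumes of telemetry.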
Advanced Evasion Techniques
ValleyRAT employs sophisticated tactics to avoid detection in sandbox or analysis environments. It checks available memory, counts processor cores, and measures how long sleep calls actually take, ceasing operation if those checks suggest a monitoring environment.
The payload, encrypted using RC4, is decrypted directly in memory and injected into a suspended system process, avoiding traditional antivirus detection. This fileless approach leaves no traceable malicious files, complicating detection efforts.
Experts advise training employees to identify warning signs such as unusual Japanese filenames on executables, mismatched file descriptions, and business emails from free webmail domains. Implementing endpoint detection tools capable of identifying DLL sideloading and unusual process injection is also recommended.
For affected organizations, isolating compromised systems and reviewing security logs to determine attacker actions are crucial initial steps. In severe cases, a full operating system reinstall may be necessary.
This campaign underscores the potential for exploitation of trusted software, emphasizing the need for vigilance against small inconsistencies in emails and file properties as ValleyRAT continues to evolve its evasion techniques.
