An Analysis of ValleyRAT Infection Campaigns from Fake Installers, Japanese Malicious Emails
Essential information
- Published
- 01/07/2026 03:24
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- chinese targets dll sideloading donut shellcode fake installers japanese targets phishing emails process injection valleyrat
- Related entities
- 3 indicators, 3 observables, 1 intrusion sets (apt), 18 techniques (mitre), 1 malware
Description
LevelBlue has identified two distinct ValleyRAT attack vectors: campaigns using fake installers and malicious email-based campaigns. Detection volume increased significantly from May 2025, nearly doubling in 2026. The fake installer attacks primarily target Chinese-speaking users and employ advanced techniques including Pool Party Variant 7 process injection and BYOVD methods. The malicious email campaigns target both Chinese and Japanese-speaking users, delivering ZIP archives containing EXE and DLL files that leverage DLL sideloading. The malware employs multiple evasion techniques including junk code insertion, memory size checks, sleeping duration checks, process count validation, and fileless execution using Donut-generated shellcode. ValleyRAT establishes persistence through registry modification and enables remote access capabilities for threat actors.