216.73.216.86

An Analysis of ValleyRAT Infection Campaigns from Fake Installers, Japanese Malicious Emails

· Published 01/07/2026 03:24

Export JSON

Essential information

Published
01/07/2026 03:24
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
chinese targets dll sideloading donut shellcode fake installers japanese targets phishing emails process injection valleyrat
Related entities
3 indicators, 3 observables, 1 intrusion sets (apt), 18 techniques (mitre), 1 malware

Description

LevelBlue has identified two distinct attack vectors: campaigns using and malicious email-based campaigns. Detection volume increased significantly from May 2025, nearly doubling in 2026. The fake installer attacks primarily target Chinese-speaking users and employ advanced techniques including Pool Party Variant 7 and BYOVD methods. The malicious email campaigns target both Chinese and Japanese-speaking users, delivering ZIP archives containing EXE and DLL files that leverage . The malware employs multiple evasion techniques including junk code insertion, memory size checks, sleeping duration checks, process count validation, and fileless execution using Donut-generated shellcode. establishes persistence through registry modification and enables remote access capabilities for threat actors.

External references